From 751ec83dfe2e6d7f84bc9883d23945fdda010519 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Fri, 19 Sep 2025 10:29:02 +0100 Subject: [PATCH 01/61] Add dependabot Signed-off-by: Arthit Suriyawongkul --- .github/dependabot.yml | 8 ++++++++ pom.xml | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..3cddd8c --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,8 @@ +version: 2 +updates: + - package-ecosystem: "maven" + directory: "/" + schedule: + interval: "weekly" + labels: + - "dependencies" diff --git a/pom.xml b/pom.xml index 262e74c..92dd8c1 100644 --- a/pom.xml +++ b/pom.xml @@ -55,7 +55,7 @@ https://sonarcloud.io spdx tools-java - 8.4.3 + 12.1.3 11 -Xdoclint:none From 4c30dff5da2d841fc8a3418969f4cbe2f0b08e6b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Sep 2025 17:32:58 +0000 Subject: [PATCH 02/61] Bump org.apache.maven.plugins:maven-source-plugin from 3.2.1 to 3.3.1 Bumps [org.apache.maven.plugins:maven-source-plugin](https://github.com/apache/maven-source-plugin) from 3.2.1 to 3.3.1. - [Release notes](https://github.com/apache/maven-source-plugin/releases) - [Commits](https://github.com/apache/maven-source-plugin/compare/maven-source-plugin-3.2.1...maven-source-plugin-3.3.1) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-source-plugin dependency-version: 3.3.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 92dd8c1..ee6bb64 100644 --- a/pom.xml +++ b/pom.xml @@ -67,7 +67,7 @@ org.apache.maven.plugins maven-source-plugin - 3.2.1 + 3.3.1 attach-sources From 370c1a28e9118a3ce0893ea1757a15754ad22890 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Sep 2025 16:02:11 +0000 Subject: [PATCH 03/61] Bump org.apache.maven.plugins:maven-compiler-plugin Bumps [org.apache.maven.plugins:maven-compiler-plugin](https://github.com/apache/maven-compiler-plugin) from 3.11.0 to 3.14.1. - [Release notes](https://github.com/apache/maven-compiler-plugin/releases) - [Commits](https://github.com/apache/maven-compiler-plugin/compare/maven-compiler-plugin-3.11.0...maven-compiler-plugin-3.14.1) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-compiler-plugin dependency-version: 3.14.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 92dd8c1..eae6f0a 100644 --- a/pom.xml +++ b/pom.xml @@ -252,7 +252,7 @@ org.apache.maven.plugins maven-compiler-plugin - 3.11.0 + 3.14.1 ${project.build.sourceEncoding} true From 84697949da749265bcf345590996c6dc7a28b4d5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Sep 2025 17:58:33 +0000 Subject: [PATCH 04/61] Bump org.spdx:spdx-tagvalue-store from 2.0.0 to 2.0.1 Bumps [org.spdx:spdx-tagvalue-store](https://github.com/spdx/spdx-java-tagvalue-store) from 2.0.0 to 2.0.1. - [Release notes](https://github.com/spdx/spdx-java-tagvalue-store/releases) - [Changelog](https://github.com/spdx/spdx-java-tagvalue-store/blob/master/RELEASE-CHECKLIST.md) - [Commits](https://github.com/spdx/spdx-java-tagvalue-store/compare/v2.0.0...v2.0.1) --- updated-dependencies: - dependency-name: org.spdx:spdx-tagvalue-store dependency-version: 2.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 61b6675..2d02f43 100644 --- a/pom.xml +++ b/pom.xml @@ -145,7 +145,7 @@ org.spdx spdx-tagvalue-store - 2.0.0 + 2.0.1 org.spdx From ce921e2677edca5bbf209ec667212aa52f27dfe8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Sep 2025 01:14:40 +0000 Subject: [PATCH 05/61] Bump org.spdx:spdx-maven-plugin from 1.0.2 to 1.0.3 Bumps [org.spdx:spdx-maven-plugin](https://github.com/spdx/spdx-maven-plugin) from 1.0.2 to 1.0.3. - [Release notes](https://github.com/spdx/spdx-maven-plugin/releases) - [Commits](https://github.com/spdx/spdx-maven-plugin/compare/v1.0.2...v1.0.3) --- updated-dependencies: - dependency-name: org.spdx:spdx-maven-plugin dependency-version: 1.0.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 61b6675..48e4de7 100644 --- a/pom.xml +++ b/pom.xml @@ -328,7 +328,7 @@ org.spdx spdx-maven-plugin - 1.0.2 + 1.0.3 build-spdx From 9699fee201f6b304e3ffc6af19a0a13daea3a47c Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Sat, 27 Sep 2025 22:03:35 +0100 Subject: [PATCH 06/61] Update dependencies Signed-off-by: Arthit Suriyawongkul --- README.md | 2 ++ pom.xml | 24 ++++++++++++------------ 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 0c9b5e6..4c35262 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,7 @@ # SPDX Tools + +[![Maven Central Version](https://img.shields.io/maven-central/v/org.spdx/tools-java)](https://central.sonatype.com/artifact/org.spdx/tools-java) [![javadoc](https://javadoc.io/badge2/org.spdx/tools-java/javadoc.svg)](https://javadoc.io/doc/org.spdx/tools-java) A command-line utility for creating, converting, comparing, diff --git a/pom.xml b/pom.xml index 4a75eb7..d5cba73 100644 --- a/pom.xml +++ b/pom.xml @@ -55,7 +55,7 @@ https://sonarcloud.io spdx tools-java - 12.1.3 + 12.1.6 11 -Xdoclint:none @@ -104,12 +104,12 @@ commons-io commons-io - 2.16.1 + 2.20.0 org.apache.commons commons-compress - 1.27.1 + 1.28.0 org.apache.ws.xmlschema @@ -125,22 +125,22 @@ org.spdx java-spdx-library - 2.0.0 + 2.0.1 org.spdx spdx-jackson-store - 2.0.2 + 2.0.3 org.spdx spdx-rdf-store - 2.0.0 + 2.0.1 org.spdx spdx-spreadsheet-store - 2.0.0 + 2.0.1 org.spdx @@ -150,12 +150,12 @@ org.spdx spdx-v3jsonld-store - 1.0.0 + 1.0.1 com.networknt json-schema-validator - 1.5.6 + 1.5.9 org.slf4j @@ -172,7 +172,7 @@ org.apache.jena jena-core - 5.2.0 + 5.5.0 compile @@ -232,7 +232,7 @@ org.apache.maven.plugins maven-enforcer-plugin - 3.2.1 + 3.6.1 enforce-java @@ -263,7 +263,7 @@ org.apache.maven.plugins maven-javadoc-plugin - 2.9.1 + 2.10.4 true 8 From dcddeb4018c4b877385df35cb2c190f070b0ac5b Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Sun, 28 Sep 2025 03:36:28 +0100 Subject: [PATCH 07/61] Update Maven Central link Signed-off-by: Arthit Suriyawongkul --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 4c35262..79dcb8e 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,5 @@ # SPDX Tools - [![Maven Central Version](https://img.shields.io/maven-central/v/org.spdx/tools-java)](https://central.sonatype.com/artifact/org.spdx/tools-java) [![javadoc](https://javadoc.io/badge2/org.spdx/tools-java/javadoc.svg)](https://javadoc.io/doc/org.spdx/tools-java) @@ -28,7 +27,7 @@ This utility supports versions 2.0, 2.1, 2.2, 2.3 and 3.0.1 of the SPDX specific ## Getting Starting -The SPDX Tools binaries can be downloaded from the [releases page](https://github.com/spdx/tools-java/releases) under the respective release. The package is also available in [Maven Central](https://search.maven.org/artifact/org.spdx/tools-java) (organization org.spdx, artifact tools-java). +The SPDX Tools binaries can be downloaded from the [releases page](https://github.com/spdx/tools-java/releases) under the respective release. The package is also available in [Maven Central](https://central.sonatype.com/artifact/org.spdx/tools-java) (organization `org.spdx`, artifact `tools-java`). See the Syntax section below for the commands available. From a5a2d5c75f09f6b1f06b1927998a86a9b63105d6 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Sun, 28 Sep 2025 03:47:33 +0100 Subject: [PATCH 08/61] Move jena-core back to 5.2.0 Signed-off-by: Arthit Suriyawongkul --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index d5cba73..b642863 100644 --- a/pom.xml +++ b/pom.xml @@ -172,7 +172,7 @@ org.apache.jena jena-core - 5.5.0 + 5.4.0 compile From 43d6d4347ea96852aeea010a4f3df0968495c3f2 Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Sat, 4 Oct 2025 13:50:17 -0700 Subject: [PATCH 09/61] Remove redundant dependencies These dependencies are included as transitive dependencies through other SPDX library modules. Removing these from the POM file to avoid possible version conflicts. This commit also includes a fix to a minor typo. --- pom.xml | 12 ------------ src/main/java/org/spdx/tools/SpdxToolsHelper.java | 2 +- 2 files changed, 1 insertion(+), 13 deletions(-) diff --git a/pom.xml b/pom.xml index b642863..24483bf 100644 --- a/pom.xml +++ b/pom.xml @@ -163,18 +163,6 @@ 2.0.17 true - - org.apache.poi - poi - 5.4.1 - compile - - - org.apache.jena - jena-core - 5.4.0 - compile - diff --git a/src/main/java/org/spdx/tools/SpdxToolsHelper.java b/src/main/java/org/spdx/tools/SpdxToolsHelper.java index 4c37030..b7127d3 100644 --- a/src/main/java/org/spdx/tools/SpdxToolsHelper.java +++ b/src/main/java/org/spdx/tools/SpdxToolsHelper.java @@ -389,7 +389,7 @@ public static org.spdx.library.model.v3_0_1.core.SpdxDocument getDocFromStore(IS throw new InvalidSPDXAnalysisException("No SPDX version 3 documents in model store"); } if (docs.size() > 1) { - throw new InvalidSPDXAnalysisException("Multiple SPDX version 3 documents in modelSTore. There can only be one SPDX document."); + throw new InvalidSPDXAnalysisException("Multiple SPDX version 3 documents in modelStore. There can only be one SPDX document."); } return docs.get(0); } From e7071e18b5dfb43c817b4fd18bc338e0e0f97087 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Sun, 28 Sep 2025 21:24:22 +0100 Subject: [PATCH 10/61] Delete CONTRIBUTING.md from Spdx-Java-Library repo Remove CONTRIBUTING.md in src/ subdir, it is from `Spdx-Java-Library` repo. Update CONTRIBUTING.md in root to use `tools-java` name instead of `spdx-tools`. Signed-off-by: Arthit Suriyawongkul --- CONTRIBUTING.md | 4 +-- src/main/java/org/spdx/tools/CONTRIBUTING.md | 27 -------------------- 2 files changed, 2 insertions(+), 29 deletions(-) delete mode 100644 src/main/java/org/spdx/tools/CONTRIBUTING.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c4a6f5f..096ae67 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -22,11 +22,11 @@ If you would like to work on a fix for any issue, please assign the issue to you Patches ------- -The source code for `spdx-tools` is hosted on [github.com/spdx/tools-java](https://github.com/spdx/tools-java). Please review [open pull requests](https://github.com/spdx/tools-java/pulls) and [active branches](https://github.com/spdx/tools-java/branches) before committing time to a substantial revision. Work along similar lines may already be in progress. +The source code for `tools-java` is hosted on [github.com/spdx/tools-java](https://github.com/spdx/tools-java). Please review [open pull requests](https://github.com/spdx/tools-java/pulls) and [active branches](https://github.com/spdx/tools-java/branches) before committing time to a substantial revision. Work along similar lines may already be in progress. To submit a patch via GitHub, fork the repository, create a topic branch from `master` for your work, and send a pull request when ready. If you would prefer to send a patch or grant access to pull from your own Git repository, please contact the project's contributors by e-mail. -To contribute an implementation of a feature defined by a version of the SPDX specification later than the one supported by the current SPDX Tools release, clone the branch `spec/X.X`, where X.X is the major.minor version of the targeted specification (e.g. "3.0"). +To contribute an implementation of a feature defined by a version of the SPDX specification later than the one supported by the current SPDX Tools release, clone the branch `spec/X.X`, where X.X is the major.minor version of the targeted specification (e.g. "3.1"). Once implemented, submit a pull request with `spec/X.X` branch as the parent branch. diff --git a/src/main/java/org/spdx/tools/CONTRIBUTING.md b/src/main/java/org/spdx/tools/CONTRIBUTING.md deleted file mode 100644 index a41d4ff..0000000 --- a/src/main/java/org/spdx/tools/CONTRIBUTING.md +++ /dev/null @@ -1,27 +0,0 @@ -Contributing -============ - -Thank you for your interest in `Spdx-Java-Library`. The project is open-source software, and bug reports, suggestions, and most especially patches are welcome. - -Issues ------- - -`Spdx-Java-Library` has a [project page on GitHub](https://github.com/spdx/Spdx-Java-Library) where you can [create an issue](https://github.com/spdx/Spdx-Java-Library/issues/new/choose) to report a bug, make a suggestion, or propose a substantial change or improvement that you might like to make. You may also wish to contact the SPDX working group technical team through its mailing list, [spdx-tech@lists.spdx.org](mailto:spdx-tech@lists.spdx.org). - -If you would like to work on a fix for any issue, please assign the issue to yourself prior to creating a Pull Request. - -Pull Requests -------- - -The source code for `Spdx-Java-Library` is hosted on [github.com/spdx/Spdx-Java-Library](https://github.com/spdx/Spdx-Java-Library). Please review [open pull requests](https://github.com/spdx/Spdx-Java-Library/pulls) and [active branches](https://github.com/spdx/Spdx-Java-Library/branches) before committing time to a substantial revision. Work along similar lines may already be in progress. - -To submit a pull request via GitHub, fork the repository, create a topic branch from `master` for your work, and send a pull request when ready. If you would prefer to send a patch or grant access to pull from your own Git repository, please contact the project's contributors by e-mail. - -To contribute an implementation of a feature defined by a version of the SPDX specification later than the one supported by the current SPDX Tools release, clone the branch `spec/X.X`, where X.X is the major.minor version of the targeted specification (e.g. "3.0"). - -Once implemented, submit a pull request with `spec/X.X` branch as the parent branch. - -Licensing ---------- - -However you choose to contribute, please sign-off in each of your commits that you license your contributions under the terms of [the Developer Certificate of Origin](https://developercertificate.org/). Git has utilities for signing off on commits: `git commit -s` signs a current commit, and `git rebase --signoff ` retroactively signs a range of past commits. From 9d127a9c94b6880b85603ccaf59b1ff27e37ab8f Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Sun, 28 Sep 2025 20:57:09 +0100 Subject: [PATCH 11/61] Add Javadoc build workflow Signed-off-by: Arthit Suriyawongkul --- .github/workflows/docs.yml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 .github/workflows/docs.yml diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml new file mode 100644 index 0000000..ff52f75 --- /dev/null +++ b/.github/workflows/docs.yml @@ -0,0 +1,36 @@ +name: Generate and publish API JavaDocs + +on: + push: + branches: [ master ] + +jobs: + docs: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + fetch-depth: 0 + + - name: Set up JDK + uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0 + with: + distribution: 'temurin' + java-version: 17 + + - name: Cache Maven packages + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + with: + path: ~/.m2 + key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} + + - name: Generate docs + run: mvn javadoc:javadoc + + - name: Deploy docs + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + publish_dir: ./target/reports/apidocs From f0c497ddadac14e8f45af0caf91a7066c2e5228c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 28 Sep 2025 02:56:31 +0000 Subject: [PATCH 12/61] Bump org.apache.maven.plugins:maven-gpg-plugin from 1.6 to 3.2.8 Bumps [org.apache.maven.plugins:maven-gpg-plugin](https://github.com/apache/maven-gpg-plugin) from 1.6 to 3.2.8. - [Release notes](https://github.com/apache/maven-gpg-plugin/releases) - [Commits](https://github.com/apache/maven-gpg-plugin/compare/maven-gpg-plugin-1.6...maven-gpg-plugin-3.2.8) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-gpg-plugin dependency-version: 3.2.8 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 24483bf..b457d8a 100644 --- a/pom.xml +++ b/pom.xml @@ -81,7 +81,7 @@ org.apache.maven.plugins maven-gpg-plugin - 1.6 + 3.2.8 sign-artifacts From ab405e8ad2d5966f4527129308551f441852bdfb Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Mon, 6 Oct 2025 11:06:42 -0700 Subject: [PATCH 13/61] Switch publishing from Sonatype to Central --- pom.xml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/pom.xml b/pom.xml index b457d8a..ddbfbbc 100644 --- a/pom.xml +++ b/pom.xml @@ -43,13 +43,6 @@ Github Actions https://github.com/spdx/tools-java/actions - - - ossrh - spdx-spdx-tools - https://oss.sonatype.org/service/local/staging/deploy/maven2/ - - UTF-8 https://sonarcloud.io @@ -209,6 +202,15 @@ + + org.sonatype.central + central-publishing-maven-plugin + 0.7.0 + true + + central + + org.owasp dependency-check-maven From de71b804784e4671b9b47fa712ee8a4449ed2d9e Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Mon, 6 Oct 2025 11:27:50 -0700 Subject: [PATCH 14/61] Update JavaDocs config Fixes #229 Also updates the Verify.java file to remove JavaDoc warnings and a few other minor cleanups --- pom.xml | 10 +++------- src/main/java/org/spdx/tools/Verify.java | 11 ++++------- 2 files changed, 7 insertions(+), 14 deletions(-) diff --git a/pom.xml b/pom.xml index ddbfbbc..79fede0 100644 --- a/pom.xml +++ b/pom.xml @@ -253,19 +253,15 @@ org.apache.maven.plugins maven-javadoc-plugin - 2.10.4 + 3.11.3 true - 8 - ${env.JAVA_HOME}/bin/javadoc - -Xdoclint:none + true + all,-missing attach-javadocs - - ${javadoc.opts} - jar diff --git a/src/main/java/org/spdx/tools/Verify.java b/src/main/java/org/spdx/tools/Verify.java index 0942914..d4d050d 100644 --- a/src/main/java/org/spdx/tools/Verify.java +++ b/src/main/java/org/spdx/tools/Verify.java @@ -70,7 +70,7 @@ public static void main(String[] args) { System.exit(ERROR_STATUS); } if (args.length > MAX_ARGS) { - System.out.printf("Warning: Extra arguments will be ignored"); + System.out.println("Warning: Extra arguments will be ignored"); } SpdxToolsHelper.initialize(); List verify = null; @@ -104,20 +104,20 @@ public static void main(String[] args) { errors.add(verifyMsg); } } - if (errors.size() > 0) { + if (!errors.isEmpty()) { System.out.println("This SPDX Document is not valid due to:"); for (String errorMsg:errors) { System.out.print("\t" + errorMsg+"\n"); } } - if (warnings.size() > 0) { + if (!warnings.isEmpty()) { System.out.println("Warning: Deprecated license identifiers were found that should no longer be used.\n" + "References to the following deprecated license ID's should be updated:"); for (String warningMsg:warnings) { System.out.print("\t" + warningMsg+"\n"); } } - if (errors.size() == 0) { + if (errors.isEmpty()) { System.out.println("This SPDX Document is valid."); } else { System.exit(ERROR_STATUS); @@ -127,10 +127,7 @@ public static void main(String[] args) { /** * Verify a an SPDX file * @param filePath File path to the SPDX file to be verified - * @param fileType * @return A list of verification errors - if empty, the SPDX file is valid - * @throws InvalidFileNameException on invalid file name or file not found - * @throws IOException on IO error * @throws SpdxVerificationException where the SPDX file can not be parsed or the filename is invalid */ public static List verify(String filePath, SerFileType fileType) throws SpdxVerificationException { From 83fc970b9ad30865515255efb64b9081fae83084 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Oct 2025 16:16:15 +0000 Subject: [PATCH 15/61] Bump org.owasp:dependency-check-maven from 12.1.6 to 12.1.8 Bumps [org.owasp:dependency-check-maven](https://github.com/dependency-check/DependencyCheck) from 12.1.6 to 12.1.8. - [Release notes](https://github.com/dependency-check/DependencyCheck/releases) - [Changelog](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md) - [Commits](https://github.com/dependency-check/DependencyCheck/compare/v12.1.6...v12.1.8) --- updated-dependencies: - dependency-name: org.owasp:dependency-check-maven dependency-version: 12.1.8 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 79fede0..863dacf 100644 --- a/pom.xml +++ b/pom.xml @@ -48,7 +48,7 @@ https://sonarcloud.io spdx tools-java - 12.1.6 + 12.1.8 11 -Xdoclint:none From 1b5ec335eea26482b5f78cbd0589ac800281752b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Oct 2025 16:21:20 +0000 Subject: [PATCH 16/61] Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.11.3 to 3.12.0 Bumps [org.apache.maven.plugins:maven-javadoc-plugin](https://github.com/apache/maven-javadoc-plugin) from 3.11.3 to 3.12.0. - [Release notes](https://github.com/apache/maven-javadoc-plugin/releases) - [Commits](https://github.com/apache/maven-javadoc-plugin/compare/maven-javadoc-plugin-3.11.3...maven-javadoc-plugin-3.12.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-javadoc-plugin dependency-version: 3.12.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 79fede0..a31cafc 100644 --- a/pom.xml +++ b/pom.xml @@ -253,7 +253,7 @@ org.apache.maven.plugins maven-javadoc-plugin - 3.11.3 + 3.12.0 true true From 6fb32b711bbd2ac6a2950044b45e28a2b3651ff3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Oct 2025 16:21:13 +0000 Subject: [PATCH 17/61] Bump org.apache.maven.plugins:maven-enforcer-plugin from 3.6.1 to 3.6.2 Bumps [org.apache.maven.plugins:maven-enforcer-plugin](https://github.com/apache/maven-enforcer) from 3.6.1 to 3.6.2. - [Release notes](https://github.com/apache/maven-enforcer/releases) - [Commits](https://github.com/apache/maven-enforcer/compare/enforcer-3.6.1...enforcer-3.6.2) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-enforcer-plugin dependency-version: 3.6.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index e2ec9e6..ba34074 100644 --- a/pom.xml +++ b/pom.xml @@ -222,7 +222,7 @@ org.apache.maven.plugins maven-enforcer-plugin - 3.6.1 + 3.6.2 enforce-java From b51b10dc5f1e9f46c3f78a43cc56fe6c0d2e5778 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Oct 2025 16:13:23 +0000 Subject: [PATCH 18/61] Bump org.apache.maven.plugins:maven-release-plugin from 3.0.1 to 3.1.1 Bumps [org.apache.maven.plugins:maven-release-plugin](https://github.com/apache/maven-release) from 3.0.1 to 3.1.1. - [Release notes](https://github.com/apache/maven-release/releases) - [Commits](https://github.com/apache/maven-release/compare/maven-release-3.0.1...maven-release-3.1.1) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-release-plugin dependency-version: 3.1.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index ba34074..021f73c 100644 --- a/pom.xml +++ b/pom.xml @@ -354,7 +354,7 @@ org.apache.maven.plugins maven-release-plugin - 3.0.1 + 3.1.1 v@{project.version} release From 979c34cac6f45eace562e301ca0a901d5be0d012 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Oct 2025 16:15:28 +0000 Subject: [PATCH 19/61] Bump org.sonatype.central:central-publishing-maven-plugin Bumps [org.sonatype.central:central-publishing-maven-plugin](https://github.com/sonatype/central-publishing-maven-plugin) from 0.7.0 to 0.9.0. - [Commits](https://github.com/sonatype/central-publishing-maven-plugin/commits) --- updated-dependencies: - dependency-name: org.sonatype.central:central-publishing-maven-plugin dependency-version: 0.9.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 021f73c..1c72fba 100644 --- a/pom.xml +++ b/pom.xml @@ -205,7 +205,7 @@ org.sonatype.central central-publishing-maven-plugin - 0.7.0 + 0.9.0 true central From cd8332cab3ac40d47ee92603939c7544ec36e179 Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Wed, 15 Oct 2025 10:38:18 -0700 Subject: [PATCH 20/61] Suppress false positives in dependency track report --- dependency-check-supress.xml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/dependency-check-supress.xml b/dependency-check-supress.xml index 442d77a..0eb63bd 100644 --- a/dependency-check-supress.xml +++ b/dependency-check-supress.xml @@ -1,4 +1,19 @@ - + + + ^pkg:maven/com\.ibm\.icu/icu4j@.*$ + CVE-2025-5222 + + + + ^pkg:maven/org\.spdx/spdx-java-model-2_X@.*$ + cpe:/a:x.org:x.org + \ No newline at end of file From cece6e2de1a4cbaf7259998107bff04f5243a3d8 Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Wed, 15 Oct 2025 10:49:31 -0700 Subject: [PATCH 21/61] [maven-release-plugin] prepare release v2.0.2 --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 1c72fba..59639da 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ org.spdx tools-java - 2.0.2-SNAPSHOT + 2.0.2 jar tools-java @@ -32,7 +32,7 @@ https://github.com/spdx/tools-java scm:git:git@github.com:spdx/tools-java.git scm:git:git@github.com:spdx/tools-java.git - master + v2.0.2 Github From c34ce2254bd39e35255ff956d0891669225b627b Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Wed, 15 Oct 2025 10:49:36 -0700 Subject: [PATCH 22/61] [maven-release-plugin] prepare for next development iteration --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 59639da..a47a2b1 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ org.spdx tools-java - 2.0.2 + 2.0.3-SNAPSHOT jar tools-java @@ -32,7 +32,7 @@ https://github.com/spdx/tools-java scm:git:git@github.com:spdx/tools-java.git scm:git:git@github.com:spdx/tools-java.git - v2.0.2 + master Github From 23bd470259f55641eb72b0c5d733edac014a4554 Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Mon, 27 Oct 2025 11:50:14 -0700 Subject: [PATCH 23/61] Update README with current tools version --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 79dcb8e..2037d3b 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,7 @@ If you are a developer, there are examples in the [examples folder](examples/org The command line interface of the SPDX Tools can be used like this: - java -jar tools-java-2.0.1-jar-with-dependencies.jar + java -jar tools-java-2.0.2-jar-with-dependencies.jar ## SPDX format converters From d6fc9a505f90b7ed4ab23e5e21453ccf40f2b39b Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Thu, 30 Oct 2025 15:26:00 -0700 Subject: [PATCH 24/61] Draft example Java file to generate a full SPDX V3 JSONLD file --- .../ExistingSpdxDocumentV2Compat.java | 4 +- .../org/spdx/examples/FullSpdxV3Example.java | 308 ++++++++++++++++++ tools-java.iml | 8 + 3 files changed, 318 insertions(+), 2 deletions(-) create mode 100644 examples/org/spdx/examples/FullSpdxV3Example.java create mode 100644 tools-java.iml diff --git a/examples/org/spdx/examples/ExistingSpdxDocumentV2Compat.java b/examples/org/spdx/examples/ExistingSpdxDocumentV2Compat.java index 584fdce..093dd7b 100644 --- a/examples/org/spdx/examples/ExistingSpdxDocumentV2Compat.java +++ b/examples/org/spdx/examples/ExistingSpdxDocumentV2Compat.java @@ -30,9 +30,9 @@ * for this example is assumed to be JSON (e.g. the output of the SimpleSpdxDocumentV2Compat example). * Different format can be used by using the associated store rather than the spdx-jackson store * (e.g. spdx-spreadsheet-store, spdx-tagvalue-store, or the spdx-rdf-store). - * + *

* This example depends on the Spdx-Java-Library and the spdx-java-jackson store libraries - * + *

* @author Gary O'Neall */ public class ExistingSpdxDocumentV2Compat { diff --git a/examples/org/spdx/examples/FullSpdxV3Example.java b/examples/org/spdx/examples/FullSpdxV3Example.java new file mode 100644 index 0000000..b2fd183 --- /dev/null +++ b/examples/org/spdx/examples/FullSpdxV3Example.java @@ -0,0 +1,308 @@ +package org.spdx.examples; + + +import org.spdx.core.DefaultModelStore; +import org.spdx.core.IModelCopyManager; +import org.spdx.core.InvalidSPDXAnalysisException; +import org.spdx.library.LicenseInfoFactory; +import org.spdx.library.ModelCopyManager; +import org.spdx.library.SpdxModelFactory; +import org.spdx.library.model.v2.SpdxConstantsCompatV2; +import org.spdx.library.model.v3_0_1.SpdxConstantsV3; +import org.spdx.library.model.v3_0_1.SpdxModelClassFactoryV3; +import org.spdx.library.model.v3_0_1.core.*; +import org.spdx.library.model.v3_0_1.simplelicensing.AnyLicenseInfo; +import org.spdx.library.model.v3_0_1.software.*; +import org.spdx.storage.IModelStore; +import org.spdx.storage.ISerializableModelStore; +import org.spdx.storage.simple.InMemSpdxStore; +import org.spdx.v3jsonldstore.JsonLDStore; + +import java.io.File; +import java.io.FileOutputStream; +import java.io.OutputStream; +import java.time.LocalDateTime; +import java.time.format.DateTimeFormatter; +import java.util.ArrayList; + +/** + * This class attempts to implement all the SPDX specification classes and most of the properties. + *

+ * It will generate a resulting serialization that can be used as a full serialization example. + *

+ *

+ * This example is current as of the version 3.0.1 of the SPDX Specification + *

+ */ +public class FullSpdxV3Example { + + static final DateTimeFormatter SPDX_DATE_FORMATTER = DateTimeFormatter.ofPattern(SpdxConstantsCompatV2.SPDX_DATE_FORMAT); + /** + * @param args args[0] is the file path for the output serialized file + */ + public static void main(String[] args) throws Exception { + if (args.length != 1) { + usage(); + System.exit(1); + } + File outFile = new File(args[0]); + if (outFile.exists()) { + System.out.printf("%s already exists.\n", args[0]); + System.exit(1); + } + if (!outFile.createNewFile()) { + System.out.printf("Unable to create file %s\n", args[0]); + System.exit(1); + } + if (!outFile.canWrite()) { + System.out.printf("Can not write to file %s\n", args[0]); + System.exit(1); + } + SpdxModelFactory.init(); + IModelCopyManager copyManager = new ModelCopyManager(); + try (ISerializableModelStore modelStore = new JsonLDStore(new InMemSpdxStore())) { + String prefix = "https://spdx.github.io/spdx-spec/v3.0.1/examples/full-example-eaa46bdcfa20#"; + DefaultModelStore.initialize(modelStore, prefix, copyManager); + CreationInfo creationInfo = SpdxModelClassFactoryV3.createCreationInfo( + modelStore, prefix + "garyagent", "Gary O'Neall", + copyManager); + SpdxDocument doc = creationInfo.createSpdxDocument(prefix + "document") + .setDataLicense(LicenseInfoFactory.getListedLicenseById("CC0")) + .addNamespaceMap(creationInfo.createNamespaceMap(modelStore.getNextId(IModelStore.IdType.Anonymous)) + .setNamespace(prefix) + .setPrefix("example") + .build()) + .addProfileConformance(ProfileIdentifierType.CORE) + .addProfileConformance(ProfileIdentifierType.SOFTWARE) + .addProfileConformance(ProfileIdentifierType.BUILD) + .addProfileConformance(ProfileIdentifierType.AI) + .addProfileConformance(ProfileIdentifierType.DATASET) + .addProfileConformance(ProfileIdentifierType.SECURITY) + .addProfileConformance(ProfileIdentifierType.EXPANDED_LICENSING) + .build(); + addCoreClasses(prefix, doc); + Sbom sbom = addSoftwareClasses(prefix, doc); + try (OutputStream outStream = new FileOutputStream(outFile)) { + modelStore.serialize(outStream); + } + } + } + + private static void addCoreClasses(String prefix, SpdxDocument doc) throws InvalidSPDXAnalysisException { + // Agent - Abstract, already in creation info + // Annotation + doc.getElements().add(doc.createAnnotation(prefix + "docannotation") + .setStatement("This document is for example purposes only") + .setAnnotationType(AnnotationType.OTHER) + .setSubject(doc) + .build()); + // Artifact - Abstract - used in software package and several others + // Bom - will be used as an AI BOM and software BOM + // Bundle + doc.getElements().add(doc.createBundle(prefix + "bundle") + .setComment("This is just an example of a concrete Bundle class - the elements are not used elsewhere in the SPDX document") + .setContext("Custom Licenses") + .addElement(doc.createCustomLicense(prefix + "LicenseRef-CustomLicense1") + .setLicenseText("This is a custom license text number one.") + .build()) + .addElement(doc.createCustomLicense(prefix + "LicenseRef-CustomLicense2") + .setLicenseText("This is a custom license text number two.") + .build()) + .build()); + // CreationInfo - Already created + // DictionaryEntry - TODO: Change to make sure it has been created + // Element - Abstract + // ElementCollection - Abstract + // ExternalIdentifier - TODO: Change to make sure it has been created + // Organization + doc.getCreationInfo().getCreatedBys().add(doc.createOrganization(prefix + "spdxorg") + .setName("System Package Data Exchange (SPDX)") + .build()); + // ExternalMap + String orgLocation = "https://external/organization/spdxdata"; + String orgPrefix = orgLocation + "#"; + String orgUri = orgPrefix + "org"; + ExternalOrganization externalOrg = new ExternalOrganization(doc.getModelStore(), + orgUri, doc.getCopyManager(), + true, orgLocation); + doc.getCreationInfo().getCreatedBys().add(externalOrg); + doc.getSpdxImports().add(doc.createExternalMap(doc.getModelStore().getNextId(IModelStore.IdType.Anonymous)) + .setExternalSpdxId(orgUri) + .setLocationHint(orgLocation) + .build()); + // Hash - Used in file + // IndividualElement - Used in software package originated by + // IntegrityMethod - Used in file and package + // LifecycleScopedRelationship - TODO: Change to make sure it has been created + // NamespaceMap - Used in doc already + // PackageVerificationCode - Going to ignore - deprecated + // Person - Used in creation info + // PositiveIntegerRange - TODO: Change to make sure it has been created + // Relationship - Used in software + // SoftwareAgent + doc.getCreationInfo().getCreatedBys().add(doc.createSoftwareAgent(prefix + "softwareagent") + .setName("SPDX Spec Github CI") + .build()); + // SpdxDocument - already used + // ExternalRef + // Tool + doc.getCreationInfo().getCreatedUsings().add(doc.createTool(prefix + "creationtool") + .setName("tools-java") + .setComment("Created by the FullSpdxV3Example.java utility in tools-java") + .addExternalRef(doc.createExternalRef(doc.getModelStore().getNextId(IModelStore.IdType.Anonymous)) + .setExternalRefType(ExternalRefType.MAVEN_CENTRAL) + .addLocator("org.spdx:tools-java") + .build()) + .build()); + + } + + private static Sbom addSoftwareClasses(String prefix, SpdxDocument doc) throws InvalidSPDXAnalysisException { + // Sbom + Sbom sbom = doc.createSbom(prefix + "aibom") + .setName("AI SBOM") + .addSbomType(SbomType.ANALYZED) + .addProfileConformance(ProfileIdentifierType.CORE) + .addProfileConformance(ProfileIdentifierType.SOFTWARE) + .addProfileConformance(ProfileIdentifierType.BUILD) + .addProfileConformance(ProfileIdentifierType.SECURITY) + .addProfileConformance(ProfileIdentifierType.EXPANDED_LICENSING) + .build(); + doc.getElements().add(sbom); + doc.getRootElements().add(sbom); + // Package + SpdxPackage pkg = doc.createSpdxPackage(prefix + "tools-java") + .setName("tools-java") + .setPrimaryPurpose(SoftwarePurpose.APPLICATION) + .addAdditionalPurpose(SoftwarePurpose.LIBRARY) + .addAttributionText("Maintained by the SPDX Community") + .setBuiltTime(LocalDateTime.of(2025, 10, 15, 9, 10) + .format(SPDX_DATE_FORMATTER)) + // ContentIdentifier + .addContentIdentifier(doc.createContentIdentifier(doc.getModelStore().getNextId(IModelStore.IdType.Anonymous)) + .setContentIdentifierType(ContentIdentifierType.GITOID) + .setContentIdentifierValue("23bd470259f55641eb72b0c5d733edac014a4554") + .build()) + .setCopyrightText("Copyright (c) Source Auditor Inc.") + .setDescription("A command-line utility for creating, converting, comparing, and validating SPDX documents across multiple formats.") + .setDownloadLocation("https://github.com/spdx/tools-java/releases/download/v2.0.2/tools-java-2.0.2.zip") + .addExternalIdentifier(doc.createExternalIdentifier(doc.getModelStore().getNextId(IModelStore.IdType.Anonymous)) + .setExternalIdentifierType(ExternalIdentifierType.URL_SCHEME) + .setIdentifier("https://github.com/spdx/tools-java") + .setIssuingAuthority("GitHub") + .build()) + .addExternalRef(doc.createExternalRef(doc.getModelStore().getNextId(IModelStore.IdType.Anonymous)) + .setExternalRefType(ExternalRefType.MAVEN_CENTRAL) + .addLocator("org.spdx:tools-java:jar:2.0.2") + .build()) + .setPackageUrl("pkg:maven/org.spdx/tools-java@2.0.2") + .setPackageVersion("2.0.2") + .setReleaseTime(LocalDateTime.of(2025, 10, 15, 11, 50) + .format(SPDX_DATE_FORMATTER)) + .setSourceInfo("This package came from the original source - the official SPDX GitHub repo and build process") + .addStandardName("SPDX Version 2.X and SPDX Version 3.0") + .setHomePage("https://github.com/spdx/tools-java") + .addOriginatedBy(new SpdxOrganization()) + .setSuppliedBy(new SpdxOrganization()) + .setSummary("A command-line utility for creating, converting, comparing, and validating SPDX documents across multiple formats.") + .addSupportLevel(SupportType.LIMITED_SUPPORT) + .setValidUntilTime(LocalDateTime.of(2027, 10, 15, 9, 10) + .format(SPDX_DATE_FORMATTER)) + .addVerifiedUsing(doc.createHash(doc.getModelStore().getNextId(IModelStore.IdType.Anonymous)) + .setAlgorithm(HashAlgorithm.SHA256) + .setHashValue("c37ce759c3867780d55791a1804101d288fa921e77ed791e6c053fd5d7513d0d") + .build()) + .build(); + doc.getElements().add(pkg); + sbom.getElements().add(pkg); + sbom.getRootElements().add(pkg); + // File + SpdxFile sourceFile = doc.createSpdxFile(prefix + "example-source") + .setPrimaryPurpose(SoftwarePurpose.SOURCE) + .setContentType("text/plain") + .setCopyrightText("Copyright (c) 2025 Source Auditor Inc.") + .setFileKind(FileKindType.FILE) + .setName("./examples/org/spdx/examples/FullSpdxV3Example.java") + .build(); + sbom.getElements().add(sourceFile); + doc.getElements().add(sourceFile); + // Relationships - declared license, concluded license, generated from + doc.getElements().add(doc.createRelationship(prefix + "example-source-to-pkg") + .setRelationshipType(RelationshipType.GENERATES) + .setFrom(sourceFile) + .addTo(pkg) + .build()); + AnyLicenseInfo declared = LicenseInfoFactory.parseSPDXLicenseString("Apache-2.0", + doc.getModelStore(), prefix, doc.getCopyManager(), new ArrayList<>()); + AnyLicenseInfo concluded = LicenseInfoFactory.parseSPDXLicenseString("Apache-2.0", + doc.getModelStore(), prefix, doc.getCopyManager(), new ArrayList<>()); + doc.getElements().add(doc.createRelationship(prefix + "source-declared") + .setRelationshipType(RelationshipType.HAS_DECLARED_LICENSE) + .setFrom(sourceFile) + .addTo(declared) + .build()); + doc.getElements().add(doc.createRelationship(prefix + "source-concluded") + .setRelationshipType(RelationshipType.HAS_CONCLUDED_LICENSE) + .setFrom(sourceFile) + .addTo(concluded) + .build()); + doc.getElements().add(doc.createRelationship(prefix + "pkg-declared") + .setRelationshipType(RelationshipType.HAS_DECLARED_LICENSE) + .setFrom(pkg) + .addTo(declared) + .build()); + doc.getElements().add(doc.createRelationship(prefix + "pkg-concluded") + .setRelationshipType(RelationshipType.HAS_CONCLUDED_LICENSE) + .setFrom(pkg) + .addTo(concluded) + .build()); + // Snippet + Snippet snippet = doc.createSnippet(prefix + "snippet") + .addAttributionText("Example code created by Gary O'Neall") + .setDescription("Main method for the FullSpdxV3Example.java") + .setCopyrightText("Copyright (c) 2025 Source Auditor Inc.") + .setByteRange(doc.createPositiveIntegerRange(doc.getModelStore().getNextId(IModelStore.IdType.Anonymous)) + .setBeginIntegerRange(43) + .setEndIntegerRange(89) + .build()) + .setLineRange(doc.createPositiveIntegerRange(doc.getModelStore().getNextId(IModelStore.IdType.Anonymous)) + .setBeginIntegerRange(1548) + .setEndIntegerRange(3955) + .build()) + .setName("main(String[] args)") + .setSnippetFromFile(sourceFile) + .build(); + doc.getElements().add(snippet); + sbom.getElements().add(snippet); + doc.getElements().add(doc.createRelationship(prefix + "snippet-declared") + .setRelationshipType(RelationshipType.HAS_DECLARED_LICENSE) + .setFrom(snippet) + .addTo(declared) + .build()); + doc.getElements().add(doc.createRelationship(prefix + "snippet-concluded") + .setRelationshipType(RelationshipType.HAS_CONCLUDED_LICENSE) + .setFrom(snippet) + .addTo(concluded) + .build()); + // SoftwareArtifact - Abstract + return sbom; + } + + + private static void addAIandDataClasses(String prefix, SpdxDocument doc) throws InvalidSPDXAnalysisException { + Bom aiBom = doc.createBom(prefix + "aibom") + .setName("AI SBOM") + .addProfileConformance(ProfileIdentifierType.CORE) + .addProfileConformance(ProfileIdentifierType.SOFTWARE) + .addProfileConformance(ProfileIdentifierType.AI) + .addProfileConformance(ProfileIdentifierType.DATASET) + .build(); + doc.getElements().add(aiBom); + doc.getRootElements().add(aiBom); + } + + private static void usage() { + System.out.println("Generates an SPDX JSON-LD file containing all of the supported classes."); + System.out.println("Usage: FullSpdxV3Example outputfile"); + } +} diff --git a/tools-java.iml b/tools-java.iml new file mode 100644 index 0000000..ae72666 --- /dev/null +++ b/tools-java.iml @@ -0,0 +1,8 @@ + + + + + + + + \ No newline at end of file From 6919563e8bf5f7c3090209d619febe688905cc53 Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Sun, 2 Nov 2025 13:56:32 -0800 Subject: [PATCH 25/61] Complete SPDX V3 example generation The following classes are not included: Extension - due to validation issue ExploitCatalogVulnAssessmentRelationship - due to an inconsistency with the locator property between the Java generated code and the current JSON schema Signed-off-by: Gary O'Neall --- .../org/spdx/examples/FullSpdxV3Example.java | 982 ++++++++++++++---- .../spdx/examples/SpdxExtensionExample.java | 28 + src/main/java/org/spdx/tools/Verify.java | 6 +- 3 files changed, 790 insertions(+), 226 deletions(-) create mode 100644 examples/org/spdx/examples/SpdxExtensionExample.java diff --git a/examples/org/spdx/examples/FullSpdxV3Example.java b/examples/org/spdx/examples/FullSpdxV3Example.java index b2fd183..2a42eb6 100644 --- a/examples/org/spdx/examples/FullSpdxV3Example.java +++ b/examples/org/spdx/examples/FullSpdxV3Example.java @@ -1,6 +1,13 @@ package org.spdx.examples; +import com.fasterxml.jackson.databind.JsonNode; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.fasterxml.jackson.databind.SerializationFeature; +import com.networknt.schema.JsonSchema; +import com.networknt.schema.JsonSchemaFactory; +import com.networknt.schema.SpecVersion; +import com.networknt.schema.ValidationMessage; import org.spdx.core.DefaultModelStore; import org.spdx.core.IModelCopyManager; import org.spdx.core.InvalidSPDXAnalysisException; @@ -8,22 +15,36 @@ import org.spdx.library.ModelCopyManager; import org.spdx.library.SpdxModelFactory; import org.spdx.library.model.v2.SpdxConstantsCompatV2; -import org.spdx.library.model.v3_0_1.SpdxConstantsV3; import org.spdx.library.model.v3_0_1.SpdxModelClassFactoryV3; +import org.spdx.library.model.v3_0_1.ai.AIPackage; +import org.spdx.library.model.v3_0_1.ai.EnergyUnitType; +import org.spdx.library.model.v3_0_1.ai.SafetyRiskAssessmentType; +import org.spdx.library.model.v3_0_1.build.Build; import org.spdx.library.model.v3_0_1.core.*; +import org.spdx.library.model.v3_0_1.dataset.ConfidentialityLevelType; +import org.spdx.library.model.v3_0_1.dataset.DatasetAvailabilityType; +import org.spdx.library.model.v3_0_1.dataset.DatasetPackage; +import org.spdx.library.model.v3_0_1.dataset.DatasetType; +import org.spdx.library.model.v3_0_1.expandedlicensing.ExtendableLicense; +import org.spdx.library.model.v3_0_1.extension.Extension; +import org.spdx.library.model.v3_0_1.security.*; import org.spdx.library.model.v3_0_1.simplelicensing.AnyLicenseInfo; +import org.spdx.library.model.v3_0_1.simplelicensing.SimpleLicensingText; import org.spdx.library.model.v3_0_1.software.*; import org.spdx.storage.IModelStore; -import org.spdx.storage.ISerializableModelStore; import org.spdx.storage.simple.InMemSpdxStore; +import org.spdx.tools.Verify; import org.spdx.v3jsonldstore.JsonLDStore; -import java.io.File; -import java.io.FileOutputStream; -import java.io.OutputStream; +import java.io.*; import java.time.LocalDateTime; import java.time.format.DateTimeFormatter; import java.util.ArrayList; +import java.util.List; +import java.util.Set; + +import static org.spdx.tools.Verify.JSON_SCHEMA_RESOURCE_V3; + /** * This class attempts to implement all the SPDX specification classes and most of the properties. @@ -37,6 +58,709 @@ public class FullSpdxV3Example { static final DateTimeFormatter SPDX_DATE_FORMATTER = DateTimeFormatter.ofPattern(SpdxConstantsCompatV2.SPDX_DATE_FORMAT); + static final ObjectMapper JSON_MAPPER = new ObjectMapper().enable(SerializationFeature.INDENT_OUTPUT); + + static class ExampleBuilder { + private String prefix = null; + private SpdxDocument doc = null; + private Sbom sBom = null; + private Bom aiBom = null; + private SpdxPackage pkg = null; + + public ExampleBuilder(String prefix, SpdxDocument doc) { + this.prefix = prefix; + this.doc = doc; + } + + void build() throws InvalidSPDXAnalysisException { + addCoreClasses(); + addSoftwareClasses(); + addAIandDataClasses(); + addSecurityClasses(); + addSimpleLicensingClasses(); + addExpandedLicensingClasses(); + addBuildClasses(); + addExtensionClasses(); + } + + private String getNextAnonId() throws InvalidSPDXAnalysisException { + return doc.getModelStore().getNextId(IModelStore.IdType.Anonymous); + } + + private void addExtensionClasses() throws InvalidSPDXAnalysisException { + // SpdxExtensionExample extension = new SpdxExtensionExample(doc.getModelStore(), prefix + "extension", doc.getCopyManager(), true, prefix); + // This currently causes a schema validation issue and depends on a fix in the v3JsonLD store + // extension.setExtensionProperty("Extension property value"); + // TODO: Add this back in after validation issues are addressed + Extension extension = doc.createCdxPropertiesExtension(prefix + "extension") + .addCdxProperty(doc.createCdxPropertyEntry(getNextAnonId()) + .setCdxPropName("cdxProperty") + .setCdxPropValue("value") + .build()) + .build(); + doc.getExtensions().add(extension); + } + + private void addBuildClasses() throws InvalidSPDXAnalysisException { + Build build = doc.createBuild(prefix + "build") + .setBuildType("https://github.com/spdx/tools-java/blob/master/pom.xml") + .setComment("Builds use the maven-release-plugin") + .setBuildStartTime(LocalDateTime.of(2025, 10, 15, 11, 42) + .format(SPDX_DATE_FORMATTER)) + .setBuildEndTime(LocalDateTime.of(2025, 10, 15, 11, 50) + .format(SPDX_DATE_FORMATTER)) + .addConfigSourceDigest(doc.createHash(getNextAnonId()) + .setAlgorithm(HashAlgorithm.SHA256) + .setHashValue("cc75cc9bfad1fb047f15fd60fe48806a9614c17bfee073e79e5ac3bd3e5d5271 ") + .build()) + .addConfigSourceEntrypoint("release") + .addConfigSourceUri("https://repo1.maven.org/maven2/org/spdx/tools-java/2.0.2/tools-java-2.0.2.pom") + .addEnvironment(doc.createDictionaryEntry(getNextAnonId()) + .setKey("OS") + .setValue("Windows11") + .build()) + .addParameter(doc.createDictionaryEntry(getNextAnonId()) + .setKey("Next Snapshot Version") + .setValue("2.0.3-SNAPSHOT") + .build()) + .build(); + + // hasInput relationship + SpdxFile pomFile = doc.createSpdxFile(prefix + "pomfile") + .setName("pom.xml") + .setFileKind(FileKindType.FILE) + .addVerifiedUsing(doc.createHash(getNextAnonId()) + .setAlgorithm(HashAlgorithm.SHA256) + .setHashValue("cc75cc9bfad1fb047f15fd60fe48806a9614c17bfee073e79e5ac3bd3e5d5271") + .build()) + .build(); + doc.getElements().add(pomFile); + sBom.getElements().add(pomFile); + SpdxFile srcDir = doc.createSpdxFile(prefix + "src") + .setName("src") + .setFileKind(FileKindType.DIRECTORY) + .build(); + doc.getElements().add(srcDir); + sBom.getElements().add(srcDir); + Relationship hasInput = doc.createLifecycleScopedRelationship(prefix + "hasinput") + .setRelationshipType(RelationshipType.HAS_INPUT) + .setCompleteness(RelationshipCompleteness.INCOMPLETE) + .setScope(LifecycleScopeType.BUILD) + .setFrom(build) + .addTo(srcDir) + .addTo(pomFile) + .build(); + doc.getElements().add(hasInput); + SpdxFile jarWithDependencies = doc.createSpdxFile(prefix + "jarwdeps") + .setName("tools-java-2.0.2-jar-with-dependencies.jar") + .setFileKind(FileKindType.FILE) + .addVerifiedUsing(doc.createHash(getNextAnonId()) + .setAlgorithm(HashAlgorithm.SHA256) + .setHashValue("3b326e4ea0e901d71a58627ca14c7d7ec36fc7bdb01308a78de99de2171c7904") + .build()) + .build(); + doc.getElements().add(jarWithDependencies); + Relationship hasOutput = doc.createRelationship(prefix + "hasoutput") + .setRelationshipType(RelationshipType.HAS_OUTPUT) + .setCompleteness(RelationshipCompleteness.INCOMPLETE) + .setFrom(build) + .addTo(jarWithDependencies) + .build(); + doc.getElements().add(hasOutput); + } + + private void addExpandedLicensingClasses() throws InvalidSPDXAnalysisException { + // ConjunctiveLicenseSet + AnyLicenseInfo complexLicense = doc.createConjunctiveLicenseSet(prefix + "complexlicense") + // CustomLicense + .addMember(doc.createCustomLicense(prefix + "LicenseRef-customlicense1") + .setLicenseText("This is the license text for my custom license") + .setName("Gary's Custom License") + .addSeeAlso("https://example.com") + .build()) + // OrLaterOperator + .addMember(doc.createOrLaterOperator(prefix + "complexorlater") + // ListedLicense + .setSubjectLicense(doc.createListedLicense("https://spdx.org/licenses/EPL-1.0") + .setName("Eclipse Public License 1.0") + .setLicenseText("Eclipse Public License - v 1.0\n\nTHE ACCOMPANYING PROGRAM IS PROVIDED" + + " UNDER THE TERMS OF THIS ECLIPSE PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION " + + "OR DISTRIBUTION OF THE PROGRAM CONSTITUTES RECIPIENTS ACCEPTANCE OF THIS AGREEMENT.\n\n1. " + + "DEFINITIONS\n\n\"Contribution\" means:\n a) in the case of the initial Contributor...") + .setIsFsfLibre(true) + .setComment("EPL replaced the CPL on 28 June 2005.") + .addSeeAlso("https://opensource.org/licenses/EPL-1.0") + .build()) + .build()) + // DisjunctiveLicenseSet + .addMember(doc.createDisjunctiveLicenseSet(prefix + "complexdisjunctive") + // WithAdditionOperator + .addMember(doc.createWithAdditionOperator(prefix + "complexwith") + .setSubjectExtendableLicense((ExtendableLicense) LicenseInfoFactory.parseSPDXLicenseString("GPL-2.0-or-later")) + // ListedLicenseException + .setSubjectAddition(doc.createListedLicenseException("http://spdx.org/licenses/Autoconf-exception-2.0") + .setName("Autoconf exception 2.0") + .setComment("Typically used with GPL-2.0-only or GPL-2.0-or-later") + .setAdditionText("As a special exception, the Free Software Foundation gives unlimited " + + "permission to copy, distribute and modify the ...") + .addSeeAlso("http://ftp.gnu.org/gnu/autoconf/autoconf-2.59.tar.gz") + .build()) + .build()) + .addMember(doc.createWithAdditionOperator(prefix + "complexwithcustomaddition") + .setSubjectExtendableLicense((ExtendableLicense) LicenseInfoFactory.parseSPDXLicenseString("Apache-2.0")) + // CustomLicenseAddition + .setSubjectAddition(doc.createCustomLicenseAddition(prefix + "complexcustomaddition") + .setName("My License Addition") + .setAdditionText("Custom addition text - just for me") + .addSeeAlso("https://example.com") + .build()) + .build()) + // ExtendableLicense - Abstract + // IndividualLicensingInfo - used by listed license + // License - Abstract + .addMember(LicenseInfoFactory.parseSPDXLicenseString("MIT")) + .build()) + .build(); + doc.getElements().add(complexLicense); + } + + private void addSimpleLicensingClasses() throws InvalidSPDXAnalysisException { + // SimpleLicensingText + String simpleLicenseId = "LicenseRef-simpletext"; + String simpleAdditionId = "LicenseRef-simpleaddition"; + SimpleLicensingText slt = doc.createSimpleLicensingText(prefix + simpleLicenseId) + .setLicenseText("This is the license text to go with my license expression") + .build(); + doc.getElements().add(slt); + SimpleLicensingText simpleaddition = doc.createSimpleLicensingText(prefix + simpleAdditionId) + .setLicenseText("This is the custom addition text") + .build(); + doc.getElements().add(simpleaddition); + // LicenseExpression + doc.getElements().add(doc.createLicenseExpression(prefix + "licenseexpression") + .setLicenseExpression("Apache-2.0 AND " + simpleLicenseId + " WITH " + simpleAdditionId) + .addCustomIdToUri(doc.createDictionaryEntry(getNextAnonId()) + .setKey(simpleLicenseId) + .setValue(prefix + simpleLicenseId) + .build()) + .addCustomIdToUri(doc.createDictionaryEntry(getNextAnonId()) + .setKey(simpleAdditionId) + .setValue(prefix + simpleAdditionId) + .build()) + .build()); + // AnyLicenseInfo - Abstract + } + + private void addSecurityClasses() throws InvalidSPDXAnalysisException { + // First - let's add a dependeny with a known vulnerability + SpdxPackage log4j = doc.createSpdxPackage(prefix + "log4j") + .setName("Apache Log4j 2") + .setPackageVersion("2.14.1") + .setPackageUrl("pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1") + .addExternalIdentifier(doc.createExternalIdentifier(getNextAnonId()) + .setExternalIdentifierType(ExternalIdentifierType.CPE23) + .setIssuingAuthority("NVD") + .setIdentifier("cpe:2.3:a:apache:log4j:2.14.1:-:*:*:*:*:*:*") + .build()) + .build(); + doc.getElements().add(log4j); + sBom.getElements().add(log4j); + Relationship depRelationship = doc.createRelationship(prefix + "log4jdep") + .setFrom(pkg) + .addTo(log4j) + .setRelationshipType(RelationshipType.HAS_DYNAMIC_LINK) + .setCompleteness(RelationshipCompleteness.INCOMPLETE) + .build(); + doc.getElements().add(depRelationship); + sBom.getElements().add(depRelationship); + // Since we don't want the vulnerabilities to be in the more static SBOMs, let's create a different collection + Bundle securityBundle = doc.createBundle(prefix + "securitybundle") + .setContext("Security information related to "+sBom.getObjectUri()) + .build(); + // Vulnerability + Vulnerability vuln = doc.createVulnerability(prefix + "log4jvuln") + .setSummary("Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups.") + .setDescription("Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not " + + "protect from uncontrolled recursion from self-referential lookups. This allows an attacker " + + "with control over ...") + .setPublishedTime(LocalDateTime.of(2021, 12, 18, 0, 0) + .format(SPDX_DATE_FORMATTER)) + .addExternalIdentifier(doc.createExternalIdentifier(getNextAnonId()) + .setExternalIdentifierType(ExternalIdentifierType.CVE) + .setIdentifier("CVE-2021-45105") + .addIdentifierLocator("https://www.cve.org/CVERecord?id=CVE-2021-45105") + .build()) + .addExternalRef(doc.createExternalRef(getNextAnonId()) + .setExternalRefType(ExternalRefType.SECURITY_ADVISORY) + .addLocator("https://nvd.nist.gov/vuln/detail/CVE-2021-45105") + .build()) + .build(); + doc.getElements().add(vuln); + securityBundle.getElements().add(vuln); + Relationship log4jVulnRel = doc.createRelationship(prefix + "log4jvulnrelationship") + .setRelationshipType(RelationshipType.HAS_ASSOCIATED_VULNERABILITY) + .setCompleteness(RelationshipCompleteness.INCOMPLETE) + .setFrom(log4j) + .addTo(vuln) + .build(); + doc.getElements().add(log4jVulnRel); + securityBundle.getElements().add(log4jVulnRel); + Relationship pkgVulnRel = doc.createRelationship(prefix + "pkgvulnrelationship") + .setRelationshipType(RelationshipType.HAS_ASSOCIATED_VULNERABILITY) + .setCompleteness(RelationshipCompleteness.INCOMPLETE) + .setFrom(pkg) + .addTo(vuln) + .build(); + doc.getElements().add(pkgVulnRel); + securityBundle.getElements().add(pkgVulnRel); + // CvssV2VulnAssessmentRelationship + Agent supplierAgent = doc.createAgent(prefix + "assessmentagent") + .setName("Supplier of Assessments") + .setComment("This would be the supplier of the vulnerability assessments") + .build(); + CvssV2VulnAssessmentRelationship cvssV2 = doc.createCvssV2VulnAssessmentRelationship(prefix + "cvssv2vuln") + .setRelationshipType(RelationshipType.HAS_ASSESSMENT_FOR) + .setFrom(vuln) + .addTo(log4j) + .setScore(5.0) + .setVectorString("(AV:N/AC:M/Au:N/C:P/I:N/A:N)") + .setAssessedElement(log4j) + .setSuppliedBy(supplierAgent) + .setPublishedTime(LocalDateTime.of(2023, 9, 18, 0, 0) + .format(SPDX_DATE_FORMATTER)) + .build(); + doc.getElements().add(cvssV2); + securityBundle.getElements().add(cvssV2); + // CvssV3VulnAssessmentRelationship + CvssV3VulnAssessmentRelationship cvssV3 = doc.createCvssV3VulnAssessmentRelationship(prefix + "cvssv3vuln") + .setRelationshipType(RelationshipType.HAS_ASSESSMENT_FOR) + .setFrom(vuln) + .addTo(log4j) + .setScore(5.0) + .setSeverity(CvssSeverityType.CRITICAL) + .setVectorString("CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H") + .setAssessedElement(log4j) + .setSuppliedBy(supplierAgent) + .setPublishedTime(LocalDateTime.of(2023, 9, 18, 0, 0) + .format(SPDX_DATE_FORMATTER)) + .build(); + doc.getElements().add(cvssV3); + securityBundle.getElements().add(cvssV3); + // CvssV4VulnAssessmentRelationship + CvssV4VulnAssessmentRelationship cvssV4 = doc.createCvssV4VulnAssessmentRelationship(prefix + "cvssv4vuln") + .setRelationshipType(RelationshipType.HAS_ASSESSMENT_FOR) + .setFrom(vuln) + .addTo(log4j) + .setScore(5.0) + .setSeverity(CvssSeverityType.CRITICAL) + .setVectorString("(AV:N/AC:M/Au:N/C:P/I:N/A:N)") + .setAssessedElement(log4j) + .setSuppliedBy(supplierAgent) + .setPublishedTime(LocalDateTime.of(2023, 9, 18, 0, 0) + .format(SPDX_DATE_FORMATTER)) + .build(); + doc.getElements().add(cvssV4); + securityBundle.getElements().add(cvssV4); + // EpssVulnAssessmentRelationship + EpssVulnAssessmentRelationship epss = doc.createEpssVulnAssessmentRelationship(prefix + "epss") + .setRelationshipType(RelationshipType.HAS_ASSESSMENT_FOR) + .setFrom(vuln) + .addTo(log4j) + .setProbability(0.01) + .setPercentile(0.4) + .setAssessedElement(log4j) + .setSuppliedBy(supplierAgent) + .setPublishedTime(LocalDateTime.of(2023, 9, 18, 0, 0) + .format(SPDX_DATE_FORMATTER)) + .build(); + doc.getElements().add(epss); + securityBundle.getElements().add(epss); + // ExploitCatalogVulnAssessmentRelationship + //TODO: The schema has "locator" for the field while the generated Java code has "securityLocator" + //Need to regenerate the library then uncomment the example below +// ExploitCatalogVulnAssessmentRelationship excat = doc.createExploitCatalogVulnAssessmentRelationship(prefix + "exploitcat") +// .setRelationshipType(RelationshipType.HAS_ASSESSMENT_FOR) +// .setFrom(vuln) +// .addTo(log4j) +// .setCatalogType(ExploitCatalogType.KEV) +// .setSecurityLocator("https://www.cisa.gov/known-exploited-vulnerabilities-catalog") +// .setExploited(true) +// .setAssessedElement(log4j) +// .setSuppliedBy(supplierAgent) +// .setPublishedTime(LocalDateTime.of(2023, 9, 18, 0, 0) +// .format(SPDX_DATE_FORMATTER)) +// .build(); +// doc.getElements().add(excat); +// securityBundle.getElements().add(excat); + + // SsvcVulnAssessmentRelationship + SsvcVulnAssessmentRelationship ssvs = doc.createSsvcVulnAssessmentRelationship(prefix + "ssvs") + .setRelationshipType(RelationshipType.HAS_ASSESSMENT_FOR) + .setFrom(vuln) + .addTo(log4j) + .setDecisionType(SsvcDecisionType.ACT) + .setAssessedElement(log4j) + .setSuppliedBy(supplierAgent) + .setPublishedTime(LocalDateTime.of(2023, 9, 18, 0, 0) + .format(SPDX_DATE_FORMATTER)) + .build(); + doc.getElements().add(ssvs); + securityBundle.getElements().add(ssvs); + // VexAffectedVulnAssessmentRelationship + VexAffectedVulnAssessmentRelationship vexAffected = doc.createVexAffectedVulnAssessmentRelationship(prefix + "vexaffected") + .setRelationshipType(RelationshipType.AFFECTS) + .setFrom(vuln) + .addTo(log4j) + .setActionStatement("Upgrade to version 2.20 or later") + .setAssessedElement(log4j) + .setSuppliedBy(supplierAgent) + .setPublishedTime(LocalDateTime.of(2023, 9, 18, 0, 0) + .format(SPDX_DATE_FORMATTER)) + .build(); + doc.getElements().add(vexAffected); + securityBundle.getElements().add(vexAffected); + // VexFixedVulnAssessmentRelationship + VexFixedVulnAssessmentRelationship vexFixed = doc.createVexFixedVulnAssessmentRelationship(prefix + "vexfixed") + .setRelationshipType(RelationshipType.AFFECTS) + .setFrom(vuln) + .addTo(pkg) + .setAssessedElement(log4j) + .setSuppliedBy(supplierAgent) + .setPublishedTime(LocalDateTime.of(2023, 9, 18, 0, 0) + .format(SPDX_DATE_FORMATTER)) + .build(); + doc.getElements().add(vexFixed); + securityBundle.getElements().add(vexFixed); + // VexNotAffectedVulnAssessmentRelationship + VexNotAffectedVulnAssessmentRelationship vexNotAffected = doc.createVexNotAffectedVulnAssessmentRelationship(prefix + "vexnotaffected") + .setRelationshipType(RelationshipType.AFFECTS) + .setFrom(vuln) + .addTo(pkg) + .setJustificationType(VexJustificationType.INLINE_MITIGATIONS_ALREADY_EXIST) + .setImpactStatement("No longer using this vulnerable part of this library.") + .setAssessedElement(log4j) + .setSuppliedBy(supplierAgent) + .setPublishedTime(LocalDateTime.of(2023, 9, 18, 0, 0) + .format(SPDX_DATE_FORMATTER)) + .build(); + doc.getElements().add(vexNotAffected); + securityBundle.getElements().add(vexNotAffected); + // VexUnderInvestigationVulnAssessmentRelationship + VexUnderInvestigationVulnAssessmentRelationship vexUnderInvestigation = doc.createVexUnderInvestigationVulnAssessmentRelationship(prefix + "vexunderinvestigation") + .setRelationshipType(RelationshipType.AFFECTS) + .setFrom(vuln) + .addTo(pkg) + .setAssessedElement(log4j) + .setSuppliedBy(supplierAgent) + .setPublishedTime(LocalDateTime.of(2023, 9, 18, 0, 0) + .format(SPDX_DATE_FORMATTER)) + .build(); + doc.getElements().add(vexUnderInvestigation); + securityBundle.getElements().add(vexUnderInvestigation); + // VexVulnAssessmentRelationship - Abstract + // VulnAssessmentRelationship - Abstract + } + + private void addCoreClasses() throws InvalidSPDXAnalysisException { + // Agent - Abstract, already in creation info + // Annotation + doc.getElements().add(doc.createAnnotation(prefix + "docannotation") + .setStatement("This document is for example purposes only") + .setAnnotationType(AnnotationType.OTHER) + .setSubject(doc) + .build()); + // Artifact - Abstract - used in software package and several others + // Bom - will be used as an AI BOM and software BOM + // Bundle + doc.getElements().add(doc.createBundle(prefix + "bundle") + .setComment("This is just an example of a concrete Bundle class - the elements are not used elsewhere in the SPDX document") + .setContext("Custom Licenses") + .addElement(doc.createCustomLicense(prefix + "LicenseRef-CustomLicense1") + .setLicenseText("This is a custom license text number one.") + .build()) + .addElement(doc.createCustomLicense(prefix + "LicenseRef-CustomLicense2") + .setLicenseText("This is a custom license text number two.") + .build()) + .build()); + // CreationInfo - Already created + // DictionaryEntry - Used in several places including SimpleLicensing + // Element - Abstract + // ElementCollection - Abstract + // ExternalIdentifier - Used in Security profile + // Organization + doc.getCreationInfo().getCreatedBys().add(doc.createOrganization(prefix + "spdxorg") + .setName("System Package Data Exchange (SPDX)") + .build()); + // ExternalMap + String orgLocation = "https://external/organization/spdxdata"; + String orgPrefix = orgLocation + "#"; + String orgUri = orgPrefix + "org"; + ExternalOrganization externalOrg = new ExternalOrganization(doc.getModelStore(), + orgUri, doc.getCopyManager(), + true, orgLocation); + doc.getCreationInfo().getCreatedBys().add(externalOrg); + doc.getSpdxImports().add(doc.createExternalMap(getNextAnonId()) + .setExternalSpdxId(orgUri) + .setLocationHint(orgLocation) + .build()); + // Hash - Used in file + // IndividualElement - Used in software package originated by + // IntegrityMethod - Used in file and package + // LifecycleScopedRelationship + // NamespaceMap - Used in doc already + // PackageVerificationCode - Going to ignore - deprecated + // Person - Used in creation info + // PositiveIntegerRange - Used in snippets + // Relationship - Used in software + // SoftwareAgent + doc.getCreationInfo().getCreatedBys().add(doc.createSoftwareAgent(prefix + "softwareagent") + .setName("SPDX Spec Github CI") + .build()); + // SpdxDocument - already used + // ExternalRef + // Tool + doc.getCreationInfo().getCreatedUsings().add(doc.createTool(prefix + "creationtool") + .setName("tools-java") + .setComment("Created by the FullSpdxV3Example.java utility in tools-java") + .addExternalRef(doc.createExternalRef(getNextAnonId()) + .setExternalRefType(ExternalRefType.MAVEN_CENTRAL) + .addLocator("org.spdx:tools-java") + .build()) + .build()); + + } + + private void addSoftwareClasses() throws InvalidSPDXAnalysisException { + // Sbom + sBom = doc.createSbom(prefix + "sbom") + .setName("AI SBOM") + .addSbomType(SbomType.ANALYZED) + .addProfileConformance(ProfileIdentifierType.CORE) + .addProfileConformance(ProfileIdentifierType.SOFTWARE) + .addProfileConformance(ProfileIdentifierType.BUILD) + .addProfileConformance(ProfileIdentifierType.SECURITY) + .addProfileConformance(ProfileIdentifierType.EXPANDED_LICENSING) + .build(); + doc.getElements().add(sBom); + doc.getRootElements().add(sBom); + // Package + pkg = doc.createSpdxPackage(prefix + "tools-java") + .setName("tools-java") + .setPrimaryPurpose(SoftwarePurpose.APPLICATION) + .addAdditionalPurpose(SoftwarePurpose.LIBRARY) + .addAttributionText("Maintained by the SPDX Community") + .setBuiltTime(LocalDateTime.of(2025, 10, 15, 9, 10) + .format(SPDX_DATE_FORMATTER)) + // ContentIdentifier + .addContentIdentifier(doc.createContentIdentifier(getNextAnonId()) + .setContentIdentifierType(ContentIdentifierType.GITOID) + .setContentIdentifierValue("23bd470259f55641eb72b0c5d733edac014a4554") + .build()) + .setCopyrightText("Copyright (c) Source Auditor Inc.") + .setDescription("A command-line utility for creating, converting, comparing, and validating SPDX documents across multiple formats.") + .setDownloadLocation("https://github.com/spdx/tools-java/releases/download/v2.0.2/tools-java-2.0.2.zip") + .addExternalIdentifier(doc.createExternalIdentifier(getNextAnonId()) + .setExternalIdentifierType(ExternalIdentifierType.URL_SCHEME) + .setIdentifier("https://github.com/spdx/tools-java") + .setIssuingAuthority("GitHub") + .build()) + .addExternalRef(doc.createExternalRef(getNextAnonId()) + .setExternalRefType(ExternalRefType.MAVEN_CENTRAL) + .addLocator("org.spdx:tools-java:jar:2.0.2") + .build()) + .setPackageUrl("pkg:maven/org.spdx/tools-java@2.0.2") + .setPackageVersion("2.0.2") + .setReleaseTime(LocalDateTime.of(2025, 10, 15, 11, 50) + .format(SPDX_DATE_FORMATTER)) + .setSourceInfo("This package came from the original source - the official SPDX GitHub repo and build process") + .addStandardName("SPDX Version 2.X and SPDX Version 3.0") + .setHomePage("https://github.com/spdx/tools-java") + .addOriginatedBy(new SpdxOrganization()) + .setSuppliedBy(new SpdxOrganization()) + .setSummary("A command-line utility for creating, converting, comparing, and validating SPDX documents across multiple formats.") + .addSupportLevel(SupportType.LIMITED_SUPPORT) + .setValidUntilTime(LocalDateTime.of(2027, 10, 15, 9, 10) + .format(SPDX_DATE_FORMATTER)) + .addVerifiedUsing(doc.createHash(getNextAnonId()) + .setAlgorithm(HashAlgorithm.SHA256) + .setHashValue("c37ce759c3867780d55791a1804101d288fa921e77ed791e6c053fd5d7513d0d") + .build()) + .build(); + doc.getElements().add(pkg); + sBom.getElements().add(pkg); + sBom.getRootElements().add(pkg); + // File + SpdxFile sourceFile = doc.createSpdxFile(prefix + "example-source") + .setPrimaryPurpose(SoftwarePurpose.SOURCE) + .setContentType("text/plain") + .setCopyrightText("Copyright (c) 2025 Source Auditor Inc.") + .setFileKind(FileKindType.FILE) + .setName("./examples/org/spdx/examples/FullSpdxV3Example.java") + .build(); + sBom.getElements().add(sourceFile); + doc.getElements().add(sourceFile); + // Relationships - declared license, concluded license, generated from + doc.getElements().add(doc.createRelationship(prefix + "example-source-to-pkg") + .setRelationshipType(RelationshipType.GENERATES) + .setFrom(sourceFile) + .addTo(pkg) + .setCompleteness(RelationshipCompleteness.INCOMPLETE) + .build()); + AnyLicenseInfo declared = LicenseInfoFactory.parseSPDXLicenseString("Apache-2.0", + doc.getModelStore(), prefix, doc.getCopyManager(), new ArrayList<>()); + AnyLicenseInfo concluded = LicenseInfoFactory.parseSPDXLicenseString("Apache-2.0", + doc.getModelStore(), prefix, doc.getCopyManager(), new ArrayList<>()); + doc.getElements().add(doc.createRelationship(prefix + "source-declared") + .setRelationshipType(RelationshipType.HAS_DECLARED_LICENSE) + .setFrom(sourceFile) + .addTo(declared) + .setCompleteness(RelationshipCompleteness.NO_ASSERTION) + .build()); + doc.getElements().add(doc.createRelationship(prefix + "source-concluded") + .setRelationshipType(RelationshipType.HAS_CONCLUDED_LICENSE) + .setFrom(sourceFile) + .addTo(concluded) + .setCompleteness(RelationshipCompleteness.COMPLETE) + .build()); + doc.getElements().add(doc.createRelationship(prefix + "pkg-declared") + .setRelationshipType(RelationshipType.HAS_DECLARED_LICENSE) + .setFrom(pkg) + .addTo(declared) + .setCompleteness(RelationshipCompleteness.NO_ASSERTION) + .build()); + doc.getElements().add(doc.createRelationship(prefix + "pkg-concluded") + .setRelationshipType(RelationshipType.HAS_CONCLUDED_LICENSE) + .setFrom(pkg) + .addTo(concluded) + .setCompleteness(RelationshipCompleteness.COMPLETE) + .build()); + // Snippet + Snippet snippet = doc.createSnippet(prefix + "snippet") + .addAttributionText("Example code created by Gary O'Neall") + .setDescription("Main method for the FullSpdxV3Example.java") + .setCopyrightText("Copyright (c) 2025 Source Auditor Inc.") + .setByteRange(doc.createPositiveIntegerRange(getNextAnonId()) + .setBeginIntegerRange(43) + .setEndIntegerRange(89) + .build()) + .setLineRange(doc.createPositiveIntegerRange(getNextAnonId()) + .setBeginIntegerRange(1548) + .setEndIntegerRange(3955) + .build()) + .setName("main(String[] args)") + .setSnippetFromFile(sourceFile) + .build(); + doc.getElements().add(snippet); + sBom.getElements().add(snippet); + doc.getElements().add(doc.createRelationship(prefix + "snippet-declared") + .setRelationshipType(RelationshipType.HAS_DECLARED_LICENSE) + .setFrom(snippet) + .addTo(declared) + .setCompleteness(RelationshipCompleteness.COMPLETE) + .build()); + doc.getElements().add(doc.createRelationship(prefix + "snippet-concluded") + .setRelationshipType(RelationshipType.HAS_CONCLUDED_LICENSE) + .setFrom(snippet) + .addTo(concluded) + .setCompleteness(RelationshipCompleteness.COMPLETE) + .build()); + // SoftwareArtifact - Abstract + } + + private void addAIandDataClasses() throws InvalidSPDXAnalysisException { + aiBom = doc.createBom(prefix + "aibom") + .setName("AI SBOM") + .addProfileConformance(ProfileIdentifierType.CORE) + .addProfileConformance(ProfileIdentifierType.SOFTWARE) + .addProfileConformance(ProfileIdentifierType.AI) + .addProfileConformance(ProfileIdentifierType.DATASET) + .build(); + doc.getElements().add(aiBom); + doc.getRootElements().add(aiBom); + // DatasetPackage + DatasetPackage dataset = doc.createDatasetPackage(prefix + "dataset") + .addAnonymizationMethodUsed("Perturbation") + .setConfidentialityLevel(ConfidentialityLevelType.GREEN) + .setDataCollectionProcess("WWW data under open licenses") + .setDataCollectionProcess("Crawler") + .addDataPreprocessing("Anonymization using perturbation of sensitive data") + .setDatasetAvailability(DatasetAvailabilityType.QUERY) + .setDatasetNoise("Includes data input by humans - subject to error") + .setDatasetSize(4000000) + .addDatasetType(DatasetType.TEXT) + .setDatasetUpdateMechanism("Automated crawler") + .setHasSensitivePersonalInformation(PresenceType.NO) + .setIntendedUse("LLM training") + .addKnownBias("Typical human bias representative from the global WWW") + .addSensor(doc.createDictionaryEntry(getNextAnonId()) + .setKey("crawler") + .setValue("webcrawler") + .build()) + .setBuiltTime(LocalDateTime.of(2025, 10, 15, 11, 50) + .format(SPDX_DATE_FORMATTER)) + .addOriginatedBy(doc.createOrganization(prefix + "dataorg") + .setName("Data Corp.") + .build()) + .setReleaseTime(LocalDateTime.of(2025, 10, 22, 8, 50) + .format(SPDX_DATE_FORMATTER)) + .setDownloadLocation("https://com.data-corp.data/mydata") + .setPrimaryPurpose(SoftwarePurpose.DATA) + .build(); + doc.getElements().add(dataset); + aiBom.getElements().add(dataset); + // AIPackage + AIPackage aiPackage = doc.createAIPackage(prefix + "aipackage") + .setAutonomyType(PresenceType.YES) + .addDomain("Automotive") + // EnergyConsumption + .setEnergyConsumption(doc.createEnergyConsumption(getNextAnonId()) + // EnergyConsumptionDescription + .addFinetuningEnergyConsumption(doc.createEnergyConsumptionDescription(getNextAnonId()) + .setEnergyQuantity(150.0) + .setEnergyUnit(EnergyUnitType.KILOWATT_HOUR) + .build()) + .addInferenceEnergyConsumption(doc.createEnergyConsumptionDescription(getNextAnonId()) + .setEnergyQuantity(0.7) + .setEnergyUnit(EnergyUnitType.KILOWATT_HOUR) + .build()) + .addTrainingEnergyConsumption(doc.createEnergyConsumptionDescription(getNextAnonId()) + .setEnergyQuantity(15000.3) + .setEnergyUnit(EnergyUnitType.KILOWATT_HOUR) + .build()) + .build()) + .addHyperparameter(doc.createDictionaryEntry(getNextAnonId()) + .setKey("Hidden layers") + .setValue("14") + .build()) + .setInformationAboutApplication("Used in self driving cars") + .setInformationAboutTraining("Trained from data collected from auto cameras, sensors and WWW") + .setLimitation("Limited by amount of situations encountered from autos used for training") + .addMetric(doc.createDictionaryEntry(getNextAnonId()) + .setKey("Operator Interventions") + .setValue("432") + .build()) + .addMetricDecisionThreshold(doc.createDictionaryEntry(getNextAnonId()) + .setKey("Operator Interventions") + .setValue("100") + .build()) + .addModelDataPreprocessing("1. data cleaning") + .addModelExplainability("Behaviors from the auto driving car when observed from a safety driver") + .setSafetyRiskAssessment(SafetyRiskAssessmentType.SERIOUS) + .addStandardCompliance("UL 4600") + .addTypeOfModel("LLM") + .setUseSensitivePersonalInformation(PresenceType.NO) + .build(); + doc.getElements().add(aiPackage); + aiBom.getElements().add(aiPackage); + Relationship usesData = doc.createRelationship(prefix + "usesdata") + .setRelationshipType(RelationshipType.TRAINED_ON) + .setFrom(dataset) + .addTo(aiPackage) + .setCompleteness(RelationshipCompleteness.INCOMPLETE) + .build(); + } + } + /** * @param args args[0] is the file path for the output serialized file */ @@ -60,9 +784,11 @@ public static void main(String[] args) throws Exception { } SpdxModelFactory.init(); IModelCopyManager copyManager = new ModelCopyManager(); - try (ISerializableModelStore modelStore = new JsonLDStore(new InMemSpdxStore())) { - String prefix = "https://spdx.github.io/spdx-spec/v3.0.1/examples/full-example-eaa46bdcfa20#"; - DefaultModelStore.initialize(modelStore, prefix, copyManager); + try (JsonLDStore modelStore = new JsonLDStore(new InMemSpdxStore())) { + modelStore.setUseExternalListedElements(true); + String defaultDocUri = "https://spdx.github.io/spdx-spec/v3.0.1/examples/full-example-eaa46bdcfa20"; + String prefix = defaultDocUri + "#"; + DefaultModelStore.initialize(modelStore, defaultDocUri, copyManager); CreationInfo creationInfo = SpdxModelClassFactoryV3.createCreationInfo( modelStore, prefix + "garyagent", "Gary O'Neall", copyManager); @@ -80,227 +806,37 @@ public static void main(String[] args) throws Exception { .addProfileConformance(ProfileIdentifierType.SECURITY) .addProfileConformance(ProfileIdentifierType.EXPANDED_LICENSING) .build(); - addCoreClasses(prefix, doc); - Sbom sbom = addSoftwareClasses(prefix, doc); + doc.setIdPrefix(prefix); + ExampleBuilder builder = new ExampleBuilder(prefix, doc); + builder.build(); + + List warnings = doc.verify(); try (OutputStream outStream = new FileOutputStream(outFile)) { modelStore.serialize(outStream); } + JsonSchemaFactory jsonSchemaFactory = JsonSchemaFactory.getInstance(SpecVersion.VersionFlag.V202012); + JsonSchema schema; + try (InputStream is = Verify.class.getResourceAsStream("/" + JSON_SCHEMA_RESOURCE_V3)) { + schema = jsonSchemaFactory.getSchema(is); + } + JsonNode root; + try (InputStream is = new FileInputStream(outFile)) { + root = JSON_MAPPER.readTree(is); + } + Set messages = schema.validate(root); + for (ValidationMessage msg:messages) { + warnings.add(msg.toString()); + } + if (!warnings.isEmpty()) { + System.out.println("Generated document contains the following warnings:"); + for (String warning:warnings) { + System.out.print("\t"); + System.out.println(warning); + } + } } } - private static void addCoreClasses(String prefix, SpdxDocument doc) throws InvalidSPDXAnalysisException { - // Agent - Abstract, already in creation info - // Annotation - doc.getElements().add(doc.createAnnotation(prefix + "docannotation") - .setStatement("This document is for example purposes only") - .setAnnotationType(AnnotationType.OTHER) - .setSubject(doc) - .build()); - // Artifact - Abstract - used in software package and several others - // Bom - will be used as an AI BOM and software BOM - // Bundle - doc.getElements().add(doc.createBundle(prefix + "bundle") - .setComment("This is just an example of a concrete Bundle class - the elements are not used elsewhere in the SPDX document") - .setContext("Custom Licenses") - .addElement(doc.createCustomLicense(prefix + "LicenseRef-CustomLicense1") - .setLicenseText("This is a custom license text number one.") - .build()) - .addElement(doc.createCustomLicense(prefix + "LicenseRef-CustomLicense2") - .setLicenseText("This is a custom license text number two.") - .build()) - .build()); - // CreationInfo - Already created - // DictionaryEntry - TODO: Change to make sure it has been created - // Element - Abstract - // ElementCollection - Abstract - // ExternalIdentifier - TODO: Change to make sure it has been created - // Organization - doc.getCreationInfo().getCreatedBys().add(doc.createOrganization(prefix + "spdxorg") - .setName("System Package Data Exchange (SPDX)") - .build()); - // ExternalMap - String orgLocation = "https://external/organization/spdxdata"; - String orgPrefix = orgLocation + "#"; - String orgUri = orgPrefix + "org"; - ExternalOrganization externalOrg = new ExternalOrganization(doc.getModelStore(), - orgUri, doc.getCopyManager(), - true, orgLocation); - doc.getCreationInfo().getCreatedBys().add(externalOrg); - doc.getSpdxImports().add(doc.createExternalMap(doc.getModelStore().getNextId(IModelStore.IdType.Anonymous)) - .setExternalSpdxId(orgUri) - .setLocationHint(orgLocation) - .build()); - // Hash - Used in file - // IndividualElement - Used in software package originated by - // IntegrityMethod - Used in file and package - // LifecycleScopedRelationship - TODO: Change to make sure it has been created - // NamespaceMap - Used in doc already - // PackageVerificationCode - Going to ignore - deprecated - // Person - Used in creation info - // PositiveIntegerRange - TODO: Change to make sure it has been created - // Relationship - Used in software - // SoftwareAgent - doc.getCreationInfo().getCreatedBys().add(doc.createSoftwareAgent(prefix + "softwareagent") - .setName("SPDX Spec Github CI") - .build()); - // SpdxDocument - already used - // ExternalRef - // Tool - doc.getCreationInfo().getCreatedUsings().add(doc.createTool(prefix + "creationtool") - .setName("tools-java") - .setComment("Created by the FullSpdxV3Example.java utility in tools-java") - .addExternalRef(doc.createExternalRef(doc.getModelStore().getNextId(IModelStore.IdType.Anonymous)) - .setExternalRefType(ExternalRefType.MAVEN_CENTRAL) - .addLocator("org.spdx:tools-java") - .build()) - .build()); - - } - - private static Sbom addSoftwareClasses(String prefix, SpdxDocument doc) throws InvalidSPDXAnalysisException { - // Sbom - Sbom sbom = doc.createSbom(prefix + "aibom") - .setName("AI SBOM") - .addSbomType(SbomType.ANALYZED) - .addProfileConformance(ProfileIdentifierType.CORE) - .addProfileConformance(ProfileIdentifierType.SOFTWARE) - .addProfileConformance(ProfileIdentifierType.BUILD) - .addProfileConformance(ProfileIdentifierType.SECURITY) - .addProfileConformance(ProfileIdentifierType.EXPANDED_LICENSING) - .build(); - doc.getElements().add(sbom); - doc.getRootElements().add(sbom); - // Package - SpdxPackage pkg = doc.createSpdxPackage(prefix + "tools-java") - .setName("tools-java") - .setPrimaryPurpose(SoftwarePurpose.APPLICATION) - .addAdditionalPurpose(SoftwarePurpose.LIBRARY) - .addAttributionText("Maintained by the SPDX Community") - .setBuiltTime(LocalDateTime.of(2025, 10, 15, 9, 10) - .format(SPDX_DATE_FORMATTER)) - // ContentIdentifier - .addContentIdentifier(doc.createContentIdentifier(doc.getModelStore().getNextId(IModelStore.IdType.Anonymous)) - .setContentIdentifierType(ContentIdentifierType.GITOID) - .setContentIdentifierValue("23bd470259f55641eb72b0c5d733edac014a4554") - .build()) - .setCopyrightText("Copyright (c) Source Auditor Inc.") - .setDescription("A command-line utility for creating, converting, comparing, and validating SPDX documents across multiple formats.") - .setDownloadLocation("https://github.com/spdx/tools-java/releases/download/v2.0.2/tools-java-2.0.2.zip") - .addExternalIdentifier(doc.createExternalIdentifier(doc.getModelStore().getNextId(IModelStore.IdType.Anonymous)) - .setExternalIdentifierType(ExternalIdentifierType.URL_SCHEME) - .setIdentifier("https://github.com/spdx/tools-java") - .setIssuingAuthority("GitHub") - .build()) - .addExternalRef(doc.createExternalRef(doc.getModelStore().getNextId(IModelStore.IdType.Anonymous)) - .setExternalRefType(ExternalRefType.MAVEN_CENTRAL) - .addLocator("org.spdx:tools-java:jar:2.0.2") - .build()) - .setPackageUrl("pkg:maven/org.spdx/tools-java@2.0.2") - .setPackageVersion("2.0.2") - .setReleaseTime(LocalDateTime.of(2025, 10, 15, 11, 50) - .format(SPDX_DATE_FORMATTER)) - .setSourceInfo("This package came from the original source - the official SPDX GitHub repo and build process") - .addStandardName("SPDX Version 2.X and SPDX Version 3.0") - .setHomePage("https://github.com/spdx/tools-java") - .addOriginatedBy(new SpdxOrganization()) - .setSuppliedBy(new SpdxOrganization()) - .setSummary("A command-line utility for creating, converting, comparing, and validating SPDX documents across multiple formats.") - .addSupportLevel(SupportType.LIMITED_SUPPORT) - .setValidUntilTime(LocalDateTime.of(2027, 10, 15, 9, 10) - .format(SPDX_DATE_FORMATTER)) - .addVerifiedUsing(doc.createHash(doc.getModelStore().getNextId(IModelStore.IdType.Anonymous)) - .setAlgorithm(HashAlgorithm.SHA256) - .setHashValue("c37ce759c3867780d55791a1804101d288fa921e77ed791e6c053fd5d7513d0d") - .build()) - .build(); - doc.getElements().add(pkg); - sbom.getElements().add(pkg); - sbom.getRootElements().add(pkg); - // File - SpdxFile sourceFile = doc.createSpdxFile(prefix + "example-source") - .setPrimaryPurpose(SoftwarePurpose.SOURCE) - .setContentType("text/plain") - .setCopyrightText("Copyright (c) 2025 Source Auditor Inc.") - .setFileKind(FileKindType.FILE) - .setName("./examples/org/spdx/examples/FullSpdxV3Example.java") - .build(); - sbom.getElements().add(sourceFile); - doc.getElements().add(sourceFile); - // Relationships - declared license, concluded license, generated from - doc.getElements().add(doc.createRelationship(prefix + "example-source-to-pkg") - .setRelationshipType(RelationshipType.GENERATES) - .setFrom(sourceFile) - .addTo(pkg) - .build()); - AnyLicenseInfo declared = LicenseInfoFactory.parseSPDXLicenseString("Apache-2.0", - doc.getModelStore(), prefix, doc.getCopyManager(), new ArrayList<>()); - AnyLicenseInfo concluded = LicenseInfoFactory.parseSPDXLicenseString("Apache-2.0", - doc.getModelStore(), prefix, doc.getCopyManager(), new ArrayList<>()); - doc.getElements().add(doc.createRelationship(prefix + "source-declared") - .setRelationshipType(RelationshipType.HAS_DECLARED_LICENSE) - .setFrom(sourceFile) - .addTo(declared) - .build()); - doc.getElements().add(doc.createRelationship(prefix + "source-concluded") - .setRelationshipType(RelationshipType.HAS_CONCLUDED_LICENSE) - .setFrom(sourceFile) - .addTo(concluded) - .build()); - doc.getElements().add(doc.createRelationship(prefix + "pkg-declared") - .setRelationshipType(RelationshipType.HAS_DECLARED_LICENSE) - .setFrom(pkg) - .addTo(declared) - .build()); - doc.getElements().add(doc.createRelationship(prefix + "pkg-concluded") - .setRelationshipType(RelationshipType.HAS_CONCLUDED_LICENSE) - .setFrom(pkg) - .addTo(concluded) - .build()); - // Snippet - Snippet snippet = doc.createSnippet(prefix + "snippet") - .addAttributionText("Example code created by Gary O'Neall") - .setDescription("Main method for the FullSpdxV3Example.java") - .setCopyrightText("Copyright (c) 2025 Source Auditor Inc.") - .setByteRange(doc.createPositiveIntegerRange(doc.getModelStore().getNextId(IModelStore.IdType.Anonymous)) - .setBeginIntegerRange(43) - .setEndIntegerRange(89) - .build()) - .setLineRange(doc.createPositiveIntegerRange(doc.getModelStore().getNextId(IModelStore.IdType.Anonymous)) - .setBeginIntegerRange(1548) - .setEndIntegerRange(3955) - .build()) - .setName("main(String[] args)") - .setSnippetFromFile(sourceFile) - .build(); - doc.getElements().add(snippet); - sbom.getElements().add(snippet); - doc.getElements().add(doc.createRelationship(prefix + "snippet-declared") - .setRelationshipType(RelationshipType.HAS_DECLARED_LICENSE) - .setFrom(snippet) - .addTo(declared) - .build()); - doc.getElements().add(doc.createRelationship(prefix + "snippet-concluded") - .setRelationshipType(RelationshipType.HAS_CONCLUDED_LICENSE) - .setFrom(snippet) - .addTo(concluded) - .build()); - // SoftwareArtifact - Abstract - return sbom; - } - - - private static void addAIandDataClasses(String prefix, SpdxDocument doc) throws InvalidSPDXAnalysisException { - Bom aiBom = doc.createBom(prefix + "aibom") - .setName("AI SBOM") - .addProfileConformance(ProfileIdentifierType.CORE) - .addProfileConformance(ProfileIdentifierType.SOFTWARE) - .addProfileConformance(ProfileIdentifierType.AI) - .addProfileConformance(ProfileIdentifierType.DATASET) - .build(); - doc.getElements().add(aiBom); - doc.getRootElements().add(aiBom); - } - private static void usage() { System.out.println("Generates an SPDX JSON-LD file containing all of the supported classes."); System.out.println("Usage: FullSpdxV3Example outputfile"); diff --git a/examples/org/spdx/examples/SpdxExtensionExample.java b/examples/org/spdx/examples/SpdxExtensionExample.java new file mode 100644 index 0000000..135a80e --- /dev/null +++ b/examples/org/spdx/examples/SpdxExtensionExample.java @@ -0,0 +1,28 @@ +package org.spdx.examples; + +import org.spdx.core.IModelCopyManager; +import org.spdx.core.InvalidSPDXAnalysisException; +import org.spdx.library.model.v3_0_1.extension.Extension; +import org.spdx.storage.IModelStore; +import org.spdx.storage.PropertyDescriptor; + +import javax.annotation.Nullable; +import java.util.Optional; + +public class SpdxExtensionExample extends Extension { + + static final PropertyDescriptor EXTENSION_PROPERTY_DESCRIPTOR = new PropertyDescriptor("extensionProp", "https://my/extension/namespace/"); + + public SpdxExtensionExample(IModelStore modelStore, String objectUri, @Nullable IModelCopyManager copyManager, boolean create, String idPrefix) throws InvalidSPDXAnalysisException { + super(modelStore, objectUri, copyManager, create, idPrefix); + } + + public SpdxExtensionExample setExtensionProperty(String value) throws InvalidSPDXAnalysisException { + setPropertyValue(EXTENSION_PROPERTY_DESCRIPTOR, value); + return this; + } + + public Optional getExtensionProperty() throws InvalidSPDXAnalysisException { + return getStringPropertyValue(EXTENSION_PROPERTY_DESCRIPTOR); + } +} diff --git a/src/main/java/org/spdx/tools/Verify.java b/src/main/java/org/spdx/tools/Verify.java index d4d050d..10a91ca 100644 --- a/src/main/java/org/spdx/tools/Verify.java +++ b/src/main/java/org/spdx/tools/Verify.java @@ -54,9 +54,9 @@ public class Verify { static final int MIN_ARGS = 1; static final int MAX_ARGS = 2; static final int ERROR_STATUS = 1; - private static final String JSON_SCHEMA_RESOURCE_V2_3 = "resources/spdx-schema-v2.3.json"; - private static final String JSON_SCHEMA_RESOURCE_V2_2 = "resources/spdx-schema-v2.2.json"; - private static final String JSON_SCHEMA_RESOURCE_V3 = "resources/spdx-schema-v3.0.1.json"; + public static final String JSON_SCHEMA_RESOURCE_V2_3 = "resources/spdx-schema-v2.3.json"; + public static final String JSON_SCHEMA_RESOURCE_V2_2 = "resources/spdx-schema-v2.2.json"; + public static final String JSON_SCHEMA_RESOURCE_V3 = "resources/spdx-schema-v3.0.1.json"; static final ObjectMapper JSON_MAPPER = new ObjectMapper().enable(SerializationFeature.INDENT_OUTPUT); From 5d1ce1f12e5481bd4d28749cdfa14f102dae59f0 Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Mon, 27 Oct 2025 12:13:13 -0700 Subject: [PATCH 26/61] Update com.networknt:json-schema-validator from 1.5.9 to 2.0.0 Includes updates for breaking changes to the API --- pom.xml | 2 +- src/main/java/org/spdx/tools/Verify.java | 19 ++++++++++--------- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/pom.xml b/pom.xml index a47a2b1..7c55138 100644 --- a/pom.xml +++ b/pom.xml @@ -148,7 +148,7 @@ com.networknt json-schema-validator - 1.5.9 + 2.0.0 org.slf4j diff --git a/src/main/java/org/spdx/tools/Verify.java b/src/main/java/org/spdx/tools/Verify.java index 10a91ca..b19d119 100644 --- a/src/main/java/org/spdx/tools/Verify.java +++ b/src/main/java/org/spdx/tools/Verify.java @@ -40,10 +40,10 @@ import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.SerializationFeature; -import com.networknt.schema.JsonSchema; -import com.networknt.schema.JsonSchemaFactory; -import com.networknt.schema.SpecVersion.VersionFlag; -import com.networknt.schema.ValidationMessage; +import com.networknt.schema.Schema; +import com.networknt.schema.SchemaRegistry; +import com.networknt.schema.SpecificationVersion; +import com.networknt.schema.Error; /** * Verifies an SPDX document and lists any verification errors @@ -172,17 +172,18 @@ public static List verify(String filePath, SerFileType fileType) throws } else { jsonSchemaResource = JSON_SCHEMA_RESOURCE_V3; } - JsonSchemaFactory jsonSchemaFactory = JsonSchemaFactory.getInstance(VersionFlag.V202012); - JsonSchema schema; + SchemaRegistry schemaRegistry = + SchemaRegistry.withDefaultDialect(SpecificationVersion.DRAFT_2020_12); + Schema schema; try (InputStream is = Verify.class.getResourceAsStream("/" + jsonSchemaResource)) { - schema = jsonSchemaFactory.getSchema(is); + schema = schemaRegistry.getSchema(is); } JsonNode root; try (InputStream is = new FileInputStream(file)) { root = JSON_MAPPER.readTree(is); } - Set messages = schema.validate(root); - for (ValidationMessage msg:messages) { + List messages = schema.validate(root); + for (Error msg:messages) { retval.add(msg.toString()); } } catch (IOException e) { From 63ebf7d7e8e6d447de6c1defb6a4ef57aedf9f97 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Sun, 2 Nov 2025 23:34:26 +0000 Subject: [PATCH 27/61] README: Update link of SPDX Online Tools - Updated label of link to SPDX Online Tools - Updated SPDX Tools version references from 2.0.1 to 2.0.2 in examples Signed-off-by: Arthit Suriyawongkul --- README.md | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 2037d3b..e1258bf 100644 --- a/README.md +++ b/README.md @@ -54,18 +54,18 @@ The following converter tools support SPDX format: Example to convert a SPDX file from Tag to RDF format: - java -jar tools-java-2.0.1-jar-with-dependencies.jar Convert ../testResources/SPDXTagExample-v2.2.spdx TagToRDF.rdf + java -jar tools-java-2.0.2-jar-with-dependencies.jar Convert ../testResources/SPDXTagExample-v2.2.spdx TagToRDF.rdf The file formats can optionally be provided as the 3rd and 4th parameter for the input and output formats respectively. An optional 5th option `excludeLicenseDetails` will not copy the listed license properties to the output file. The following example will copy a JSON format to an RDF Turtle format without including the listed license properties: - java -jar tools-java-2.0.1-jar-with-dependencies.jar Convert ../testResources/SPDXTagExample-v2.2.spdx TagToRDF.ttl TAG RDFTTL excludeLicenseDetails + java -jar tools-java-2.0.2-jar-with-dependencies.jar Convert ../testResources/SPDXTagExample-v2.2.spdx TagToRDF.ttl TAG RDFTTL excludeLicenseDetails To convert from SPDX 2 to SPDX 3.0.1: * use the file extension `.jsonld.json` or `.jsonld`; * or add the options for the from and to file types: - java -jar tools-java-2.0.1-jar-with-dependencies.jar Convert hello.spdx hello.spdx.json TAG JSONLD + java -jar tools-java-2.0.2-jar-with-dependencies.jar Convert hello.spdx hello.spdx.json TAG JSONLD ## Compare utilities @@ -75,13 +75,13 @@ The following tools can be used to compare one or more SPDX documents: Example to compare multiple SPDX files provided in RDF format and provide a spreadsheet with the results: - java -jar tools-java-2.0.1-jar-with-dependencies.jar CompareDocs output.xlsx doc1 doc2 ... docN + java -jar tools-java-2.0.2-jar-with-dependencies.jar CompareDocs output.xlsx doc1 doc2 ... docN * CompareMultipleSpdxDocs with directory Example to compare all SPDX documents in a directory "/home/me/spdxdocs" and provide a spreadsheet with the results: - java -jar tools-java-2.0.1-jar-with-dependencies.jar CompareDocs output.xlsx /home/me/spdxdocs + java -jar tools-java-2.0.2-jar-with-dependencies.jar CompareDocs output.xlsx /home/me/spdxdocs ## SPDX Viewer @@ -91,7 +91,7 @@ The following tool can be used to "Pretty Print" an SPDX document. Sample usage: - java -jar tools-java-2.0.1-jar-with-dependencies.jar SPDXViewer ../testResources/SPDXRdfExample-v2.2.spdx.rdf + java -jar tools-java-2.0.2-jar-with-dependencies.jar SPDXViewer ../testResources/SPDXRdfExample-v2.2.spdx.rdf ## Verifier @@ -101,7 +101,7 @@ The following tool can be used to verify an SPDX document: Sample usage: - java -jar tools-java-2.0.1-jar-with-dependencies.jar Verify ../testResources/SPDXRdfExample-v2.2.spdx.rdf + java -jar tools-java-2.0.2-jar-with-dependencies.jar Verify ../testResources/SPDXRdfExample-v2.2.spdx.rdf ## Generators @@ -111,11 +111,13 @@ The following tool can be used to generate an SPDX verification code from a dire Sample usage: - java -jar tools-java-2.0.1-jar-with-dependencies.jar GenerateVerificationCode sourceDirectory [ignoredFilesRegex] + java -jar tools-java-2.0.2-jar-with-dependencies.jar GenerateVerificationCode sourceDirectory [ignoredFilesRegex] ## SPDX Validation Tool -The SPDX Workgroup provides an online interface to validate, compare, and convert SPDX documents in addition to the command line options above. The [SPDX Validation Tool](https://tools.spdx.org/app/validate/) is an all-in-one portal to upload and parse SPDX documents for validation, comparison and conversion and search the SPDX license list. +The SPDX Workgroup provides an online interface to validate, compare, and convert SPDX documents in addition to the command line options above. + +The [SPDX Online Tools](https://tools.spdx.org/) is an all-in-one portal to upload and parse SPDX documents for validation, comparison and conversion and search the SPDX license list. ## License From 5be9011b2245d0eae332129f5487e30e2ef53841 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 3 Nov 2025 16:22:45 +0000 Subject: [PATCH 28/61] Bump org.apache.ws.xmlschema:xmlschema-core from 2.3.1 to 2.3.2 Bumps org.apache.ws.xmlschema:xmlschema-core from 2.3.1 to 2.3.2. --- updated-dependencies: - dependency-name: org.apache.ws.xmlschema:xmlschema-core dependency-version: 2.3.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 7c55138..be74737 100644 --- a/pom.xml +++ b/pom.xml @@ -107,7 +107,7 @@ org.apache.ws.xmlschema xmlschema-core - 2.3.1 + 2.3.2 junit From 4633af2817fb088de7aba3b0393745b28e583dd3 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Mon, 3 Nov 2025 19:25:35 +0000 Subject: [PATCH 29/61] Fix deprecated isLicenseCommmentsEquals (3 m) -> isLicenseCommentsEquals (2 m) Signed-off-by: Arthit Suriyawongkul --- src/main/java/org/spdx/tools/Verify.java | 1 - src/main/java/org/spdx/tools/compare/PackageSheet.java | 2 +- src/main/java/org/spdx/tools/compare/SnippetSheet.java | 2 +- testResources/sourcefiles/PackageSheet.java | 2 +- testResources/sourcefiles/SnippetSheet.java | 2 +- 5 files changed, 4 insertions(+), 5 deletions(-) diff --git a/src/main/java/org/spdx/tools/Verify.java b/src/main/java/org/spdx/tools/Verify.java index b19d119..80b4f75 100644 --- a/src/main/java/org/spdx/tools/Verify.java +++ b/src/main/java/org/spdx/tools/Verify.java @@ -26,7 +26,6 @@ import java.util.ArrayList; import java.util.List; import java.util.Objects; -import java.util.Set; import com.fasterxml.jackson.core.JsonParseException; diff --git a/src/main/java/org/spdx/tools/compare/PackageSheet.java b/src/main/java/org/spdx/tools/compare/PackageSheet.java index 67a6159..f0c5c5e 100644 --- a/src/main/java/org/spdx/tools/compare/PackageSheet.java +++ b/src/main/java/org/spdx/tools/compare/PackageSheet.java @@ -296,7 +296,7 @@ private void addPackageToSheet(SpdxPackageComparer comparer, } Row licenseCommentRow = this.addRow(); licenseCommentRow.createCell(FIELD_COL).setCellValue(LICENSE_COMMENT_FIELD_TEXT); - if (comparer.isLicenseCommmentsEquals()) { + if (comparer.isLicenseCommentsEquals()) { setCellEqualValue(licenseCommentRow.createCell(EQUALS_COL), allDocsPresent); } else { setCellDifferentValue(licenseCommentRow.createCell(EQUALS_COL)); diff --git a/src/main/java/org/spdx/tools/compare/SnippetSheet.java b/src/main/java/org/spdx/tools/compare/SnippetSheet.java index 6f50d6c..d7ea26d 100644 --- a/src/main/java/org/spdx/tools/compare/SnippetSheet.java +++ b/src/main/java/org/spdx/tools/compare/SnippetSheet.java @@ -196,7 +196,7 @@ private void addSnippetToSheet(SpdxSnippetComparer comparer, } Row licenseCommentRow = this.addRow(); licenseCommentRow.createCell(FIELD_COL).setCellValue(LICENSE_COMMENT_FIELD_TEXT); - if (comparer.isLicenseCommmentsEquals()) { + if (comparer.isLicenseCommentsEquals()) { setCellEqualValue(licenseCommentRow.createCell(EQUALS_COL), allDocsPresent); } else { setCellDifferentValue(licenseCommentRow.createCell(EQUALS_COL)); diff --git a/testResources/sourcefiles/PackageSheet.java b/testResources/sourcefiles/PackageSheet.java index c99e9f8..fddb1f0 100644 --- a/testResources/sourcefiles/PackageSheet.java +++ b/testResources/sourcefiles/PackageSheet.java @@ -294,7 +294,7 @@ private void addPackageToSheet(SpdxPackageComparer comparer, } Row licenseCommentRow = this.addRow(); licenseCommentRow.createCell(FIELD_COL).setCellValue(LICENSE_COMMENT_FIELD_TEXT); - if (comparer.isLicenseCommmentsEquals()) { + if (comparer.isLicenseCommentsEquals()) { setCellEqualValue(licenseCommentRow.createCell(EQUALS_COL), allDocsPresent); } else { setCellDifferentValue(licenseCommentRow.createCell(EQUALS_COL)); diff --git a/testResources/sourcefiles/SnippetSheet.java b/testResources/sourcefiles/SnippetSheet.java index e9a0c45..ebf81c6 100644 --- a/testResources/sourcefiles/SnippetSheet.java +++ b/testResources/sourcefiles/SnippetSheet.java @@ -196,7 +196,7 @@ private void addSnippetToSheet(SpdxSnippetComparer comparer, } Row licenseCommentRow = this.addRow(); licenseCommentRow.createCell(FIELD_COL).setCellValue(LICENSE_COMMENT_FIELD_TEXT); - if (comparer.isLicenseCommmentsEquals()) { + if (comparer.isLicenseCommentsEquals()) { setCellEqualValue(licenseCommentRow.createCell(EQUALS_COL), allDocsPresent); } else { setCellDifferentValue(licenseCommentRow.createCell(EQUALS_COL)); From e6ffecf0c97d0681cfbd1726e9fb083adc31d0b3 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Mon, 3 Nov 2025 19:35:13 +0000 Subject: [PATCH 30/61] Add javadoc for SpdxToolsHelper Signed-off-by: Arthit Suriyawongkul --- .../java/org/spdx/tools/SpdxToolsHelper.java | 33 ++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/src/main/java/org/spdx/tools/SpdxToolsHelper.java b/src/main/java/org/spdx/tools/SpdxToolsHelper.java index b7127d3..dfa9402 100644 --- a/src/main/java/org/spdx/tools/SpdxToolsHelper.java +++ b/src/main/java/org/spdx/tools/SpdxToolsHelper.java @@ -58,6 +58,9 @@ */ public class SpdxToolsHelper { + /** + * Supported serialization file types + */ public enum SerFileType { JSON, RDFXML, XML, XLS, XLSX, YAML, TAG, RDFTTL, JSONLD } @@ -84,6 +87,9 @@ public enum SerFileType { } /** + * Determine the appropriate in memory based model store which supports + * serialization for the fileType + * * @param fileType * file type for the store * @return the appropriate in memory based model store which supports @@ -129,6 +135,8 @@ public static ISerializableModelStore fileTypeToStore(SerFileType fileType) } /** + * Determine the file type based on the file name and extension + * * @param file * @return the file type based on the file name and file extension * @throws InvalidFileNameException @@ -188,6 +196,8 @@ public static SerFileType fileToFileType(File file) } /** + * Determine the file type based on the file extension or string + * * @param str * @return the file type based on the file extension or string */ @@ -197,6 +207,9 @@ public static SerFileType strToFileType(String str) { } /** + * Deserializes an SPDX document from a file, + * compatible with SPDX version 2 + * * @param file * file containing an SPDX document with the standard file * extension for the serialization formats @@ -215,6 +228,9 @@ public static SpdxDocument deserializeDocumentCompatV2(File file) return readDocumentFromFileCompatV2(store, file); } /** + * Deserializes an SPDX document from a file, + * compatible with SPDX version 2 + * * @param file * file containing an SPDX document in one of the supported * SerFileTypes @@ -235,6 +251,8 @@ public static SpdxDocument deserializeDocumentCompatV2(File file, } /** + * Deserializes an SPDX document from a file + * * @param file * file containing an SPDX document with the standard file * extension for the serialization formats @@ -253,6 +271,8 @@ public static org.spdx.library.model.v3_0_1.core.SpdxDocument deserializeDocumen return readDocumentFromFileV3(store, file); } /** + * Deserializes an SPDX document from a file + * * @param file * file containing an SPDX document in one of the supported * SerFileTypes @@ -308,6 +328,8 @@ public static void deserializeFile(ISerializableModelStore store, File file) thr } /** + * Is the store supporting SPDX version 3 + * * @param store model store * @return true of the model store support SPDX spec version 3 */ @@ -316,6 +338,8 @@ public static boolean supportsV3(ISerializableModelStore store) { } /** + * Is the store supporting SPDX version 2 + * * @param store model store * @return true of the model store support SPDX spec version 2 */ @@ -358,7 +382,9 @@ public static CoreModelObject readDocumentFromFile(ISerializableModelStore store } /** - * Reads an SPDX Document from a file + * Reads an SPDX Document from a file, + * compatible with SPDX version 2 + * * @param store Store where the document is to be stored * @param file File to read the store from * @return SPDX Document from the store @@ -375,6 +401,8 @@ public static SpdxDocument readDocumentFromFileCompatV2(ISerializableModelStore } /** + * Gets an SPDX document from the model store + * * @param store model store * @return returns a document if a single document is found in the model store * @throws InvalidSPDXAnalysisException @@ -395,6 +423,9 @@ public static org.spdx.library.model.v3_0_1.core.SpdxDocument getDocFromStore(IS } /** + * Gets an SPDX document from the model store, + * compatible with SPDX version 2 + * * @param store model store * @return returns a document if a single document is found in the model store * @throws InvalidSPDXAnalysisException From 9de3ae23b079a369da46a4c25ad542cf90a8c409 Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Thu, 6 Nov 2025 17:26:26 -0800 Subject: [PATCH 31/61] Fix full SPDX example Various fixes including removing duplicate SPDX IDs Added ExpandedLicensingExample Signed-off-by: Gary O'Neall --- .../examples/ExpandedLicenseExampleV3.java | 180 ++++++++++++++++++ .../org/spdx/examples/FullSpdxV3Example.java | 108 ++++++----- .../spdx/examples/SpdxExtensionExample.java | 9 + 3 files changed, 251 insertions(+), 46 deletions(-) create mode 100644 examples/org/spdx/examples/ExpandedLicenseExampleV3.java diff --git a/examples/org/spdx/examples/ExpandedLicenseExampleV3.java b/examples/org/spdx/examples/ExpandedLicenseExampleV3.java new file mode 100644 index 0000000..573bdde --- /dev/null +++ b/examples/org/spdx/examples/ExpandedLicenseExampleV3.java @@ -0,0 +1,180 @@ +package org.spdx.examples; + +import com.fasterxml.jackson.databind.JsonNode; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.fasterxml.jackson.databind.SerializationFeature; +import com.networknt.schema.Error; +import com.networknt.schema.Schema; +import com.networknt.schema.SchemaRegistry; +import com.networknt.schema.SpecificationVersion; +import org.spdx.core.DefaultModelStore; +import org.spdx.core.IModelCopyManager; +import org.spdx.library.LicenseInfoFactory; +import org.spdx.library.ModelCopyManager; +import org.spdx.library.SpdxModelFactory; +import org.spdx.library.model.v3_0_1.SpdxModelClassFactoryV3; +import org.spdx.library.model.v3_0_1.core.CreationInfo; +import org.spdx.library.model.v3_0_1.core.Element; +import org.spdx.library.model.v3_0_1.core.ProfileIdentifierType; +import org.spdx.library.model.v3_0_1.core.SpdxDocument; +import org.spdx.library.model.v3_0_1.expandedlicensing.ExtendableLicense; +import org.spdx.library.model.v3_0_1.simplelicensing.AnyLicenseInfo; +import org.spdx.storage.IModelStore; +import org.spdx.storage.simple.InMemSpdxStore; +import org.spdx.tools.Verify; +import org.spdx.v3jsonldstore.JsonLDStore; + +import java.io.*; +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; + +import static org.spdx.tools.Verify.JSON_SCHEMA_RESOURCE_V3; + +/** + * Simple example serializing a single expanded license + */ +public class ExpandedLicenseExampleV3 { + + static final ObjectMapper JSON_MAPPER = new ObjectMapper().enable(SerializationFeature.INDENT_OUTPUT); + + /** + * @param args args[0] is the file path for the output serialized file + */ + public static void main(String[] args) throws Exception { + if (args.length != 1) { + usage(); + System.exit(1); + } + File outFile = new File(args[0]); + if (outFile.exists()) { + System.out.printf("%s already exists.\n", args[0]); + System.exit(1); + } + if (!outFile.createNewFile()) { + System.out.printf("Unable to create file %s\n", args[0]); + System.exit(1); + } + if (!outFile.canWrite()) { + System.out.printf("Can not write to file %s\n", args[0]); + System.exit(1); + } + SpdxModelFactory.init(); + IModelCopyManager copyManager = new ModelCopyManager(); + try (JsonLDStore modelStore = new JsonLDStore(new InMemSpdxStore())) { + modelStore.setUseExternalListedElements(true); // setting this to false will include all the listed license details in the document + String defaultDocUri = "https://spdx.github.io/spdx-spec/v3.0.1/examples/complex-license-eaa46bdcfa20"; + String prefix = defaultDocUri + "#"; + DefaultModelStore.initialize(modelStore, defaultDocUri, copyManager); + CreationInfo creationInfo = SpdxModelClassFactoryV3.createCreationInfo( + modelStore, prefix + "garyagent", "Gary O'Neall", + copyManager); + SpdxDocument doc = creationInfo.createSpdxDocument(prefix + "document") + .setDataLicense(LicenseInfoFactory.getListedLicenseById("CC0")) + .addNamespaceMap(creationInfo.createNamespaceMap(modelStore.getNextId(IModelStore.IdType.Anonymous)) + .setNamespace(prefix) + .setPrefix("example") + .build()) + .addProfileConformance(ProfileIdentifierType.CORE) + .addProfileConformance(ProfileIdentifierType.SOFTWARE) + .addProfileConformance(ProfileIdentifierType.EXPANDED_LICENSING) + .build(); + doc.setIdPrefix(prefix); + AnyLicenseInfo complexLicense = doc.createConjunctiveLicenseSet(prefix + "complexlicense") + // CustomLicense + .addMember(doc.createCustomLicense(prefix + "LicenseRef-customlicense1") + .setLicenseText("This is the license text for my custom license") + .setName("Gary's Custom License") + .addSeeAlso("https://example.com") + .build()) + // OrLaterOperator + .addMember(doc.createOrLaterOperator(prefix + "complexorlater") + // ListedLicense + .setSubjectLicense(doc.createListedLicense("http://spdx.org/licenses/EPL-1.0") + .setName("Eclipse Public License 1.0") + .setLicenseText("Eclipse Public License - v 1.0\n\nTHE ACCOMPANYING PROGRAM IS PROVIDED" + + " UNDER THE TERMS OF THIS ECLIPSE PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION " + + "OR DISTRIBUTION OF THE PROGRAM CONSTITUTES RECIPIENTS ACCEPTANCE OF THIS AGREEMENT.\n\n1. " + + "DEFINITIONS\n\n\"Contribution\" means:\n a) in the case of the initial Contributor...") + .setIsFsfLibre(true) + .setComment("EPL replaced the CPL on 28 June 2005.") + .addSeeAlso("https://opensource.org/licenses/EPL-1.0") + .build()) + .build()) + // DisjunctiveLicenseSet + .addMember(doc.createDisjunctiveLicenseSet(prefix + "complexdisjunctive") + // WithAdditionOperator + .addMember(doc.createWithAdditionOperator(prefix + "complexwith") + .setSubjectExtendableLicense((ExtendableLicense) LicenseInfoFactory.parseSPDXLicenseString("GPL-2.0-or-later")) + // ListedLicenseException + .setSubjectAddition(doc.createListedLicenseException("http://spdx.org/licenses/Autoconf-exception-2.0") + .setName("Autoconf exception 2.0") + .setComment("Typically used with GPL-2.0-only or GPL-2.0-or-later") + .setAdditionText("As a special exception, the Free Software Foundation gives unlimited " + + "permission to copy, distribute and modify the ...") + .addSeeAlso("http://ftp.gnu.org/gnu/autoconf/autoconf-2.59.tar.gz") + .build()) + .build()) + .addMember(doc.createWithAdditionOperator(prefix + "complexwithcustomaddition") + .setSubjectExtendableLicense((ExtendableLicense) LicenseInfoFactory.parseSPDXLicenseString("Apache-2.0")) + // CustomLicenseAddition + .setSubjectAddition(doc.createCustomLicenseAddition(prefix + "complexcustomaddition") + .setName("My License Addition") + .setAdditionText("Custom addition text - just for me") + .addSeeAlso("https://example.com") + .build()) + .build()) + // ExtendableLicense - Abstract + // IndividualLicensingInfo - used by listed license + // License - Abstract + .addMember(LicenseInfoFactory.parseSPDXLicenseString("MIT")) + .build()) + .build(); + doc.getRootElements().add(complexLicense); + doc.getElements().add(complexLicense); + List warnings = new ArrayList<>(); + Collection docElements = doc.getElements(); + SpdxModelFactory.getSpdxObjects(modelStore, copyManager, null, null, prefix).forEach( + modelObject -> { + if (modelObject instanceof Element) { + Element element = (Element)modelObject; + if (!docElements.contains(element) && !element.equals(doc)) { + warnings.add("Element not in the document elements: " + element.getObjectUri()); + docElements.add(element); + } + } + } + ); + warnings.addAll(complexLicense.verify()); + try (OutputStream outStream = new FileOutputStream(outFile)) { + modelStore.serialize(outStream, doc); + } + SchemaRegistry schemaRegistry = + SchemaRegistry.withDefaultDialect(SpecificationVersion.DRAFT_2020_12); + Schema schema; + try (InputStream is = Verify.class.getResourceAsStream("/" + JSON_SCHEMA_RESOURCE_V3)) { + schema = schemaRegistry.getSchema(is); + } + JsonNode root; + try (InputStream is = new FileInputStream(outFile)) { + root = JSON_MAPPER.readTree(is); + } + List messages = schema.validate(root); + for (Error msg:messages) { + warnings.add(msg.toString()); + } + if (!warnings.isEmpty()) { + System.out.println("Generated document contains the following warnings:"); + for (String warning:warnings) { + System.out.print("\t"); + System.out.println(warning); + } + } + } + } + + private static void usage() { + System.out.println("Generates an SPDX JSON-LD file containing all of the supported classes."); + System.out.println("Usage: FullSpdxV3Example outputfile"); + } +} diff --git a/examples/org/spdx/examples/FullSpdxV3Example.java b/examples/org/spdx/examples/FullSpdxV3Example.java index 2a42eb6..25dee99 100644 --- a/examples/org/spdx/examples/FullSpdxV3Example.java +++ b/examples/org/spdx/examples/FullSpdxV3Example.java @@ -1,13 +1,12 @@ package org.spdx.examples; - import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.SerializationFeature; -import com.networknt.schema.JsonSchema; -import com.networknt.schema.JsonSchemaFactory; -import com.networknt.schema.SpecVersion; -import com.networknt.schema.ValidationMessage; +import com.networknt.schema.Error; +import com.networknt.schema.Schema; +import com.networknt.schema.SchemaRegistry; +import com.networknt.schema.SpecificationVersion; import org.spdx.core.DefaultModelStore; import org.spdx.core.IModelCopyManager; import org.spdx.core.InvalidSPDXAnalysisException; @@ -26,7 +25,6 @@ import org.spdx.library.model.v3_0_1.dataset.DatasetPackage; import org.spdx.library.model.v3_0_1.dataset.DatasetType; import org.spdx.library.model.v3_0_1.expandedlicensing.ExtendableLicense; -import org.spdx.library.model.v3_0_1.extension.Extension; import org.spdx.library.model.v3_0_1.security.*; import org.spdx.library.model.v3_0_1.simplelicensing.AnyLicenseInfo; import org.spdx.library.model.v3_0_1.simplelicensing.SimpleLicensingText; @@ -39,9 +37,7 @@ import java.io.*; import java.time.LocalDateTime; import java.time.format.DateTimeFormatter; -import java.util.ArrayList; -import java.util.List; -import java.util.Set; +import java.util.*; import static org.spdx.tools.Verify.JSON_SCHEMA_RESOURCE_V3; @@ -61,10 +57,9 @@ public class FullSpdxV3Example { static final ObjectMapper JSON_MAPPER = new ObjectMapper().enable(SerializationFeature.INDENT_OUTPUT); static class ExampleBuilder { - private String prefix = null; - private SpdxDocument doc = null; + private final String prefix; + private final SpdxDocument doc; private Sbom sBom = null; - private Bom aiBom = null; private SpdxPackage pkg = null; public ExampleBuilder(String prefix, SpdxDocument doc) { @@ -88,17 +83,19 @@ private String getNextAnonId() throws InvalidSPDXAnalysisException { } private void addExtensionClasses() throws InvalidSPDXAnalysisException { - // SpdxExtensionExample extension = new SpdxExtensionExample(doc.getModelStore(), prefix + "extension", doc.getCopyManager(), true, prefix); - // This currently causes a schema validation issue and depends on a fix in the v3JsonLD store - // extension.setExtensionProperty("Extension property value"); - // TODO: Add this back in after validation issues are addressed - Extension extension = doc.createCdxPropertiesExtension(prefix + "extension") + //TODO: The following is causing a schema validation error - uncomment when resolved +// ModelRegistry.getModelRegistry().registerExtensionType("Extension.example", +// SpdxExtensionExample.class); +// SpdxExtensionExample extension = new SpdxExtensionExample(doc.getModelStore(), +// prefix + "extension", doc.getCopyManager(), true, prefix); +// extension.setExtensionProperty("Extension property value"); +// doc.getExtensions().add(extension); + doc.getExtensions().add(doc.createCdxPropertiesExtension(getNextAnonId()) .addCdxProperty(doc.createCdxPropertyEntry(getNextAnonId()) - .setCdxPropName("cdxProperty") - .setCdxPropValue("value") + .setCdxPropName("CDXProperty") + .setCdxPropValue("Property Value") .build()) - .build(); - doc.getExtensions().add(extension); + .build()); } private void addBuildClasses() throws InvalidSPDXAnalysisException { @@ -173,7 +170,7 @@ private void addExpandedLicensingClasses() throws InvalidSPDXAnalysisException // ConjunctiveLicenseSet AnyLicenseInfo complexLicense = doc.createConjunctiveLicenseSet(prefix + "complexlicense") // CustomLicense - .addMember(doc.createCustomLicense(prefix + "LicenseRef-customlicense1") + .addMember(doc.createCustomLicense(prefix + "LicenseRef-customlicense3") .setLicenseText("This is the license text for my custom license") .setName("Gary's Custom License") .addSeeAlso("https://example.com") @@ -181,7 +178,7 @@ private void addExpandedLicensingClasses() throws InvalidSPDXAnalysisException // OrLaterOperator .addMember(doc.createOrLaterOperator(prefix + "complexorlater") // ListedLicense - .setSubjectLicense(doc.createListedLicense("https://spdx.org/licenses/EPL-1.0") + .setSubjectLicense(doc.createListedLicense("http://spdx.org/licenses/EPL-1.0") .setName("Eclipse Public License 1.0") .setLicenseText("Eclipse Public License - v 1.0\n\nTHE ACCOMPANYING PROGRAM IS PROVIDED" + " UNDER THE TERMS OF THIS ECLIPSE PUBLIC LICENSE (\"AGREEMENT\"). ANY USE, REPRODUCTION " + @@ -378,20 +375,20 @@ private void addSecurityClasses() throws InvalidSPDXAnalysisException { // ExploitCatalogVulnAssessmentRelationship //TODO: The schema has "locator" for the field while the generated Java code has "securityLocator" //Need to regenerate the library then uncomment the example below -// ExploitCatalogVulnAssessmentRelationship excat = doc.createExploitCatalogVulnAssessmentRelationship(prefix + "exploitcat") -// .setRelationshipType(RelationshipType.HAS_ASSESSMENT_FOR) -// .setFrom(vuln) -// .addTo(log4j) -// .setCatalogType(ExploitCatalogType.KEV) -// .setSecurityLocator("https://www.cisa.gov/known-exploited-vulnerabilities-catalog") -// .setExploited(true) -// .setAssessedElement(log4j) -// .setSuppliedBy(supplierAgent) -// .setPublishedTime(LocalDateTime.of(2023, 9, 18, 0, 0) -// .format(SPDX_DATE_FORMATTER)) -// .build(); -// doc.getElements().add(excat); -// securityBundle.getElements().add(excat); + ExploitCatalogVulnAssessmentRelationship excat = doc.createExploitCatalogVulnAssessmentRelationship(prefix + "exploitcat") + .setRelationshipType(RelationshipType.HAS_ASSESSMENT_FOR) + .setFrom(vuln) + .addTo(log4j) + .setCatalogType(ExploitCatalogType.KEV) + .setSecurityLocator("https://www.cisa.gov/known-exploited-vulnerabilities-catalog") + .setExploited(true) + .setAssessedElement(log4j) + .setSuppliedBy(supplierAgent) + .setPublishedTime(LocalDateTime.of(2023, 9, 18, 0, 0) + .format(SPDX_DATE_FORMATTER)) + .build(); + doc.getElements().add(excat); + securityBundle.getElements().add(excat); // SsvcVulnAssessmentRelationship SsvcVulnAssessmentRelationship ssvs = doc.createSsvcVulnAssessmentRelationship(prefix + "ssvs") @@ -527,7 +524,6 @@ private void addCoreClasses() throws InvalidSPDXAnalysisException { .addLocator("org.spdx:tools-java") .build()) .build()); - } private void addSoftwareClasses() throws InvalidSPDXAnalysisException { @@ -668,7 +664,7 @@ private void addSoftwareClasses() throws InvalidSPDXAnalysisException { } private void addAIandDataClasses() throws InvalidSPDXAnalysisException { - aiBom = doc.createBom(prefix + "aibom") + Bom aiBom = doc.createBom(prefix + "aibom") .setName("AI SBOM") .addProfileConformance(ProfileIdentifierType.CORE) .addProfileConformance(ProfileIdentifierType.SOFTWARE) @@ -758,6 +754,8 @@ private void addAIandDataClasses() throws InvalidSPDXAnalysisException { .addTo(aiPackage) .setCompleteness(RelationshipCompleteness.INCOMPLETE) .build(); + doc.getElements().add(usesData); + aiBom.getElements().add(usesData); } } @@ -809,22 +807,40 @@ public static void main(String[] args) throws Exception { doc.setIdPrefix(prefix); ExampleBuilder builder = new ExampleBuilder(prefix, doc); builder.build(); + List warnings = new ArrayList<>(); + // Add all the elements to the doc to make sure everything gets serialized + Collection docElements = doc.getElements(); + SpdxModelFactory.getSpdxObjects(modelStore, copyManager, null, null, prefix).forEach( + modelObject -> { + if (modelObject instanceof Element) { + Element element = (Element)modelObject; + if (!docElements.contains(element) && !element.equals(doc)) { + warnings.add("Element not in the document elements: " + element.getObjectUri()); + docElements.add(element); + } + } + } + ); - List warnings = doc.verify(); + // Verify using the SPDX Java Library + warnings.addAll(doc.verify()); try (OutputStream outStream = new FileOutputStream(outFile)) { - modelStore.serialize(outStream); + modelStore.serialize(outStream, doc); } - JsonSchemaFactory jsonSchemaFactory = JsonSchemaFactory.getInstance(SpecVersion.VersionFlag.V202012); - JsonSchema schema; + + // Validate using the schema + SchemaRegistry schemaRegistry = + SchemaRegistry.withDefaultDialect(SpecificationVersion.DRAFT_2020_12); + Schema schema; try (InputStream is = Verify.class.getResourceAsStream("/" + JSON_SCHEMA_RESOURCE_V3)) { - schema = jsonSchemaFactory.getSchema(is); + schema = schemaRegistry.getSchema(is); } JsonNode root; try (InputStream is = new FileInputStream(outFile)) { root = JSON_MAPPER.readTree(is); } - Set messages = schema.validate(root); - for (ValidationMessage msg:messages) { + List messages = schema.validate(root); + for (Error msg:messages) { warnings.add(msg.toString()); } if (!warnings.isEmpty()) { diff --git a/examples/org/spdx/examples/SpdxExtensionExample.java b/examples/org/spdx/examples/SpdxExtensionExample.java index 135a80e..f75d8c9 100644 --- a/examples/org/spdx/examples/SpdxExtensionExample.java +++ b/examples/org/spdx/examples/SpdxExtensionExample.java @@ -17,6 +17,10 @@ public SpdxExtensionExample(IModelStore modelStore, String objectUri, @Nullable super(modelStore, objectUri, copyManager, create, idPrefix); } + public SpdxExtensionExample(IModelStore modelStore, String objectUri, @Nullable IModelCopyManager copyManager, boolean create, String specVersion, String idPrefix) throws InvalidSPDXAnalysisException { + super(modelStore, objectUri, copyManager, create, idPrefix); + } + public SpdxExtensionExample setExtensionProperty(String value) throws InvalidSPDXAnalysisException { setPropertyValue(EXTENSION_PROPERTY_DESCRIPTOR, value); return this; @@ -25,4 +29,9 @@ public SpdxExtensionExample setExtensionProperty(String value) throws InvalidSPD public Optional getExtensionProperty() throws InvalidSPDXAnalysisException { return getStringPropertyValue(EXTENSION_PROPERTY_DESCRIPTOR); } + + @Override + public String getType() { + return "Extension.example"; + } } From d5a923a0875a9092b45e8f63e083f1d42911e4c4 Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Fri, 7 Nov 2025 11:59:34 -0800 Subject: [PATCH 32/61] Add missing file copyright notice Co-authored-by: Arthit Suriyawongkul --- examples/org/spdx/examples/ExpandedLicenseExampleV3.java | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/examples/org/spdx/examples/ExpandedLicenseExampleV3.java b/examples/org/spdx/examples/ExpandedLicenseExampleV3.java index 573bdde..030b1b2 100644 --- a/examples/org/spdx/examples/ExpandedLicenseExampleV3.java +++ b/examples/org/spdx/examples/ExpandedLicenseExampleV3.java @@ -1,3 +1,12 @@ +/** + * SPDX-FileContributor: Gary O'Neall + * SPDX-FileCopyrightText: Copyright (c) 2025 Source Auditor Inc. + * SPDX-FileType: SOURCE + * SPDX-License-Identifier: Apache-2.0 + * + * Example of serializing a single expanded license + */ + package org.spdx.examples; import com.fasterxml.jackson.databind.JsonNode; From f6cf5a9573a07ab1bcaf738391e1e077fc52ad12 Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Fri, 7 Nov 2025 11:59:49 -0800 Subject: [PATCH 33/61] Add missing file copyright notice Co-authored-by: Arthit Suriyawongkul --- examples/org/spdx/examples/FullSpdxV3Example.java | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/examples/org/spdx/examples/FullSpdxV3Example.java b/examples/org/spdx/examples/FullSpdxV3Example.java index 25dee99..fd1b269 100644 --- a/examples/org/spdx/examples/FullSpdxV3Example.java +++ b/examples/org/spdx/examples/FullSpdxV3Example.java @@ -1,3 +1,12 @@ +/** + * SPDX-FileContributor: Gary O'Neall + * SPDX-FileCopyrightText: Copyright (c) 2025 Source Auditor Inc. + * SPDX-FileType: SOURCE + * SPDX-License-Identifier: Apache-2.0 + * + * Full example of an SPDX document using all classes + */ + package org.spdx.examples; import com.fasterxml.jackson.databind.JsonNode; From c17e8333f8e7369a51fb01416689b17fd65569fb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Nov 2025 17:40:53 +0000 Subject: [PATCH 34/61] Bump org.apache.maven.plugins:maven-release-plugin from 3.1.1 to 3.2.0 Bumps [org.apache.maven.plugins:maven-release-plugin](https://github.com/apache/maven-release) from 3.1.1 to 3.2.0. - [Release notes](https://github.com/apache/maven-release/releases) - [Commits](https://github.com/apache/maven-release/compare/maven-release-3.1.1...maven-release-3.2.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-release-plugin dependency-version: 3.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index be74737..279090a 100644 --- a/pom.xml +++ b/pom.xml @@ -354,7 +354,7 @@ org.apache.maven.plugins maven-release-plugin - 3.1.1 + 3.2.0 v@{project.version} release From 0ebc386130c9a818cc7f8e75445720e5f9b8abd7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Nov 2025 17:40:59 +0000 Subject: [PATCH 35/61] Bump commons-io:commons-io from 2.20.0 to 2.21.0 Bumps [commons-io:commons-io](https://github.com/apache/commons-io) from 2.20.0 to 2.21.0. - [Changelog](https://github.com/apache/commons-io/blob/master/RELEASE-NOTES.txt) - [Commits](https://github.com/apache/commons-io/compare/rel/commons-io-2.20.0...rel/commons-io-2.21.0) --- updated-dependencies: - dependency-name: commons-io:commons-io dependency-version: 2.21.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 279090a..27ae85d 100644 --- a/pom.xml +++ b/pom.xml @@ -97,7 +97,7 @@ commons-io commons-io - 2.20.0 + 2.21.0 org.apache.commons From 7a2ea0fb8542a7e86d39a864253b29f1fbecc84e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Nov 2025 16:01:13 +0000 Subject: [PATCH 36/61] Bump org.owasp:dependency-check-maven from 12.1.8 to 12.1.9 Bumps [org.owasp:dependency-check-maven](https://github.com/dependency-check/DependencyCheck) from 12.1.8 to 12.1.9. - [Release notes](https://github.com/dependency-check/DependencyCheck/releases) - [Changelog](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md) - [Commits](https://github.com/dependency-check/DependencyCheck/compare/v12.1.8...v12.1.9) --- updated-dependencies: - dependency-name: org.owasp:dependency-check-maven dependency-version: 12.1.9 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 27ae85d..7335130 100644 --- a/pom.xml +++ b/pom.xml @@ -48,7 +48,7 @@ https://sonarcloud.io spdx tools-java - 12.1.8 + 12.1.9 11 -Xdoclint:none From 3bee0a45fea5223894f9d2d8cd52fe5c9c4a30cb Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Thu, 6 Nov 2025 17:31:05 -0800 Subject: [PATCH 37/61] Add faster schema Reference: https://github.com/JPEWdev/shacl2code/pull/56 Signed-off-by: Gary O'Neall --- resources/spdx-schema-v3.0.1.json | 4416 +++++++++++++++++------------ 1 file changed, 2606 insertions(+), 1810 deletions(-) diff --git a/resources/spdx-schema-v3.0.1.json b/resources/spdx-schema-v3.0.1.json index 5a030b4..13f4636 100644 --- a/resources/spdx-schema-v3.0.1.json +++ b/resources/spdx-schema-v3.0.1.json @@ -10,42 +10,56 @@ }, "required": ["@context"], - "oneOf": [ - { - "type": "object", - "properties": { - "@graph": { - "description": "Top level container for JSON-LD objects", - "type": "array", - "items": { - "type": "object", - "$ref": "#/$defs/AnyClass", - "unevaluatedProperties": false - } + "if": { + "type": "object", + "required": ["@graph"] + }, + "then": { + "type": "object", + "properties": { + "@graph": { + "description": "Top level container for JSON-LD objects", + "type": "array", + "items": { + "type": "object", + "$ref": "#/$defs/AnyClass", + "unevaluatedProperties": false } - }, - "required": ["@graph"] + } }, - { "$ref": "#/$defs/AnyClass" } - ], + "required": ["@graph"] + }, + "else": { + "$ref": "#/$defs/AnyClass" + }, "unevaluatedProperties": false, "$defs": { "ai_EnergyConsumption": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "ai_EnergyConsumption" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "ai_EnergyConsumption" } }, - { "$ref": "#/$defs/ai_EnergyConsumption_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/ai_EnergyConsumption_props" } + ] + }, + "else": { + "const": "Not a ai_EnergyConsumption" + } }, "ai_EnergyConsumption_derived": { "anyOf": [ @@ -66,7 +80,7 @@ "type": "object", "properties": { "ai_finetuningEnergyConsumption": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -76,7 +90,7 @@ ] }, "ai_inferenceEnergyConsumption": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -86,7 +100,7 @@ ] }, "ai_trainingEnergyConsumption": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -100,29 +114,39 @@ ] }, "prop_ai_EnergyConsumption_ai_finetuningEnergyConsumption": { - "$ref": "#/$defs/ai_EnergyConsumptionDescription_derived" + "$ref": "#/$defs/ai_EnergyConsumptionDescription_derived" }, "prop_ai_EnergyConsumption_ai_inferenceEnergyConsumption": { - "$ref": "#/$defs/ai_EnergyConsumptionDescription_derived" + "$ref": "#/$defs/ai_EnergyConsumptionDescription_derived" }, "prop_ai_EnergyConsumption_ai_trainingEnergyConsumption": { - "$ref": "#/$defs/ai_EnergyConsumptionDescription_derived" + "$ref": "#/$defs/ai_EnergyConsumptionDescription_derived" }, "ai_EnergyConsumptionDescription": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "ai_EnergyConsumptionDescription" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "ai_EnergyConsumptionDescription" } }, - { "$ref": "#/$defs/ai_EnergyConsumptionDescription_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/ai_EnergyConsumptionDescription_props" } + ] + }, + "else": { + "const": "Not a ai_EnergyConsumptionDescription" + } }, "ai_EnergyConsumptionDescription_derived": { "anyOf": [ @@ -157,38 +181,48 @@ ] }, "prop_ai_EnergyConsumptionDescription_ai_energyQuantity": { - "oneOf": [ - { - "type": "number" - }, - { - "type": "string", - "pattern": "^-?[0-9]+(\\.[0-9]*)?$" - } - ] + "anyOf": [ + { + "type": "number" + }, + { + "type": "string", + "pattern": "^-?[0-9]+(\\.[0-9]*)?$" + } + ] }, "prop_ai_EnergyConsumptionDescription_ai_energyUnit": { - "enum": [ - "kilowattHour", - "megajoule", - "other" - ] + "enum": [ + "kilowattHour", + "megajoule", + "other" + ] }, "ai_EnergyUnitType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "ai_EnergyUnitType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "ai_EnergyUnitType" } }, - { "$ref": "#/$defs/ai_EnergyUnitType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/ai_EnergyUnitType_props" } + ] + }, + "else": { + "const": "Not a ai_EnergyUnitType" + } }, "ai_EnergyUnitType_derived": { "anyOf": [ @@ -216,20 +250,30 @@ ] }, "ai_SafetyRiskAssessmentType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "ai_SafetyRiskAssessmentType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "ai_SafetyRiskAssessmentType" } }, - { "$ref": "#/$defs/ai_SafetyRiskAssessmentType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/ai_SafetyRiskAssessmentType_props" } + ] + }, + "else": { + "const": "Not a ai_SafetyRiskAssessmentType" + } }, "ai_SafetyRiskAssessmentType_derived": { "anyOf": [ @@ -258,20 +302,30 @@ ] }, "AnnotationType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "AnnotationType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "AnnotationType" } }, - { "$ref": "#/$defs/AnnotationType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/AnnotationType_props" } + ] + }, + "else": { + "const": "Not a AnnotationType" + } }, "AnnotationType_derived": { "anyOf": [ @@ -298,20 +352,30 @@ ] }, "CreationInfo": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "CreationInfo" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "CreationInfo" } }, - { "$ref": "#/$defs/CreationInfo_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/CreationInfo_props" } + ] + }, + "else": { + "const": "Not a CreationInfo" + } }, "CreationInfo_derived": { "anyOf": [ @@ -338,7 +402,7 @@ "$ref": "#/$defs/prop_CreationInfo_created" }, "createdBy": { - "oneOf": [ + "anyOf": [ { "type": "array", "minItems": 1, @@ -349,7 +413,7 @@ ] }, "createdUsing": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -371,44 +435,54 @@ ] }, "prop_CreationInfo_comment": { - "type": "string" + "type": "string" }, "prop_CreationInfo_created": { - "type": "string", - "allOf": [ - { - "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" - }, - { - "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" - } - ] + "type": "string", + "allOf": [ + { + "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" + }, + { + "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" + } + ] }, "prop_CreationInfo_createdBy": { - "$ref": "#/$defs/Agent_derived" + "$ref": "#/$defs/Agent_derived" }, "prop_CreationInfo_createdUsing": { - "$ref": "#/$defs/Tool_derived" + "$ref": "#/$defs/Tool_derived" }, "prop_CreationInfo_specVersion": { - "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", - "type": "string" + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", + "type": "string" }, "DictionaryEntry": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "DictionaryEntry" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "DictionaryEntry" } }, - { "$ref": "#/$defs/DictionaryEntry_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/DictionaryEntry_props" } + ] + }, + "else": { + "const": "Not a DictionaryEntry" + } }, "DictionaryEntry_derived": { "anyOf": [ @@ -442,10 +516,10 @@ ] }, "prop_DictionaryEntry_key": { - "type": "string" + "type": "string" }, "prop_DictionaryEntry_value": { - "type": "string" + "type": "string" }, "Element_derived": { "anyOf": [ @@ -520,7 +594,7 @@ "$ref": "#/$defs/prop_Element_description" }, "extension": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -530,7 +604,7 @@ ] }, "externalIdentifier": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -540,7 +614,7 @@ ] }, "externalRef": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -556,7 +630,7 @@ "$ref": "#/$defs/prop_Element_summary" }, "verifiedUsing": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -573,31 +647,31 @@ ] }, "prop_Element_comment": { - "type": "string" + "type": "string" }, "prop_Element_creationInfo": { - "$ref": "#/$defs/CreationInfo_derived" + "$ref": "#/$defs/CreationInfo_derived" }, "prop_Element_description": { - "type": "string" + "type": "string" }, "prop_Element_extension": { - "$ref": "#/$defs/extension_Extension_derived" + "$ref": "#/$defs/extension_Extension_derived" }, "prop_Element_externalIdentifier": { - "$ref": "#/$defs/ExternalIdentifier_derived" + "$ref": "#/$defs/ExternalIdentifier_derived" }, "prop_Element_externalRef": { - "$ref": "#/$defs/ExternalRef_derived" + "$ref": "#/$defs/ExternalRef_derived" }, "prop_Element_name": { - "type": "string" + "type": "string" }, "prop_Element_summary": { - "type": "string" + "type": "string" }, "prop_Element_verifiedUsing": { - "$ref": "#/$defs/IntegrityMethod_derived" + "$ref": "#/$defs/IntegrityMethod_derived" }, "ElementCollection_derived": { "anyOf": [ @@ -621,7 +695,7 @@ "type": "object", "properties": { "element": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -631,7 +705,7 @@ ] }, "profileConformance": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -641,7 +715,7 @@ ] }, "rootElement": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -655,40 +729,50 @@ ] }, "prop_ElementCollection_element": { - "$ref": "#/$defs/Element_derived" + "$ref": "#/$defs/Element_derived" }, "prop_ElementCollection_profileConformance": { - "enum": [ - "ai", - "build", - "core", - "dataset", - "expandedLicensing", - "extension", - "lite", - "security", - "simpleLicensing", - "software" - ] + "enum": [ + "ai", + "build", + "core", + "dataset", + "expandedLicensing", + "extension", + "lite", + "security", + "simpleLicensing", + "software" + ] }, "prop_ElementCollection_rootElement": { - "$ref": "#/$defs/Element_derived" + "$ref": "#/$defs/Element_derived" }, "ExternalIdentifier": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "ExternalIdentifier" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "ExternalIdentifier" } }, - { "$ref": "#/$defs/ExternalIdentifier_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/ExternalIdentifier_props" } + ] + }, + "else": { + "const": "Not a ExternalIdentifier" + } }, "ExternalIdentifier_derived": { "anyOf": [ @@ -718,7 +802,7 @@ "$ref": "#/$defs/prop_ExternalIdentifier_identifier" }, "identifierLocator": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -739,47 +823,57 @@ ] }, "prop_ExternalIdentifier_comment": { - "type": "string" + "type": "string" }, "prop_ExternalIdentifier_externalIdentifierType": { - "enum": [ - "cpe22", - "cpe23", - "cve", - "email", - "gitoid", - "other", - "packageUrl", - "securityOther", - "swhid", - "swid", - "urlScheme" - ] + "enum": [ + "cpe22", + "cpe23", + "cve", + "email", + "gitoid", + "other", + "packageUrl", + "securityOther", + "swhid", + "swid", + "urlScheme" + ] }, "prop_ExternalIdentifier_identifier": { - "type": "string" + "type": "string" }, "prop_ExternalIdentifier_identifierLocator": { - "$ref": "#/$defs/anyURI" + "$ref": "#/$defs/anyURI" }, "prop_ExternalIdentifier_issuingAuthority": { - "type": "string" + "type": "string" }, "ExternalIdentifierType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "ExternalIdentifierType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "ExternalIdentifierType" } }, - { "$ref": "#/$defs/ExternalIdentifierType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/ExternalIdentifierType_props" } + ] + }, + "else": { + "const": "Not a ExternalIdentifierType" + } }, "ExternalIdentifierType_derived": { "anyOf": [ @@ -815,20 +909,30 @@ ] }, "ExternalMap": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "ExternalMap" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "ExternalMap" } }, - { "$ref": "#/$defs/ExternalMap_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/ExternalMap_props" } + ] + }, + "else": { + "const": "Not a ExternalMap" + } }, "ExternalMap_derived": { "anyOf": [ @@ -858,7 +962,7 @@ "$ref": "#/$defs/prop_ExternalMap_locationHint" }, "verifiedUsing": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -875,32 +979,42 @@ ] }, "prop_ExternalMap_definingArtifact": { - "$ref": "#/$defs/Artifact_derived" + "$ref": "#/$defs/Artifact_derived" }, "prop_ExternalMap_externalSpdxId": { - "$ref": "#/$defs/anyURI" + "$ref": "#/$defs/anyURI" }, "prop_ExternalMap_locationHint": { - "$ref": "#/$defs/anyURI" + "$ref": "#/$defs/anyURI" }, "prop_ExternalMap_verifiedUsing": { - "$ref": "#/$defs/IntegrityMethod_derived" + "$ref": "#/$defs/IntegrityMethod_derived" }, "ExternalRef": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "ExternalRef" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "ExternalRef" } }, - { "$ref": "#/$defs/ExternalRef_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/ExternalRef_props" } + ] + }, + "else": { + "const": "Not a ExternalRef" + } }, "ExternalRef_derived": { "anyOf": [ @@ -930,7 +1044,7 @@ "$ref": "#/$defs/prop_ExternalRef_externalRefType" }, "locator": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -944,80 +1058,90 @@ ] }, "prop_ExternalRef_comment": { - "type": "string" + "type": "string" }, "prop_ExternalRef_contentType": { - "pattern": "^[^\\/]+\\/[^\\/]+$", - "type": "string" + "pattern": "^[^\\/]+\\/[^\\/]+$", + "type": "string" }, "prop_ExternalRef_externalRefType": { - "enum": [ - "altDownloadLocation", - "altWebPage", - "binaryArtifact", - "bower", - "buildMeta", - "buildSystem", - "certificationReport", - "chat", - "componentAnalysisReport", - "cwe", - "documentation", - "dynamicAnalysisReport", - "eolNotice", - "exportControlAssessment", - "funding", - "issueTracker", - "license", - "mailingList", - "mavenCentral", - "metrics", - "npm", - "nuget", - "other", - "privacyAssessment", - "productMetadata", - "purchaseOrder", - "qualityAssessmentReport", - "releaseHistory", - "releaseNotes", - "riskAssessment", - "runtimeAnalysisReport", - "secureSoftwareAttestation", - "securityAdversaryModel", - "securityAdvisory", - "securityFix", - "securityOther", - "securityPenTestReport", - "securityPolicy", - "securityThreatModel", - "socialMedia", - "sourceArtifact", - "staticAnalysisReport", - "support", - "vcs", - "vulnerabilityDisclosureReport", - "vulnerabilityExploitabilityAssessment" - ] + "enum": [ + "altDownloadLocation", + "altWebPage", + "binaryArtifact", + "bower", + "buildMeta", + "buildSystem", + "certificationReport", + "chat", + "componentAnalysisReport", + "cwe", + "documentation", + "dynamicAnalysisReport", + "eolNotice", + "exportControlAssessment", + "funding", + "issueTracker", + "license", + "mailingList", + "mavenCentral", + "metrics", + "npm", + "nuget", + "other", + "privacyAssessment", + "productMetadata", + "purchaseOrder", + "qualityAssessmentReport", + "releaseHistory", + "releaseNotes", + "riskAssessment", + "runtimeAnalysisReport", + "secureSoftwareAttestation", + "securityAdversaryModel", + "securityAdvisory", + "securityFix", + "securityOther", + "securityPenTestReport", + "securityPolicy", + "securityThreatModel", + "socialMedia", + "sourceArtifact", + "staticAnalysisReport", + "support", + "vcs", + "vulnerabilityDisclosureReport", + "vulnerabilityExploitabilityAssessment" + ] }, "prop_ExternalRef_locator": { - "type": "string" + "type": "string" }, "ExternalRefType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "ExternalRefType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "ExternalRefType" } }, - { "$ref": "#/$defs/ExternalRefType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/ExternalRefType_props" } + ] + }, + "else": { + "const": "Not a ExternalRefType" + } }, "ExternalRefType_derived": { "anyOf": [ @@ -1088,20 +1212,30 @@ ] }, "HashAlgorithm": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "HashAlgorithm" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "HashAlgorithm" } }, - { "$ref": "#/$defs/HashAlgorithm_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/HashAlgorithm_props" } + ] + }, + "else": { + "const": "Not a HashAlgorithm" + } }, "HashAlgorithm_derived": { "anyOf": [ @@ -1148,21 +1282,31 @@ ] }, "IndividualElement": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "IndividualElement" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "IndividualElement" + } }, - { "$ref": "#/$defs/IndividualElement_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/IndividualElement_props" } + ] + }, + "else": { + "const": "Not a IndividualElement" + } }, "IndividualElement_derived": { "anyOf": [ @@ -1216,23 +1360,33 @@ ] }, "prop_IntegrityMethod_comment": { - "type": "string" + "type": "string" }, "LifecycleScopeType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "LifecycleScopeType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "LifecycleScopeType" } }, - { "$ref": "#/$defs/LifecycleScopeType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/LifecycleScopeType_props" } + ] + }, + "else": { + "const": "Not a LifecycleScopeType" + } }, "LifecycleScopeType_derived": { "anyOf": [ @@ -1263,20 +1417,30 @@ ] }, "NamespaceMap": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "NamespaceMap" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "NamespaceMap" } }, - { "$ref": "#/$defs/NamespaceMap_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/NamespaceMap_props" } + ] + }, + "else": { + "const": "Not a NamespaceMap" + } }, "NamespaceMap_derived": { "anyOf": [ @@ -1311,26 +1475,36 @@ ] }, "prop_NamespaceMap_namespace": { - "$ref": "#/$defs/anyURI" + "$ref": "#/$defs/anyURI" }, "prop_NamespaceMap_prefix": { - "type": "string" + "type": "string" }, "PackageVerificationCode": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "PackageVerificationCode" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "PackageVerificationCode" } }, - { "$ref": "#/$defs/PackageVerificationCode_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/PackageVerificationCode_props" } + ] + }, + "else": { + "const": "Not a PackageVerificationCode" + } }, "PackageVerificationCode_derived": { "anyOf": [ @@ -1357,7 +1531,7 @@ "$ref": "#/$defs/prop_PackageVerificationCode_hashValue" }, "packageVerificationCodeExcludedFile": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -1375,52 +1549,62 @@ ] }, "prop_PackageVerificationCode_algorithm": { - "enum": [ - "adler32", - "blake2b256", - "blake2b384", - "blake2b512", - "blake3", - "crystalsDilithium", - "crystalsKyber", - "falcon", - "md2", - "md4", - "md5", - "md6", - "other", - "sha1", - "sha224", - "sha256", - "sha384", - "sha3_224", - "sha3_256", - "sha3_384", - "sha3_512", - "sha512" - ] + "enum": [ + "adler32", + "blake2b256", + "blake2b384", + "blake2b512", + "blake3", + "crystalsDilithium", + "crystalsKyber", + "falcon", + "md2", + "md4", + "md5", + "md6", + "other", + "sha1", + "sha224", + "sha256", + "sha384", + "sha3_224", + "sha3_256", + "sha3_384", + "sha3_512", + "sha512" + ] }, "prop_PackageVerificationCode_hashValue": { - "type": "string" + "type": "string" }, "prop_PackageVerificationCode_packageVerificationCodeExcludedFile": { - "type": "string" + "type": "string" }, "PositiveIntegerRange": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "PositiveIntegerRange" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "PositiveIntegerRange" } }, - { "$ref": "#/$defs/PositiveIntegerRange_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/PositiveIntegerRange_props" } + ] + }, + "else": { + "const": "Not a PositiveIntegerRange" + } }, "PositiveIntegerRange_derived": { "anyOf": [ @@ -1455,28 +1639,38 @@ ] }, "prop_PositiveIntegerRange_beginIntegerRange": { - "type": "integer", - "minimum": 1 + "type": "integer", + "minimum": 1 }, "prop_PositiveIntegerRange_endIntegerRange": { - "type": "integer", - "minimum": 1 + "type": "integer", + "minimum": 1 }, "PresenceType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "PresenceType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "PresenceType" } }, - { "$ref": "#/$defs/PresenceType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/PresenceType_props" } + ] + }, + "else": { + "const": "Not a PresenceType" + } }, "PresenceType_derived": { "anyOf": [ @@ -1504,20 +1698,30 @@ ] }, "ProfileIdentifierType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "ProfileIdentifierType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "ProfileIdentifierType" } }, - { "$ref": "#/$defs/ProfileIdentifierType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/ProfileIdentifierType_props" } + ] + }, + "else": { + "const": "Not a ProfileIdentifierType" + } }, "ProfileIdentifierType_derived": { "anyOf": [ @@ -1552,21 +1756,31 @@ ] }, "Relationship": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "Relationship" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "Relationship" + } }, - { "$ref": "#/$defs/Relationship_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/Relationship_props" } + ] + }, + "else": { + "const": "Not a Relationship" + } }, "Relationship_derived": { "anyOf": [ @@ -1613,7 +1827,7 @@ "$ref": "#/$defs/prop_Relationship_startTime" }, "to": { - "oneOf": [ + "anyOf": [ { "type": "array", "minItems": 1, @@ -1633,118 +1847,128 @@ ] }, "prop_Relationship_completeness": { - "enum": [ - "complete", - "incomplete", - "noAssertion" - ] + "enum": [ + "complete", + "incomplete", + "noAssertion" + ] }, "prop_Relationship_endTime": { - "type": "string", - "allOf": [ - { - "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" - }, - { - "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" - } - ] + "type": "string", + "allOf": [ + { + "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" + }, + { + "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" + } + ] }, "prop_Relationship_from_": { - "$ref": "#/$defs/Element_derived" + "$ref": "#/$defs/Element_derived" }, "prop_Relationship_relationshipType": { - "enum": [ - "affects", - "amendedBy", - "ancestorOf", - "availableFrom", - "configures", - "contains", - "coordinatedBy", - "copiedTo", - "delegatedTo", - "dependsOn", - "descendantOf", - "describes", - "doesNotAffect", - "expandsTo", - "exploitCreatedBy", - "fixedBy", - "fixedIn", - "foundBy", - "generates", - "hasAddedFile", - "hasAssessmentFor", - "hasAssociatedVulnerability", - "hasConcludedLicense", - "hasDataFile", - "hasDeclaredLicense", - "hasDeletedFile", - "hasDependencyManifest", - "hasDistributionArtifact", - "hasDocumentation", - "hasDynamicLink", - "hasEvidence", - "hasExample", - "hasHost", - "hasInput", - "hasMetadata", - "hasOptionalComponent", - "hasOptionalDependency", - "hasOutput", - "hasPrerequisite", - "hasProvidedDependency", - "hasRequirement", - "hasSpecification", - "hasStaticLink", - "hasTest", - "hasTestCase", - "hasVariant", - "invokedBy", - "modifiedBy", - "other", - "packagedBy", - "patchedBy", - "publishedBy", - "reportedBy", - "republishedBy", - "serializedInArtifact", - "testedOn", - "trainedOn", - "underInvestigationFor", - "usesTool" - ] + "enum": [ + "affects", + "amendedBy", + "ancestorOf", + "availableFrom", + "configures", + "contains", + "coordinatedBy", + "copiedTo", + "delegatedTo", + "dependsOn", + "descendantOf", + "describes", + "doesNotAffect", + "expandsTo", + "exploitCreatedBy", + "fixedBy", + "fixedIn", + "foundBy", + "generates", + "hasAddedFile", + "hasAssessmentFor", + "hasAssociatedVulnerability", + "hasConcludedLicense", + "hasDataFile", + "hasDeclaredLicense", + "hasDeletedFile", + "hasDependencyManifest", + "hasDistributionArtifact", + "hasDocumentation", + "hasDynamicLink", + "hasEvidence", + "hasExample", + "hasHost", + "hasInput", + "hasMetadata", + "hasOptionalComponent", + "hasOptionalDependency", + "hasOutput", + "hasPrerequisite", + "hasProvidedDependency", + "hasRequirement", + "hasSpecification", + "hasStaticLink", + "hasTest", + "hasTestCase", + "hasVariant", + "invokedBy", + "modifiedBy", + "other", + "packagedBy", + "patchedBy", + "publishedBy", + "reportedBy", + "republishedBy", + "serializedInArtifact", + "testedOn", + "trainedOn", + "underInvestigationFor", + "usesTool" + ] }, "prop_Relationship_startTime": { - "type": "string", - "allOf": [ - { - "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" - }, - { - "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" - } - ] + "type": "string", + "allOf": [ + { + "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" + }, + { + "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" + } + ] }, "prop_Relationship_to": { - "$ref": "#/$defs/Element_derived" + "$ref": "#/$defs/Element_derived" }, "RelationshipCompleteness": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "RelationshipCompleteness" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "RelationshipCompleteness" } }, - { "$ref": "#/$defs/RelationshipCompleteness_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/RelationshipCompleteness_props" } + ] + }, + "else": { + "const": "Not a RelationshipCompleteness" + } }, "RelationshipCompleteness_derived": { "anyOf": [ @@ -1772,20 +1996,30 @@ ] }, "RelationshipType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "RelationshipType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "RelationshipType" } }, - { "$ref": "#/$defs/RelationshipType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/RelationshipType_props" } + ] + }, + "else": { + "const": "Not a RelationshipType" + } }, "RelationshipType_derived": { "anyOf": [ @@ -1869,21 +2103,31 @@ ] }, "SpdxDocument": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "SpdxDocument" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "SpdxDocument" + } }, - { "$ref": "#/$defs/SpdxDocument_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/SpdxDocument_props" } + ] + }, + "else": { + "const": "Not a SpdxDocument" + } }, "SpdxDocument_derived": { "anyOf": [ @@ -1907,7 +2151,7 @@ "$ref": "#/$defs/prop_SpdxDocument_dataLicense" }, "import": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -1917,7 +2161,7 @@ ] }, "namespaceMap": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -1931,29 +2175,39 @@ ] }, "prop_SpdxDocument_dataLicense": { - "$ref": "#/$defs/simplelicensing_AnyLicenseInfo_derived" + "$ref": "#/$defs/simplelicensing_AnyLicenseInfo_derived" }, "prop_SpdxDocument_import_": { - "$ref": "#/$defs/ExternalMap_derived" + "$ref": "#/$defs/ExternalMap_derived" }, "prop_SpdxDocument_namespaceMap": { - "$ref": "#/$defs/NamespaceMap_derived" + "$ref": "#/$defs/NamespaceMap_derived" }, "SupportType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "SupportType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "SupportType" } }, - { "$ref": "#/$defs/SupportType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/SupportType_props" } + ] + }, + "else": { + "const": "Not a SupportType" + } }, "SupportType_derived": { "anyOf": [ @@ -1985,21 +2239,31 @@ ] }, "Tool": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "Tool" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "Tool" + } }, - { "$ref": "#/$defs/Tool_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/Tool_props" } + ] + }, + "else": { + "const": "Not a Tool" + } }, "Tool_derived": { "anyOf": [ @@ -2024,20 +2288,30 @@ ] }, "dataset_ConfidentialityLevelType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "dataset_ConfidentialityLevelType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "dataset_ConfidentialityLevelType" } }, - { "$ref": "#/$defs/dataset_ConfidentialityLevelType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/dataset_ConfidentialityLevelType_props" } + ] + }, + "else": { + "const": "Not a dataset_ConfidentialityLevelType" + } }, "dataset_ConfidentialityLevelType_derived": { "anyOf": [ @@ -2066,20 +2340,30 @@ ] }, "dataset_DatasetAvailabilityType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "dataset_DatasetAvailabilityType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "dataset_DatasetAvailabilityType" } }, - { "$ref": "#/$defs/dataset_DatasetAvailabilityType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/dataset_DatasetAvailabilityType_props" } + ] + }, + "else": { + "const": "Not a dataset_DatasetAvailabilityType" + } }, "dataset_DatasetAvailabilityType_derived": { "anyOf": [ @@ -2109,20 +2393,30 @@ ] }, "dataset_DatasetType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "dataset_DatasetType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "dataset_DatasetType" } }, - { "$ref": "#/$defs/dataset_DatasetType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/dataset_DatasetType_props" } + ] + }, + "else": { + "const": "Not a dataset_DatasetType" + } }, "dataset_DatasetType_derived": { "anyOf": [ @@ -2192,7 +2486,7 @@ "$ref": "#/$defs/prop_expandedlicensing_LicenseAddition_expandedlicensing_obsoletedBy" }, "expandedlicensing_seeAlso": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -2212,39 +2506,49 @@ ] }, "prop_expandedlicensing_LicenseAddition_expandedlicensing_additionText": { - "type": "string" + "type": "string" }, "prop_expandedlicensing_LicenseAddition_expandedlicensing_isDeprecatedAdditionId": { - "type": "boolean" + "type": "boolean" }, "prop_expandedlicensing_LicenseAddition_expandedlicensing_licenseXml": { - "type": "string" + "type": "string" }, "prop_expandedlicensing_LicenseAddition_expandedlicensing_obsoletedBy": { - "type": "string" + "type": "string" }, "prop_expandedlicensing_LicenseAddition_expandedlicensing_seeAlso": { - "$ref": "#/$defs/anyURI" + "$ref": "#/$defs/anyURI" }, "prop_expandedlicensing_LicenseAddition_expandedlicensing_standardAdditionTemplate": { - "type": "string" + "type": "string" }, "expandedlicensing_ListedLicenseException": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "expandedlicensing_ListedLicenseException" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "expandedlicensing_ListedLicenseException" + } }, - { "$ref": "#/$defs/expandedlicensing_ListedLicenseException_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/expandedlicensing_ListedLicenseException_props" } + ] + }, + "else": { + "const": "Not a expandedlicensing_ListedLicenseException" + } }, "expandedlicensing_ListedLicenseException_derived": { "anyOf": [ @@ -2275,26 +2579,36 @@ ] }, "prop_expandedlicensing_ListedLicenseException_expandedlicensing_deprecatedVersion": { - "type": "string" + "type": "string" }, "prop_expandedlicensing_ListedLicenseException_expandedlicensing_listVersionAdded": { - "type": "string" + "type": "string" }, "extension_CdxPropertyEntry": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "extension_CdxPropertyEntry" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "extension_CdxPropertyEntry" } }, - { "$ref": "#/$defs/extension_CdxPropertyEntry_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/extension_CdxPropertyEntry_props" } + ] + }, + "else": { + "const": "Not a extension_CdxPropertyEntry" + } }, "extension_CdxPropertyEntry_derived": { "anyOf": [ @@ -2328,28 +2642,40 @@ ] }, "prop_extension_CdxPropertyEntry_extension_cdxPropName": { - "type": "string" + "type": "string" }, "prop_extension_CdxPropertyEntry_extension_cdxPropValue": { - "type": "string" + "type": "string" }, "extension_Extension": { - "allOf": [ - { - "type": "object", - "unevaluatedProperties": true, - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "allOf": [ - { "$ref": "#/$defs/IRI" }, - { "not": { "const": "extension_Extension" } } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "allOf": [ + { "$ref": "#/$defs/IRI" }, + { "not": { "const": "extension_Extension" } } + ] } }, - { "$ref": "#/$defs/extension_Extension_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "unevaluatedProperties": true, + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/extension_Extension_props" } + ] + }, + "else": { + "const": "Not a extension_Extension" + } }, "extension_Extension_derived": { "anyOf": [ @@ -2374,20 +2700,30 @@ ] }, "security_CvssSeverityType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "security_CvssSeverityType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "security_CvssSeverityType" } }, - { "$ref": "#/$defs/security_CvssSeverityType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/security_CvssSeverityType_props" } + ] + }, + "else": { + "const": "Not a security_CvssSeverityType" + } }, "security_CvssSeverityType_derived": { "anyOf": [ @@ -2417,20 +2753,30 @@ ] }, "security_ExploitCatalogType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "security_ExploitCatalogType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "security_ExploitCatalogType" } }, - { "$ref": "#/$defs/security_ExploitCatalogType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/security_ExploitCatalogType_props" } + ] + }, + "else": { + "const": "Not a security_ExploitCatalogType" + } }, "security_ExploitCatalogType_derived": { "anyOf": [ @@ -2457,20 +2803,30 @@ ] }, "security_SsvcDecisionType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "security_SsvcDecisionType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "security_SsvcDecisionType" } }, - { "$ref": "#/$defs/security_SsvcDecisionType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/security_SsvcDecisionType_props" } + ] + }, + "else": { + "const": "Not a security_SsvcDecisionType" + } }, "security_SsvcDecisionType_derived": { "anyOf": [ @@ -2499,20 +2855,30 @@ ] }, "security_VexJustificationType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "security_VexJustificationType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "security_VexJustificationType" } }, - { "$ref": "#/$defs/security_VexJustificationType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/security_VexJustificationType_props" } + ] + }, + "else": { + "const": "Not a security_VexJustificationType" + } }, "security_VexJustificationType_derived": { "anyOf": [ @@ -2588,43 +2954,43 @@ ] }, "prop_security_VulnAssessmentRelationship_suppliedBy": { - "$ref": "#/$defs/Agent_derived" + "$ref": "#/$defs/Agent_derived" }, "prop_security_VulnAssessmentRelationship_security_assessedElement": { - "$ref": "#/$defs/software_SoftwareArtifact_derived" + "$ref": "#/$defs/software_SoftwareArtifact_derived" }, "prop_security_VulnAssessmentRelationship_security_modifiedTime": { - "type": "string", - "allOf": [ - { - "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" - }, - { - "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" - } - ] + "type": "string", + "allOf": [ + { + "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" + }, + { + "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" + } + ] }, "prop_security_VulnAssessmentRelationship_security_publishedTime": { - "type": "string", - "allOf": [ - { - "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" - }, - { - "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" - } - ] + "type": "string", + "allOf": [ + { + "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" + }, + { + "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" + } + ] }, "prop_security_VulnAssessmentRelationship_security_withdrawnTime": { - "type": "string", - "allOf": [ - { - "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" - }, - { - "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" - } - ] + "type": "string", + "allOf": [ + { + "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" + }, + { + "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" + } + ] }, "simplelicensing_AnyLicenseInfo_derived": { "anyOf": [ @@ -2658,21 +3024,31 @@ ] }, "simplelicensing_LicenseExpression": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "simplelicensing_LicenseExpression" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "simplelicensing_LicenseExpression" + } }, - { "$ref": "#/$defs/simplelicensing_LicenseExpression_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/simplelicensing_LicenseExpression_props" } + ] + }, + "else": { + "const": "Not a simplelicensing_LicenseExpression" + } }, "simplelicensing_LicenseExpression_derived": { "anyOf": [ @@ -2693,7 +3069,7 @@ "type": "object", "properties": { "simplelicensing_customIdToUri": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -2716,31 +3092,41 @@ ] }, "prop_simplelicensing_LicenseExpression_simplelicensing_customIdToUri": { - "$ref": "#/$defs/DictionaryEntry_derived" + "$ref": "#/$defs/DictionaryEntry_derived" }, "prop_simplelicensing_LicenseExpression_simplelicensing_licenseExpression": { - "type": "string" + "type": "string" }, "prop_simplelicensing_LicenseExpression_simplelicensing_licenseListVersion": { - "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", - "type": "string" + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$", + "type": "string" }, "simplelicensing_SimpleLicensingText": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "simplelicensing_SimpleLicensingText" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "simplelicensing_SimpleLicensingText" + } }, - { "$ref": "#/$defs/simplelicensing_SimpleLicensingText_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/simplelicensing_SimpleLicensingText_props" } + ] + }, + "else": { + "const": "Not a simplelicensing_SimpleLicensingText" + } }, "simplelicensing_SimpleLicensingText_derived": { "anyOf": [ @@ -2771,23 +3157,33 @@ ] }, "prop_simplelicensing_SimpleLicensingText_simplelicensing_licenseText": { - "type": "string" + "type": "string" }, "software_ContentIdentifier": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "software_ContentIdentifier" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "software_ContentIdentifier" } }, - { "$ref": "#/$defs/software_ContentIdentifier_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/software_ContentIdentifier_props" } + ] + }, + "else": { + "const": "Not a software_ContentIdentifier" + } }, "software_ContentIdentifier_derived": { "anyOf": [ @@ -2822,29 +3218,39 @@ ] }, "prop_software_ContentIdentifier_software_contentIdentifierType": { - "enum": [ - "gitoid", - "swhid" - ] + "enum": [ + "gitoid", + "swhid" + ] }, "prop_software_ContentIdentifier_software_contentIdentifierValue": { - "$ref": "#/$defs/anyURI" + "$ref": "#/$defs/anyURI" }, "software_ContentIdentifierType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "software_ContentIdentifierType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "software_ContentIdentifierType" } }, - { "$ref": "#/$defs/software_ContentIdentifierType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/software_ContentIdentifierType_props" } + ] + }, + "else": { + "const": "Not a software_ContentIdentifierType" + } }, "software_ContentIdentifierType_derived": { "anyOf": [ @@ -2871,20 +3277,30 @@ ] }, "software_FileKindType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "software_FileKindType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "software_FileKindType" } }, - { "$ref": "#/$defs/software_FileKindType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/software_FileKindType_props" } + ] + }, + "else": { + "const": "Not a software_FileKindType" + } }, "software_FileKindType_derived": { "anyOf": [ @@ -2911,20 +3327,30 @@ ] }, "software_SbomType": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "software_SbomType" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "software_SbomType" } }, - { "$ref": "#/$defs/software_SbomType_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/software_SbomType_props" } + ] + }, + "else": { + "const": "Not a software_SbomType" + } }, "software_SbomType_derived": { "anyOf": [ @@ -2955,20 +3381,30 @@ ] }, "software_SoftwarePurpose": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "software_SoftwarePurpose" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "software_SoftwarePurpose" } }, - { "$ref": "#/$defs/software_SoftwarePurpose_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/software_SoftwarePurpose_props" } + ] + }, + "else": { + "const": "Not a software_SoftwarePurpose" + } }, "software_SoftwarePurpose_derived": { "anyOf": [ @@ -3022,21 +3458,31 @@ ] }, "build_Build": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "build_Build" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "build_Build" + } }, - { "$ref": "#/$defs/build_Build_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/build_Build_props" } + ] + }, + "else": { + "const": "Not a build_Build" + } }, "build_Build_derived": { "anyOf": [ @@ -3069,7 +3515,7 @@ "$ref": "#/$defs/prop_build_Build_build_buildType" }, "build_configSourceDigest": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -3079,7 +3525,7 @@ ] }, "build_configSourceEntrypoint": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -3089,7 +3535,7 @@ ] }, "build_configSourceUri": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -3099,7 +3545,7 @@ ] }, "build_environment": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -3109,7 +3555,7 @@ ] }, "build_parameter": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -3126,64 +3572,74 @@ ] }, "prop_build_Build_build_buildEndTime": { - "type": "string", - "allOf": [ - { - "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" - }, - { - "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" - } - ] + "type": "string", + "allOf": [ + { + "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" + }, + { + "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" + } + ] }, "prop_build_Build_build_buildId": { - "type": "string" + "type": "string" }, "prop_build_Build_build_buildStartTime": { - "type": "string", - "allOf": [ - { - "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" - }, - { - "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" - } - ] + "type": "string", + "allOf": [ + { + "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" + }, + { + "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" + } + ] }, "prop_build_Build_build_buildType": { - "$ref": "#/$defs/anyURI" + "$ref": "#/$defs/anyURI" }, "prop_build_Build_build_configSourceDigest": { - "$ref": "#/$defs/Hash_derived" + "$ref": "#/$defs/Hash_derived" }, "prop_build_Build_build_configSourceEntrypoint": { - "type": "string" + "type": "string" }, "prop_build_Build_build_configSourceUri": { - "$ref": "#/$defs/anyURI" + "$ref": "#/$defs/anyURI" }, "prop_build_Build_build_environment": { - "$ref": "#/$defs/DictionaryEntry_derived" + "$ref": "#/$defs/DictionaryEntry_derived" }, "prop_build_Build_build_parameter": { - "$ref": "#/$defs/DictionaryEntry_derived" + "$ref": "#/$defs/DictionaryEntry_derived" }, "Agent": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "Agent" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "Agent" + } }, - { "$ref": "#/$defs/Agent_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/Agent_props" } + ] + }, + "else": { + "const": "Not a Agent" + } }, "Agent_derived": { "anyOf": [ @@ -3212,21 +3668,31 @@ ] }, "Annotation": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "Annotation" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "Annotation" + } }, - { "$ref": "#/$defs/Annotation_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/Annotation_props" } + ] + }, + "else": { + "const": "Not a Annotation" + } }, "Annotation_derived": { "anyOf": [ @@ -3267,20 +3733,20 @@ ] }, "prop_Annotation_annotationType": { - "enum": [ - "other", - "review" - ] + "enum": [ + "other", + "review" + ] }, "prop_Annotation_contentType": { - "pattern": "^[^\\/]+\\/[^\\/]+$", - "type": "string" + "pattern": "^[^\\/]+\\/[^\\/]+$", + "type": "string" }, "prop_Annotation_statement": { - "type": "string" + "type": "string" }, "prop_Annotation_subject": { - "$ref": "#/$defs/Element_derived" + "$ref": "#/$defs/Element_derived" }, "Artifact_derived": { "anyOf": [ @@ -3309,7 +3775,7 @@ "$ref": "#/$defs/prop_Artifact_builtTime" }, "originatedBy": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -3322,7 +3788,7 @@ "$ref": "#/$defs/prop_Artifact_releaseTime" }, "standardName": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -3335,7 +3801,7 @@ "$ref": "#/$defs/prop_Artifact_suppliedBy" }, "supportLevel": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -3352,75 +3818,85 @@ ] }, "prop_Artifact_builtTime": { - "type": "string", - "allOf": [ - { - "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" - }, - { - "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" - } - ] + "type": "string", + "allOf": [ + { + "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" + }, + { + "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" + } + ] }, "prop_Artifact_originatedBy": { - "$ref": "#/$defs/Agent_derived" + "$ref": "#/$defs/Agent_derived" }, "prop_Artifact_releaseTime": { - "type": "string", - "allOf": [ - { - "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" - }, - { - "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" - } - ] + "type": "string", + "allOf": [ + { + "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" + }, + { + "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" + } + ] }, "prop_Artifact_standardName": { - "type": "string" + "type": "string" }, "prop_Artifact_suppliedBy": { - "$ref": "#/$defs/Agent_derived" + "$ref": "#/$defs/Agent_derived" }, "prop_Artifact_supportLevel": { - "enum": [ - "deployed", - "development", - "endOfSupport", - "limitedSupport", - "noAssertion", - "noSupport", - "support" - ] + "enum": [ + "deployed", + "development", + "endOfSupport", + "limitedSupport", + "noAssertion", + "noSupport", + "support" + ] }, "prop_Artifact_validUntilTime": { - "type": "string", - "allOf": [ - { - "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" - }, - { - "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" - } - ] - }, - "Bundle": { + "type": "string", "allOf": [ { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "Bundle" } - ] - } - }, - "required": ["spdxId"] + "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" }, - { "$ref": "#/$defs/Bundle_props" } + { + "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" + } ] }, + "Bundle": { + "if": { + "type": "object", + "properties": { + "type": { + "const": "Bundle" + } + }, + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/Bundle_props" } + ] + }, + "else": { + "const": "Not a Bundle" + } + }, "Bundle_derived": { "anyOf": [ { @@ -3449,23 +3925,33 @@ ] }, "prop_Bundle_context": { - "type": "string" + "type": "string" }, "Hash": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "Hash" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "Hash" } }, - { "$ref": "#/$defs/Hash_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/Hash_props" } + ] + }, + "else": { + "const": "Not a Hash" + } }, "Hash_derived": { "anyOf": [ @@ -3500,50 +3986,60 @@ ] }, "prop_Hash_algorithm": { - "enum": [ - "adler32", - "blake2b256", - "blake2b384", - "blake2b512", - "blake3", - "crystalsDilithium", - "crystalsKyber", - "falcon", - "md2", - "md4", - "md5", - "md6", - "other", - "sha1", - "sha224", - "sha256", - "sha384", - "sha3_224", - "sha3_256", - "sha3_384", - "sha3_512", - "sha512" - ] + "enum": [ + "adler32", + "blake2b256", + "blake2b384", + "blake2b512", + "blake3", + "crystalsDilithium", + "crystalsKyber", + "falcon", + "md2", + "md4", + "md5", + "md6", + "other", + "sha1", + "sha224", + "sha256", + "sha384", + "sha3_224", + "sha3_256", + "sha3_384", + "sha3_512", + "sha512" + ] }, "prop_Hash_hashValue": { - "type": "string" + "type": "string" }, "LifecycleScopedRelationship": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "LifecycleScopedRelationship" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "LifecycleScopedRelationship" + } }, - { "$ref": "#/$defs/LifecycleScopedRelationship_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/LifecycleScopedRelationship_props" } + ] + }, + "else": { + "const": "Not a LifecycleScopedRelationship" + } }, "LifecycleScopedRelationship_derived": { "anyOf": [ @@ -3571,31 +4067,41 @@ ] }, "prop_LifecycleScopedRelationship_scope": { - "enum": [ - "build", - "design", - "development", - "other", - "runtime", - "test" - ] + "enum": [ + "build", + "design", + "development", + "other", + "runtime", + "test" + ] }, "Organization": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "Organization" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "Organization" + } }, - { "$ref": "#/$defs/Organization_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/Organization_props" } + ] + }, + "else": { + "const": "Not a Organization" + } }, "Organization_derived": { "anyOf": [ @@ -3621,21 +4127,31 @@ ] }, "Person": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "Person" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "Person" + } }, - { "$ref": "#/$defs/Person_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/Person_props" } + ] + }, + "else": { + "const": "Not a Person" + } }, "Person_derived": { "anyOf": [ @@ -3660,21 +4176,31 @@ ] }, "SoftwareAgent": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "SoftwareAgent" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "SoftwareAgent" + } }, - { "$ref": "#/$defs/SoftwareAgent_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/SoftwareAgent_props" } + ] + }, + "else": { + "const": "Not a SoftwareAgent" + } }, "SoftwareAgent_derived": { "anyOf": [ @@ -3699,21 +4225,31 @@ ] }, "expandedlicensing_ConjunctiveLicenseSet": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "expandedlicensing_ConjunctiveLicenseSet" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "expandedlicensing_ConjunctiveLicenseSet" + } }, - { "$ref": "#/$defs/expandedlicensing_ConjunctiveLicenseSet_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/expandedlicensing_ConjunctiveLicenseSet_props" } + ] + }, + "else": { + "const": "Not a expandedlicensing_ConjunctiveLicenseSet" + } }, "expandedlicensing_ConjunctiveLicenseSet_derived": { "anyOf": [ @@ -3734,7 +4270,7 @@ "type": "object", "properties": { "expandedlicensing_member": { - "oneOf": [ + "anyOf": [ { "type": "array", "minItems": 2, @@ -3752,24 +4288,34 @@ ] }, "prop_expandedlicensing_ConjunctiveLicenseSet_expandedlicensing_member": { - "$ref": "#/$defs/simplelicensing_AnyLicenseInfo_derived" + "$ref": "#/$defs/simplelicensing_AnyLicenseInfo_derived" }, "expandedlicensing_CustomLicenseAddition": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "expandedlicensing_CustomLicenseAddition" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "expandedlicensing_CustomLicenseAddition" + } }, - { "$ref": "#/$defs/expandedlicensing_CustomLicenseAddition_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/expandedlicensing_CustomLicenseAddition_props" } + ] + }, + "else": { + "const": "Not a expandedlicensing_CustomLicenseAddition" + } }, "expandedlicensing_CustomLicenseAddition_derived": { "anyOf": [ @@ -3794,21 +4340,31 @@ ] }, "expandedlicensing_DisjunctiveLicenseSet": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "expandedlicensing_DisjunctiveLicenseSet" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "expandedlicensing_DisjunctiveLicenseSet" + } }, - { "$ref": "#/$defs/expandedlicensing_DisjunctiveLicenseSet_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/expandedlicensing_DisjunctiveLicenseSet_props" } + ] + }, + "else": { + "const": "Not a expandedlicensing_DisjunctiveLicenseSet" + } }, "expandedlicensing_DisjunctiveLicenseSet_derived": { "anyOf": [ @@ -3829,7 +4385,7 @@ "type": "object", "properties": { "expandedlicensing_member": { - "oneOf": [ + "anyOf": [ { "type": "array", "minItems": 2, @@ -3847,7 +4403,7 @@ ] }, "prop_expandedlicensing_DisjunctiveLicenseSet_expandedlicensing_member": { - "$ref": "#/$defs/simplelicensing_AnyLicenseInfo_derived" + "$ref": "#/$defs/simplelicensing_AnyLicenseInfo_derived" }, "expandedlicensing_ExtendableLicense_derived": { "anyOf": [ @@ -3874,21 +4430,31 @@ ] }, "expandedlicensing_IndividualLicensingInfo": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "expandedlicensing_IndividualLicensingInfo" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "expandedlicensing_IndividualLicensingInfo" + } }, - { "$ref": "#/$defs/expandedlicensing_IndividualLicensingInfo_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/expandedlicensing_IndividualLicensingInfo_props" } + ] + }, + "else": { + "const": "Not a expandedlicensing_IndividualLicensingInfo" + } }, "expandedlicensing_IndividualLicensingInfo_derived": { "anyOf": [ @@ -3949,7 +4515,7 @@ "$ref": "#/$defs/prop_expandedlicensing_License_expandedlicensing_obsoletedBy" }, "expandedlicensing_seeAlso": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -3975,48 +4541,58 @@ ] }, "prop_expandedlicensing_License_expandedlicensing_isDeprecatedLicenseId": { - "type": "boolean" + "type": "boolean" }, "prop_expandedlicensing_License_expandedlicensing_isFsfLibre": { - "type": "boolean" + "type": "boolean" }, "prop_expandedlicensing_License_expandedlicensing_isOsiApproved": { - "type": "boolean" + "type": "boolean" }, "prop_expandedlicensing_License_expandedlicensing_licenseXml": { - "type": "string" + "type": "string" }, "prop_expandedlicensing_License_expandedlicensing_obsoletedBy": { - "type": "string" + "type": "string" }, "prop_expandedlicensing_License_expandedlicensing_seeAlso": { - "$ref": "#/$defs/anyURI" + "$ref": "#/$defs/anyURI" }, "prop_expandedlicensing_License_expandedlicensing_standardLicenseHeader": { - "type": "string" + "type": "string" }, "prop_expandedlicensing_License_expandedlicensing_standardLicenseTemplate": { - "type": "string" + "type": "string" }, "prop_expandedlicensing_License_simplelicensing_licenseText": { - "type": "string" + "type": "string" }, "expandedlicensing_ListedLicense": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "expandedlicensing_ListedLicense" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "expandedlicensing_ListedLicense" + } }, - { "$ref": "#/$defs/expandedlicensing_ListedLicense_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/expandedlicensing_ListedLicense_props" } + ] + }, + "else": { + "const": "Not a expandedlicensing_ListedLicense" + } }, "expandedlicensing_ListedLicense_derived": { "anyOf": [ @@ -4047,27 +4623,37 @@ ] }, "prop_expandedlicensing_ListedLicense_expandedlicensing_deprecatedVersion": { - "type": "string" + "type": "string" }, "prop_expandedlicensing_ListedLicense_expandedlicensing_listVersionAdded": { - "type": "string" + "type": "string" }, "expandedlicensing_OrLaterOperator": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "expandedlicensing_OrLaterOperator" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "expandedlicensing_OrLaterOperator" + } }, - { "$ref": "#/$defs/expandedlicensing_OrLaterOperator_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/expandedlicensing_OrLaterOperator_props" } + ] + }, + "else": { + "const": "Not a expandedlicensing_OrLaterOperator" + } }, "expandedlicensing_OrLaterOperator_derived": { "anyOf": [ @@ -4098,24 +4684,34 @@ ] }, "prop_expandedlicensing_OrLaterOperator_expandedlicensing_subjectLicense": { - "$ref": "#/$defs/expandedlicensing_License_derived" + "$ref": "#/$defs/expandedlicensing_License_derived" }, "expandedlicensing_WithAdditionOperator": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "expandedlicensing_WithAdditionOperator" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "expandedlicensing_WithAdditionOperator" + } }, - { "$ref": "#/$defs/expandedlicensing_WithAdditionOperator_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/expandedlicensing_WithAdditionOperator_props" } + ] + }, + "else": { + "const": "Not a expandedlicensing_WithAdditionOperator" + } }, "expandedlicensing_WithAdditionOperator_derived": { "anyOf": [ @@ -4150,26 +4746,36 @@ ] }, "prop_expandedlicensing_WithAdditionOperator_expandedlicensing_subjectAddition": { - "$ref": "#/$defs/expandedlicensing_LicenseAddition_derived" + "$ref": "#/$defs/expandedlicensing_LicenseAddition_derived" }, "prop_expandedlicensing_WithAdditionOperator_expandedlicensing_subjectExtendableLicense": { - "$ref": "#/$defs/expandedlicensing_ExtendableLicense_derived" + "$ref": "#/$defs/expandedlicensing_ExtendableLicense_derived" }, "extension_CdxPropertiesExtension": { - "allOf": [ - { - "type": "object", - "properties": { - "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, - "type": { - "oneOf": [ - { "const": "extension_CdxPropertiesExtension" } - ] - } + "if": { + "type": "object", + "properties": { + "type": { + "const": "extension_CdxPropertiesExtension" } }, - { "$ref": "#/$defs/extension_CdxPropertiesExtension_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "@id": { "$ref": "#/$defs/BlankNodeOrIRI" }, + "type": { "type": "string" } + } + }, + { "$ref": "#/$defs/extension_CdxPropertiesExtension_props" } + ] + }, + "else": { + "const": "Not a extension_CdxPropertiesExtension" + } }, "extension_CdxPropertiesExtension_derived": { "anyOf": [ @@ -4190,7 +4796,7 @@ "type": "object", "properties": { "extension_cdxProperty": { - "oneOf": [ + "anyOf": [ { "type": "array", "minItems": 1, @@ -4208,24 +4814,34 @@ ] }, "prop_extension_CdxPropertiesExtension_extension_cdxProperty": { - "$ref": "#/$defs/extension_CdxPropertyEntry_derived" + "$ref": "#/$defs/extension_CdxPropertyEntry_derived" }, "security_CvssV2VulnAssessmentRelationship": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "security_CvssV2VulnAssessmentRelationship" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "security_CvssV2VulnAssessmentRelationship" + } }, - { "$ref": "#/$defs/security_CvssV2VulnAssessmentRelationship_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/security_CvssV2VulnAssessmentRelationship_props" } + ] + }, + "else": { + "const": "Not a security_CvssV2VulnAssessmentRelationship" + } }, "security_CvssV2VulnAssessmentRelationship_derived": { "anyOf": [ @@ -4260,35 +4876,45 @@ ] }, "prop_security_CvssV2VulnAssessmentRelationship_security_score": { - "oneOf": [ - { - "type": "number" - }, - { - "type": "string", - "pattern": "^-?[0-9]+(\\.[0-9]*)?$" - } - ] + "anyOf": [ + { + "type": "number" + }, + { + "type": "string", + "pattern": "^-?[0-9]+(\\.[0-9]*)?$" + } + ] }, "prop_security_CvssV2VulnAssessmentRelationship_security_vectorString": { - "type": "string" + "type": "string" }, "security_CvssV3VulnAssessmentRelationship": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "security_CvssV3VulnAssessmentRelationship" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "security_CvssV3VulnAssessmentRelationship" + } }, - { "$ref": "#/$defs/security_CvssV3VulnAssessmentRelationship_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/security_CvssV3VulnAssessmentRelationship_props" } + ] + }, + "else": { + "const": "Not a security_CvssV3VulnAssessmentRelationship" + } }, "security_CvssV3VulnAssessmentRelationship_derived": { "anyOf": [ @@ -4327,44 +4953,54 @@ ] }, "prop_security_CvssV3VulnAssessmentRelationship_security_score": { - "oneOf": [ - { - "type": "number" - }, - { - "type": "string", - "pattern": "^-?[0-9]+(\\.[0-9]*)?$" - } - ] + "anyOf": [ + { + "type": "number" + }, + { + "type": "string", + "pattern": "^-?[0-9]+(\\.[0-9]*)?$" + } + ] }, "prop_security_CvssV3VulnAssessmentRelationship_security_severity": { - "enum": [ - "critical", - "high", - "low", - "medium", - "none" - ] + "enum": [ + "critical", + "high", + "low", + "medium", + "none" + ] }, "prop_security_CvssV3VulnAssessmentRelationship_security_vectorString": { - "type": "string" + "type": "string" }, "security_CvssV4VulnAssessmentRelationship": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "security_CvssV4VulnAssessmentRelationship" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "security_CvssV4VulnAssessmentRelationship" + } }, - { "$ref": "#/$defs/security_CvssV4VulnAssessmentRelationship_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/security_CvssV4VulnAssessmentRelationship_props" } + ] + }, + "else": { + "const": "Not a security_CvssV4VulnAssessmentRelationship" + } }, "security_CvssV4VulnAssessmentRelationship_derived": { "anyOf": [ @@ -4403,44 +5039,54 @@ ] }, "prop_security_CvssV4VulnAssessmentRelationship_security_score": { - "oneOf": [ - { - "type": "number" - }, - { - "type": "string", - "pattern": "^-?[0-9]+(\\.[0-9]*)?$" - } - ] + "anyOf": [ + { + "type": "number" + }, + { + "type": "string", + "pattern": "^-?[0-9]+(\\.[0-9]*)?$" + } + ] }, "prop_security_CvssV4VulnAssessmentRelationship_security_severity": { - "enum": [ - "critical", - "high", - "low", - "medium", - "none" - ] + "enum": [ + "critical", + "high", + "low", + "medium", + "none" + ] }, "prop_security_CvssV4VulnAssessmentRelationship_security_vectorString": { - "type": "string" + "type": "string" }, "security_EpssVulnAssessmentRelationship": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "security_EpssVulnAssessmentRelationship" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "security_EpssVulnAssessmentRelationship" + } }, - { "$ref": "#/$defs/security_EpssVulnAssessmentRelationship_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/security_EpssVulnAssessmentRelationship_props" } + ] + }, + "else": { + "const": "Not a security_EpssVulnAssessmentRelationship" + } }, "security_EpssVulnAssessmentRelationship_derived": { "anyOf": [ @@ -4475,44 +5121,54 @@ ] }, "prop_security_EpssVulnAssessmentRelationship_security_percentile": { - "oneOf": [ - { - "type": "number" - }, - { - "type": "string", - "pattern": "^-?[0-9]+(\\.[0-9]*)?$" - } - ] + "anyOf": [ + { + "type": "number" + }, + { + "type": "string", + "pattern": "^-?[0-9]+(\\.[0-9]*)?$" + } + ] }, "prop_security_EpssVulnAssessmentRelationship_security_probability": { - "oneOf": [ - { - "type": "number" - }, - { - "type": "string", - "pattern": "^-?[0-9]+(\\.[0-9]*)?$" - } - ] - }, - "security_ExploitCatalogVulnAssessmentRelationship": { - "allOf": [ + "anyOf": [ { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "security_ExploitCatalogVulnAssessmentRelationship" } - ] - } - }, - "required": ["spdxId"] + "type": "number" }, - { "$ref": "#/$defs/security_ExploitCatalogVulnAssessmentRelationship_props" } + { + "type": "string", + "pattern": "^-?[0-9]+(\\.[0-9]*)?$" + } ] }, + "security_ExploitCatalogVulnAssessmentRelationship": { + "if": { + "type": "object", + "properties": { + "type": { + "const": "security_ExploitCatalogVulnAssessmentRelationship" + } + }, + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/security_ExploitCatalogVulnAssessmentRelationship_props" } + ] + }, + "else": { + "const": "Not a security_ExploitCatalogVulnAssessmentRelationship" + } + }, "security_ExploitCatalogVulnAssessmentRelationship_derived": { "anyOf": [ { @@ -4550,33 +5206,43 @@ ] }, "prop_security_ExploitCatalogVulnAssessmentRelationship_security_catalogType": { - "enum": [ - "kev", - "other" - ] + "enum": [ + "kev", + "other" + ] }, "prop_security_ExploitCatalogVulnAssessmentRelationship_security_exploited": { - "type": "boolean" + "type": "boolean" }, "prop_security_ExploitCatalogVulnAssessmentRelationship_security_locator": { - "$ref": "#/$defs/anyURI" + "$ref": "#/$defs/anyURI" }, "security_SsvcVulnAssessmentRelationship": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "security_SsvcVulnAssessmentRelationship" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "security_SsvcVulnAssessmentRelationship" + } }, - { "$ref": "#/$defs/security_SsvcVulnAssessmentRelationship_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/security_SsvcVulnAssessmentRelationship_props" } + ] + }, + "else": { + "const": "Not a security_SsvcVulnAssessmentRelationship" + } }, "security_SsvcVulnAssessmentRelationship_derived": { "anyOf": [ @@ -4607,12 +5273,12 @@ ] }, "prop_security_SsvcVulnAssessmentRelationship_security_decisionType": { - "enum": [ - "act", - "attend", - "track", - "trackStar" - ] + "enum": [ + "act", + "attend", + "track", + "trackStar" + ] }, "security_VexVulnAssessmentRelationship_derived": { "anyOf": [ @@ -4646,27 +5312,37 @@ ] }, "prop_security_VexVulnAssessmentRelationship_security_statusNotes": { - "type": "string" + "type": "string" }, "prop_security_VexVulnAssessmentRelationship_security_vexVersion": { - "type": "string" + "type": "string" }, "security_Vulnerability": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "security_Vulnerability" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "security_Vulnerability" + } }, - { "$ref": "#/$defs/security_Vulnerability_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/security_Vulnerability_props" } + ] + }, + "else": { + "const": "Not a security_Vulnerability" + } }, "security_Vulnerability_derived": { "anyOf": [ @@ -4700,37 +5376,37 @@ ] }, "prop_security_Vulnerability_security_modifiedTime": { - "type": "string", - "allOf": [ - { - "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" - }, - { - "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" - } - ] + "type": "string", + "allOf": [ + { + "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" + }, + { + "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" + } + ] }, "prop_security_Vulnerability_security_publishedTime": { - "type": "string", - "allOf": [ - { - "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" - }, - { - "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" - } - ] + "type": "string", + "allOf": [ + { + "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" + }, + { + "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" + } + ] }, "prop_security_Vulnerability_security_withdrawnTime": { - "type": "string", - "allOf": [ - { - "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" - }, - { - "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" - } - ] + "type": "string", + "allOf": [ + { + "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" + }, + { + "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" + } + ] }, "software_SoftwareArtifact_derived": { "anyOf": [ @@ -4755,7 +5431,7 @@ "type": "object", "properties": { "software_additionalPurpose": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -4765,7 +5441,7 @@ ] }, "software_attributionText": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -4775,7 +5451,7 @@ ] }, "software_contentIdentifier": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -4795,96 +5471,106 @@ ] }, "prop_software_SoftwareArtifact_software_additionalPurpose": { - "enum": [ - "application", - "archive", - "bom", - "configuration", - "container", - "data", - "device", - "deviceDriver", - "diskImage", - "documentation", - "evidence", - "executable", - "file", - "filesystemImage", - "firmware", - "framework", - "install", - "library", - "manifest", - "model", - "module", - "operatingSystem", - "other", - "patch", - "platform", - "requirement", - "source", - "specification", - "test" - ] + "enum": [ + "application", + "archive", + "bom", + "configuration", + "container", + "data", + "device", + "deviceDriver", + "diskImage", + "documentation", + "evidence", + "executable", + "file", + "filesystemImage", + "firmware", + "framework", + "install", + "library", + "manifest", + "model", + "module", + "operatingSystem", + "other", + "patch", + "platform", + "requirement", + "source", + "specification", + "test" + ] }, "prop_software_SoftwareArtifact_software_attributionText": { - "type": "string" + "type": "string" }, "prop_software_SoftwareArtifact_software_contentIdentifier": { - "$ref": "#/$defs/software_ContentIdentifier_derived" + "$ref": "#/$defs/software_ContentIdentifier_derived" }, "prop_software_SoftwareArtifact_software_copyrightText": { - "type": "string" + "type": "string" }, "prop_software_SoftwareArtifact_software_primaryPurpose": { - "enum": [ - "application", - "archive", - "bom", - "configuration", - "container", - "data", - "device", - "deviceDriver", - "diskImage", - "documentation", - "evidence", - "executable", - "file", - "filesystemImage", - "firmware", - "framework", - "install", - "library", - "manifest", - "model", - "module", - "operatingSystem", - "other", - "patch", - "platform", - "requirement", - "source", - "specification", - "test" - ] + "enum": [ + "application", + "archive", + "bom", + "configuration", + "container", + "data", + "device", + "deviceDriver", + "diskImage", + "documentation", + "evidence", + "executable", + "file", + "filesystemImage", + "firmware", + "framework", + "install", + "library", + "manifest", + "model", + "module", + "operatingSystem", + "other", + "patch", + "platform", + "requirement", + "source", + "specification", + "test" + ] }, "Bom": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "Bom" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "Bom" + } }, - { "$ref": "#/$defs/Bom_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/Bom_props" } + ] + }, + "else": { + "const": "Not a Bom" + } }, "Bom_derived": { "anyOf": [ @@ -4910,21 +5596,31 @@ ] }, "expandedlicensing_CustomLicense": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "expandedlicensing_CustomLicense" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "expandedlicensing_CustomLicense" + } }, - { "$ref": "#/$defs/expandedlicensing_CustomLicense_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/expandedlicensing_CustomLicense_props" } + ] + }, + "else": { + "const": "Not a expandedlicensing_CustomLicense" + } }, "expandedlicensing_CustomLicense_derived": { "anyOf": [ @@ -4949,21 +5645,31 @@ ] }, "security_VexAffectedVulnAssessmentRelationship": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "security_VexAffectedVulnAssessmentRelationship" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "security_VexAffectedVulnAssessmentRelationship" + } }, - { "$ref": "#/$defs/security_VexAffectedVulnAssessmentRelationship_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/security_VexAffectedVulnAssessmentRelationship_props" } + ] + }, + "else": { + "const": "Not a security_VexAffectedVulnAssessmentRelationship" + } }, "security_VexAffectedVulnAssessmentRelationship_derived": { "anyOf": [ @@ -4997,36 +5703,46 @@ ] }, "prop_security_VexAffectedVulnAssessmentRelationship_security_actionStatement": { - "type": "string" + "type": "string" }, "prop_security_VexAffectedVulnAssessmentRelationship_security_actionStatementTime": { - "type": "string", - "allOf": [ - { - "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" - }, - { - "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" - } - ] - }, - "security_VexFixedVulnAssessmentRelationship": { + "type": "string", "allOf": [ { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "security_VexFixedVulnAssessmentRelationship" } - ] - } - }, - "required": ["spdxId"] + "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" }, - { "$ref": "#/$defs/security_VexFixedVulnAssessmentRelationship_props" } + { + "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" + } ] }, + "security_VexFixedVulnAssessmentRelationship": { + "if": { + "type": "object", + "properties": { + "type": { + "const": "security_VexFixedVulnAssessmentRelationship" + } + }, + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/security_VexFixedVulnAssessmentRelationship_props" } + ] + }, + "else": { + "const": "Not a security_VexFixedVulnAssessmentRelationship" + } + }, "security_VexFixedVulnAssessmentRelationship_derived": { "anyOf": [ { @@ -5050,21 +5766,31 @@ ] }, "security_VexNotAffectedVulnAssessmentRelationship": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "security_VexNotAffectedVulnAssessmentRelationship" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "security_VexNotAffectedVulnAssessmentRelationship" + } }, - { "$ref": "#/$defs/security_VexNotAffectedVulnAssessmentRelationship_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/security_VexNotAffectedVulnAssessmentRelationship_props" } + ] + }, + "else": { + "const": "Not a security_VexNotAffectedVulnAssessmentRelationship" + } }, "security_VexNotAffectedVulnAssessmentRelationship_derived": { "anyOf": [ @@ -5098,44 +5824,54 @@ ] }, "prop_security_VexNotAffectedVulnAssessmentRelationship_security_impactStatement": { - "type": "string" + "type": "string" }, "prop_security_VexNotAffectedVulnAssessmentRelationship_security_impactStatementTime": { - "type": "string", - "allOf": [ - { - "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" - }, - { - "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" - } - ] + "type": "string", + "allOf": [ + { + "pattern": "^[0-9]{4}-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-6][0-9]:[0-6][0-9](Z|[+-][0-9]{2}:[0-9]{2})$" + }, + { + "pattern": "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" + } + ] }, "prop_security_VexNotAffectedVulnAssessmentRelationship_security_justificationType": { - "enum": [ - "componentNotPresent", - "inlineMitigationsAlreadyExist", - "vulnerableCodeCannotBeControlledByAdversary", - "vulnerableCodeNotInExecutePath", - "vulnerableCodeNotPresent" - ] + "enum": [ + "componentNotPresent", + "inlineMitigationsAlreadyExist", + "vulnerableCodeCannotBeControlledByAdversary", + "vulnerableCodeNotInExecutePath", + "vulnerableCodeNotPresent" + ] }, "security_VexUnderInvestigationVulnAssessmentRelationship": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "security_VexUnderInvestigationVulnAssessmentRelationship" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "security_VexUnderInvestigationVulnAssessmentRelationship" + } }, - { "$ref": "#/$defs/security_VexUnderInvestigationVulnAssessmentRelationship_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/security_VexUnderInvestigationVulnAssessmentRelationship_props" } + ] + }, + "else": { + "const": "Not a security_VexUnderInvestigationVulnAssessmentRelationship" + } }, "security_VexUnderInvestigationVulnAssessmentRelationship_derived": { "anyOf": [ @@ -5160,21 +5896,31 @@ ] }, "software_File": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "software_File" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "software_File" + } }, - { "$ref": "#/$defs/software_File_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/software_File_props" } + ] + }, + "else": { + "const": "Not a software_File" + } }, "software_File_derived": { "anyOf": [ @@ -5205,31 +5951,41 @@ ] }, "prop_software_File_contentType": { - "pattern": "^[^\\/]+\\/[^\\/]+$", - "type": "string" + "pattern": "^[^\\/]+\\/[^\\/]+$", + "type": "string" }, "prop_software_File_software_fileKind": { - "enum": [ - "directory", - "file" - ] + "enum": [ + "directory", + "file" + ] }, "software_Package": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "software_Package" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "software_Package" + } }, - { "$ref": "#/$defs/software_Package_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/software_Package_props" } + ] + }, + "else": { + "const": "Not a software_Package" + } }, "software_Package_derived": { "anyOf": [ @@ -5271,36 +6027,46 @@ ] }, "prop_software_Package_software_downloadLocation": { - "$ref": "#/$defs/anyURI" + "$ref": "#/$defs/anyURI" }, "prop_software_Package_software_homePage": { - "$ref": "#/$defs/anyURI" + "$ref": "#/$defs/anyURI" }, "prop_software_Package_software_packageUrl": { - "$ref": "#/$defs/anyURI" + "$ref": "#/$defs/anyURI" }, "prop_software_Package_software_packageVersion": { - "type": "string" + "type": "string" }, "prop_software_Package_software_sourceInfo": { - "type": "string" + "type": "string" }, "software_Sbom": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "software_Sbom" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "software_Sbom" + } }, - { "$ref": "#/$defs/software_Sbom_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/software_Sbom_props" } + ] + }, + "else": { + "const": "Not a software_Sbom" + } }, "software_Sbom_derived": { "anyOf": [ @@ -5321,7 +6087,7 @@ "type": "object", "properties": { "software_sbomType": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -5335,31 +6101,41 @@ ] }, "prop_software_Sbom_software_sbomType": { - "enum": [ - "analyzed", - "build", - "deployed", - "design", - "runtime", - "source" - ] + "enum": [ + "analyzed", + "build", + "deployed", + "design", + "runtime", + "source" + ] }, "software_Snippet": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "software_Snippet" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "software_Snippet" + } }, - { "$ref": "#/$defs/software_Snippet_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/software_Snippet_props" } + ] + }, + "else": { + "const": "Not a software_Snippet" + } }, "software_Snippet_derived": { "anyOf": [ @@ -5396,30 +6172,40 @@ ] }, "prop_software_Snippet_software_byteRange": { - "$ref": "#/$defs/PositiveIntegerRange_derived" + "$ref": "#/$defs/PositiveIntegerRange_derived" }, "prop_software_Snippet_software_lineRange": { - "$ref": "#/$defs/PositiveIntegerRange_derived" + "$ref": "#/$defs/PositiveIntegerRange_derived" }, "prop_software_Snippet_software_snippetFromFile": { - "$ref": "#/$defs/software_File_derived" + "$ref": "#/$defs/software_File_derived" }, "ai_AIPackage": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "ai_AIPackage" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "ai_AIPackage" + } }, - { "$ref": "#/$defs/ai_AIPackage_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/ai_AIPackage_props" } + ] + }, + "else": { + "const": "Not a ai_AIPackage" + } }, "ai_AIPackage_derived": { "anyOf": [ @@ -5443,7 +6229,7 @@ "$ref": "#/$defs/prop_ai_AIPackage_ai_autonomyType" }, "ai_domain": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -5456,7 +6242,7 @@ "$ref": "#/$defs/prop_ai_AIPackage_ai_energyConsumption" }, "ai_hyperparameter": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -5475,7 +6261,7 @@ "$ref": "#/$defs/prop_ai_AIPackage_ai_limitation" }, "ai_metric": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -5485,7 +6271,7 @@ ] }, "ai_metricDecisionThreshold": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -5495,7 +6281,7 @@ ] }, "ai_modelDataPreprocessing": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -5505,7 +6291,7 @@ ] }, "ai_modelExplainability": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -5518,7 +6304,7 @@ "$ref": "#/$defs/prop_ai_AIPackage_ai_safetyRiskAssessment" }, "ai_standardCompliance": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -5528,7 +6314,7 @@ ] }, "ai_typeOfModel": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -5545,79 +6331,89 @@ ] }, "prop_ai_AIPackage_ai_autonomyType": { - "enum": [ - "no", - "noAssertion", - "yes" - ] + "enum": [ + "no", + "noAssertion", + "yes" + ] }, "prop_ai_AIPackage_ai_domain": { - "type": "string" + "type": "string" }, "prop_ai_AIPackage_ai_energyConsumption": { - "$ref": "#/$defs/ai_EnergyConsumption_derived" + "$ref": "#/$defs/ai_EnergyConsumption_derived" }, "prop_ai_AIPackage_ai_hyperparameter": { - "$ref": "#/$defs/DictionaryEntry_derived" + "$ref": "#/$defs/DictionaryEntry_derived" }, "prop_ai_AIPackage_ai_informationAboutApplication": { - "type": "string" + "type": "string" }, "prop_ai_AIPackage_ai_informationAboutTraining": { - "type": "string" + "type": "string" }, "prop_ai_AIPackage_ai_limitation": { - "type": "string" + "type": "string" }, "prop_ai_AIPackage_ai_metric": { - "$ref": "#/$defs/DictionaryEntry_derived" + "$ref": "#/$defs/DictionaryEntry_derived" }, "prop_ai_AIPackage_ai_metricDecisionThreshold": { - "$ref": "#/$defs/DictionaryEntry_derived" + "$ref": "#/$defs/DictionaryEntry_derived" }, "prop_ai_AIPackage_ai_modelDataPreprocessing": { - "type": "string" + "type": "string" }, "prop_ai_AIPackage_ai_modelExplainability": { - "type": "string" + "type": "string" }, "prop_ai_AIPackage_ai_safetyRiskAssessment": { - "enum": [ - "high", - "low", - "medium", - "serious" - ] + "enum": [ + "high", + "low", + "medium", + "serious" + ] }, "prop_ai_AIPackage_ai_standardCompliance": { - "type": "string" + "type": "string" }, "prop_ai_AIPackage_ai_typeOfModel": { - "type": "string" + "type": "string" }, "prop_ai_AIPackage_ai_useSensitivePersonalInformation": { - "enum": [ - "no", - "noAssertion", - "yes" - ] + "enum": [ + "no", + "noAssertion", + "yes" + ] }, "dataset_DatasetPackage": { - "allOf": [ - { - "type": "object", - "properties": { - "spdxId": { "$ref": "#/$defs/IRI" }, - "type": { - "oneOf": [ - { "const": "dataset_DatasetPackage" } - ] - } - }, - "required": ["spdxId"] + "if": { + "type": "object", + "properties": { + "type": { + "const": "dataset_DatasetPackage" + } }, - { "$ref": "#/$defs/dataset_DatasetPackage_props" } - ] + "required": ["type"] + }, + "then": { + "allOf": [ + { + "type": "object", + "properties": { + "spdxId": { "$ref": "#/$defs/IRI" }, + "type": { "type": "string" } + }, + "required": ["spdxId"] + }, + { "$ref": "#/$defs/dataset_DatasetPackage_props" } + ] + }, + "else": { + "const": "Not a dataset_DatasetPackage" + } }, "dataset_DatasetPackage_derived": { "anyOf": [ @@ -5638,7 +6434,7 @@ "type": "object", "properties": { "dataset_anonymizationMethodUsed": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -5654,7 +6450,7 @@ "$ref": "#/$defs/prop_dataset_DatasetPackage_dataset_dataCollectionProcess" }, "dataset_dataPreprocessing": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -5673,7 +6469,7 @@ "$ref": "#/$defs/prop_dataset_DatasetPackage_dataset_datasetSize" }, "dataset_datasetType": { - "oneOf": [ + "anyOf": [ { "type": "array", "minItems": 1, @@ -5693,7 +6489,7 @@ "$ref": "#/$defs/prop_dataset_DatasetPackage_dataset_intendedUse" }, "dataset_knownBias": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -5703,7 +6499,7 @@ ] }, "dataset_sensor": { - "oneOf": [ + "anyOf": [ { "type": "array", "items": { @@ -5720,74 +6516,74 @@ ] }, "prop_dataset_DatasetPackage_dataset_anonymizationMethodUsed": { - "type": "string" + "type": "string" }, "prop_dataset_DatasetPackage_dataset_confidentialityLevel": { - "enum": [ - "amber", - "clear", - "green", - "red" - ] + "enum": [ + "amber", + "clear", + "green", + "red" + ] }, "prop_dataset_DatasetPackage_dataset_dataCollectionProcess": { - "type": "string" + "type": "string" }, "prop_dataset_DatasetPackage_dataset_dataPreprocessing": { - "type": "string" + "type": "string" }, "prop_dataset_DatasetPackage_dataset_datasetAvailability": { - "enum": [ - "clickthrough", - "directDownload", - "query", - "registration", - "scrapingScript" - ] + "enum": [ + "clickthrough", + "directDownload", + "query", + "registration", + "scrapingScript" + ] }, "prop_dataset_DatasetPackage_dataset_datasetNoise": { - "type": "string" + "type": "string" }, "prop_dataset_DatasetPackage_dataset_datasetSize": { - "type": "integer", - "minimum": 0 + "type": "integer", + "minimum": 0 }, "prop_dataset_DatasetPackage_dataset_datasetType": { - "enum": [ - "audio", - "categorical", - "graph", - "image", - "noAssertion", - "numeric", - "other", - "sensor", - "structured", - "syntactic", - "text", - "timeseries", - "timestamp", - "video" - ] + "enum": [ + "audio", + "categorical", + "graph", + "image", + "noAssertion", + "numeric", + "other", + "sensor", + "structured", + "syntactic", + "text", + "timeseries", + "timestamp", + "video" + ] }, "prop_dataset_DatasetPackage_dataset_datasetUpdateMechanism": { - "type": "string" + "type": "string" }, "prop_dataset_DatasetPackage_dataset_hasSensitivePersonalInformation": { - "enum": [ - "no", - "noAssertion", - "yes" - ] + "enum": [ + "no", + "noAssertion", + "yes" + ] }, "prop_dataset_DatasetPackage_dataset_intendedUse": { - "type": "string" + "type": "string" }, "prop_dataset_DatasetPackage_dataset_knownBias": { - "type": "string" + "type": "string" }, "prop_dataset_DatasetPackage_dataset_sensor": { - "$ref": "#/$defs/DictionaryEntry_derived" + "$ref": "#/$defs/DictionaryEntry_derived" }, "IRI": { "type": "string", @@ -5798,7 +6594,7 @@ "pattern": "^_:.+" }, "BlankNodeOrIRI": { - "oneOf": [ + "anyOf": [ { "$ref": "#/$defs/IRI" }, { "$ref": "#/$defs/BlankNode" } ] @@ -5810,7 +6606,7 @@ "type": "object", "properties": { "type": { - "oneOf": [ + "anyOf": [ { "$ref": "#/$defs/IRI" }, { "enum": [ From 5f3620a529069d544db60cc2f4161f3969a35f55 Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Fri, 21 Nov 2025 14:33:20 -0800 Subject: [PATCH 38/61] Update schema to match generated schema Signed-off-by: Gary O'Neall --- resources/spdx-schema-v3.0.1.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/resources/spdx-schema-v3.0.1.json b/resources/spdx-schema-v3.0.1.json index 13f4636..bd7a3b5 100644 --- a/resources/spdx-schema-v3.0.1.json +++ b/resources/spdx-schema-v3.0.1.json @@ -603,6 +603,16 @@ } ] }, + "extension": { + "anyOf": [ + { + "type": "array", + "items": { + "$ref": "#/$defs/prop_Element_extension" + } + } + ] + }, "externalIdentifier": { "anyOf": [ { @@ -658,6 +668,9 @@ "prop_Element_extension": { "$ref": "#/$defs/extension_Extension_derived" }, + "prop_Element_extension": { + "$ref": "#/$defs/extension_Extension_derived" + }, "prop_Element_externalIdentifier": { "$ref": "#/$defs/ExternalIdentifier_derived" }, From ec1f6634d27c8f9042e0d620277a674b141837e7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Dec 2025 18:12:47 +0000 Subject: [PATCH 39/61] Bump org.apache.maven.plugins:maven-source-plugin from 3.3.1 to 3.4.0 Bumps [org.apache.maven.plugins:maven-source-plugin](https://github.com/apache/maven-source-plugin) from 3.3.1 to 3.4.0. - [Release notes](https://github.com/apache/maven-source-plugin/releases) - [Commits](https://github.com/apache/maven-source-plugin/compare/maven-source-plugin-3.3.1...maven-source-plugin-3.4.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-source-plugin dependency-version: 3.4.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 7335130..de31612 100644 --- a/pom.xml +++ b/pom.xml @@ -60,7 +60,7 @@ org.apache.maven.plugins maven-source-plugin - 3.3.1 + 3.4.0 attach-sources From 0ce3002985543d6fb02f17127a3bb1cc3d77c974 Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Wed, 3 Dec 2025 09:00:57 -0800 Subject: [PATCH 40/61] Update SPDX library versions Signed-off-by: Gary O'Neall --- pom.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pom.xml b/pom.xml index de31612..92dec7d 100644 --- a/pom.xml +++ b/pom.xml @@ -118,17 +118,17 @@ org.spdx java-spdx-library - 2.0.1 + 2.0.2 org.spdx spdx-jackson-store - 2.0.3 + 2.0.4 org.spdx spdx-rdf-store - 2.0.1 + 2.0.2 org.spdx @@ -138,12 +138,12 @@ org.spdx spdx-tagvalue-store - 2.0.1 + 2.0.2 org.spdx spdx-v3jsonld-store - 1.0.1 + 1.0.2 com.networknt From a097f097e745fd1083d8995cb88d86dbd51ae2ff Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Wed, 3 Dec 2025 09:28:43 -0800 Subject: [PATCH 41/61] [maven-release-plugin] prepare release v2.0.3 --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 92dec7d..0d38483 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ org.spdx tools-java - 2.0.3-SNAPSHOT + 2.0.3 jar tools-java @@ -32,7 +32,7 @@ https://github.com/spdx/tools-java scm:git:git@github.com:spdx/tools-java.git scm:git:git@github.com:spdx/tools-java.git - master + v2.0.3 Github From de4734dd6d36df9002b66136117cf3859e5447c8 Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Wed, 3 Dec 2025 09:28:58 -0800 Subject: [PATCH 42/61] [maven-release-plugin] prepare for next development iteration --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 0d38483..a1309e7 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ org.spdx tools-java - 2.0.3 + 2.0.4-SNAPSHOT jar tools-java @@ -32,7 +32,7 @@ https://github.com/spdx/tools-java scm:git:git@github.com:spdx/tools-java.git scm:git:git@github.com:spdx/tools-java.git - v2.0.3 + master Github From 77a41decbe94825424267827180ba738f8cb53cf Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Fri, 5 Dec 2025 10:23:53 -0800 Subject: [PATCH 43/61] Revert json-schema-validator version to 1.5.9 Fixes #257 Version 2.0.0 of the json-schema-validator introduces a very significant performance degredation Signed-off-by: Gary O'Neall --- .../examples/ExpandedLicenseExampleV3.java | 22 +++++++-------- .../org/spdx/examples/FullSpdxV3Example.java | 21 +++++++-------- pom.xml | 2 +- src/main/java/org/spdx/tools/Verify.java | 27 ++++++++++--------- 4 files changed, 36 insertions(+), 36 deletions(-) diff --git a/examples/org/spdx/examples/ExpandedLicenseExampleV3.java b/examples/org/spdx/examples/ExpandedLicenseExampleV3.java index 030b1b2..5b07d11 100644 --- a/examples/org/spdx/examples/ExpandedLicenseExampleV3.java +++ b/examples/org/spdx/examples/ExpandedLicenseExampleV3.java @@ -3,7 +3,7 @@ * SPDX-FileCopyrightText: Copyright (c) 2025 Source Auditor Inc. * SPDX-FileType: SOURCE * SPDX-License-Identifier: Apache-2.0 - * + *
* Example of serializing a single expanded license */ @@ -12,10 +12,10 @@ import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.SerializationFeature; -import com.networknt.schema.Error; -import com.networknt.schema.Schema; -import com.networknt.schema.SchemaRegistry; -import com.networknt.schema.SpecificationVersion; +import com.networknt.schema.JsonSchema; +import com.networknt.schema.JsonSchemaFactory; +import com.networknt.schema.SpecVersion.VersionFlag; +import com.networknt.schema.ValidationMessage; import org.spdx.core.DefaultModelStore; import org.spdx.core.IModelCopyManager; import org.spdx.library.LicenseInfoFactory; @@ -37,6 +37,7 @@ import java.util.ArrayList; import java.util.Collection; import java.util.List; +import java.util.Set; import static org.spdx.tools.Verify.JSON_SCHEMA_RESOURCE_V3; @@ -158,18 +159,17 @@ public static void main(String[] args) throws Exception { try (OutputStream outStream = new FileOutputStream(outFile)) { modelStore.serialize(outStream, doc); } - SchemaRegistry schemaRegistry = - SchemaRegistry.withDefaultDialect(SpecificationVersion.DRAFT_2020_12); - Schema schema; + JsonSchemaFactory jsonSchemaFactory = JsonSchemaFactory.getInstance(VersionFlag.V202012); + JsonSchema schema; try (InputStream is = Verify.class.getResourceAsStream("/" + JSON_SCHEMA_RESOURCE_V3)) { - schema = schemaRegistry.getSchema(is); + schema = jsonSchemaFactory.getSchema(is); } JsonNode root; try (InputStream is = new FileInputStream(outFile)) { root = JSON_MAPPER.readTree(is); } - List messages = schema.validate(root); - for (Error msg:messages) { + Set messages = schema.validate(root); + for (ValidationMessage msg:messages) { warnings.add(msg.toString()); } if (!warnings.isEmpty()) { diff --git a/examples/org/spdx/examples/FullSpdxV3Example.java b/examples/org/spdx/examples/FullSpdxV3Example.java index fd1b269..132b3a6 100644 --- a/examples/org/spdx/examples/FullSpdxV3Example.java +++ b/examples/org/spdx/examples/FullSpdxV3Example.java @@ -3,7 +3,7 @@ * SPDX-FileCopyrightText: Copyright (c) 2025 Source Auditor Inc. * SPDX-FileType: SOURCE * SPDX-License-Identifier: Apache-2.0 - * + *
* Full example of an SPDX document using all classes */ @@ -12,10 +12,10 @@ import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.SerializationFeature; -import com.networknt.schema.Error; -import com.networknt.schema.Schema; -import com.networknt.schema.SchemaRegistry; -import com.networknt.schema.SpecificationVersion; +import com.networknt.schema.JsonSchema; +import com.networknt.schema.JsonSchemaFactory; +import com.networknt.schema.SpecVersion.VersionFlag; +import com.networknt.schema.ValidationMessage; import org.spdx.core.DefaultModelStore; import org.spdx.core.IModelCopyManager; import org.spdx.core.InvalidSPDXAnalysisException; @@ -838,18 +838,17 @@ public static void main(String[] args) throws Exception { } // Validate using the schema - SchemaRegistry schemaRegistry = - SchemaRegistry.withDefaultDialect(SpecificationVersion.DRAFT_2020_12); - Schema schema; + JsonSchemaFactory jsonSchemaFactory = JsonSchemaFactory.getInstance(VersionFlag.V202012); + JsonSchema schema; try (InputStream is = Verify.class.getResourceAsStream("/" + JSON_SCHEMA_RESOURCE_V3)) { - schema = schemaRegistry.getSchema(is); + schema = jsonSchemaFactory.getSchema(is); } JsonNode root; try (InputStream is = new FileInputStream(outFile)) { root = JSON_MAPPER.readTree(is); } - List messages = schema.validate(root); - for (Error msg:messages) { + Set messages = schema.validate(root); + for (ValidationMessage msg:messages) { warnings.add(msg.toString()); } if (!warnings.isEmpty()) { diff --git a/pom.xml b/pom.xml index a1309e7..2034dbe 100644 --- a/pom.xml +++ b/pom.xml @@ -148,7 +148,7 @@ com.networknt json-schema-validator - 2.0.0 + 1.5.9 org.slf4j diff --git a/src/main/java/org/spdx/tools/Verify.java b/src/main/java/org/spdx/tools/Verify.java index 80b4f75..00ff30e 100644 --- a/src/main/java/org/spdx/tools/Verify.java +++ b/src/main/java/org/spdx/tools/Verify.java @@ -2,13 +2,13 @@ * SPDX-FileCopyrightText: Copyright (c) 2015 Source Auditor Inc. * SPDX-FileType: SOURCE * SPDX-License-Identifier: Apache-2.0 - * + *
* Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + *
* https://www.apache.org/licenses/LICENSE-2.0 - * + *
* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -26,6 +26,7 @@ import java.util.ArrayList; import java.util.List; import java.util.Objects; +import java.util.Set; import com.fasterxml.jackson.core.JsonParseException; @@ -39,10 +40,11 @@ import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.SerializationFeature; -import com.networknt.schema.Schema; -import com.networknt.schema.SchemaRegistry; -import com.networknt.schema.SpecificationVersion; -import com.networknt.schema.Error; + +import com.networknt.schema.JsonSchema; +import com.networknt.schema.JsonSchemaFactory; +import com.networknt.schema.SpecVersion.VersionFlag; +import com.networknt.schema.ValidationMessage; /** * Verifies an SPDX document and lists any verification errors @@ -171,18 +173,17 @@ public static List verify(String filePath, SerFileType fileType) throws } else { jsonSchemaResource = JSON_SCHEMA_RESOURCE_V3; } - SchemaRegistry schemaRegistry = - SchemaRegistry.withDefaultDialect(SpecificationVersion.DRAFT_2020_12); - Schema schema; + JsonSchemaFactory jsonSchemaFactory = JsonSchemaFactory.getInstance(VersionFlag.V202012); + JsonSchema schema; try (InputStream is = Verify.class.getResourceAsStream("/" + jsonSchemaResource)) { - schema = schemaRegistry.getSchema(is); + schema = jsonSchemaFactory.getSchema(is); } JsonNode root; try (InputStream is = new FileInputStream(file)) { root = JSON_MAPPER.readTree(is); } - List messages = schema.validate(root); - for (Error msg:messages) { + Set messages = schema.validate(root); + for (ValidationMessage msg:messages) { retval.add(msg.toString()); } } catch (IOException e) { From 93c22b84e78c74d436f88ff95c7aaa0f2bfe5eb7 Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Fri, 5 Dec 2025 11:11:30 -0800 Subject: [PATCH 44/61] [maven-release-plugin] prepare release v2.0.4 --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 2034dbe..d0d5684 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ org.spdx tools-java - 2.0.4-SNAPSHOT + 2.0.4 jar tools-java @@ -32,7 +32,7 @@ https://github.com/spdx/tools-java scm:git:git@github.com:spdx/tools-java.git scm:git:git@github.com:spdx/tools-java.git - master + v2.0.4 Github From 085d5b4c55cb4a9304ec24407734275a1d07b67f Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Fri, 5 Dec 2025 11:11:37 -0800 Subject: [PATCH 45/61] [maven-release-plugin] prepare for next development iteration --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index d0d5684..2458f23 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ org.spdx tools-java - 2.0.4 + 2.0.5-SNAPSHOT jar tools-java @@ -32,7 +32,7 @@ https://github.com/spdx/tools-java scm:git:git@github.com:spdx/tools-java.git scm:git:git@github.com:spdx/tools-java.git - v2.0.4 + master Github From 9bba4eb85557f3c2689da5f14d5e19a027586a8b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Dec 2025 16:01:09 +0000 Subject: [PATCH 46/61] Bump org.spdx:spdx-spreadsheet-store from 2.0.1 to 2.0.2 Bumps [org.spdx:spdx-spreadsheet-store](https://github.com/spdx/spdx-spreadsheet-store) from 2.0.1 to 2.0.2. - [Commits](https://github.com/spdx/spdx-spreadsheet-store/commits) --- updated-dependencies: - dependency-name: org.spdx:spdx-spreadsheet-store dependency-version: 2.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 2458f23..03c021d 100644 --- a/pom.xml +++ b/pom.xml @@ -133,7 +133,7 @@ org.spdx spdx-spreadsheet-store - 2.0.1 + 2.0.2 org.spdx From a0feec8295a003077f99864ea2961365b79126ed Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Jan 2026 20:16:04 +0000 Subject: [PATCH 47/61] Bump org.sonatype.central:central-publishing-maven-plugin Bumps [org.sonatype.central:central-publishing-maven-plugin](https://github.com/sonatype/central-publishing-maven-plugin) from 0.9.0 to 0.10.0. - [Commits](https://github.com/sonatype/central-publishing-maven-plugin/commits) --- updated-dependencies: - dependency-name: org.sonatype.central:central-publishing-maven-plugin dependency-version: 0.10.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 03c021d..97cbd82 100644 --- a/pom.xml +++ b/pom.xml @@ -205,7 +205,7 @@ org.sonatype.central central-publishing-maven-plugin - 0.9.0 + 0.10.0 true central From 515493fb1bc287b95cb49cd4e53983e48f99aad6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Jan 2026 20:15:55 +0000 Subject: [PATCH 48/61] Bump org.owasp:dependency-check-maven from 12.1.9 to 12.2.0 Bumps [org.owasp:dependency-check-maven](https://github.com/dependency-check/DependencyCheck) from 12.1.9 to 12.2.0. - [Release notes](https://github.com/dependency-check/DependencyCheck/releases) - [Changelog](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md) - [Commits](https://github.com/dependency-check/DependencyCheck/compare/v12.1.9...v12.2.0) --- updated-dependencies: - dependency-name: org.owasp:dependency-check-maven dependency-version: 12.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 97cbd82..fdf0b97 100644 --- a/pom.xml +++ b/pom.xml @@ -48,7 +48,7 @@ https://sonarcloud.io spdx tools-java - 12.1.9 + 12.2.0 11 -Xdoclint:none From 968beea74ade1ff11967b0cebb979c79c150c9a1 Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Sat, 17 Jan 2026 19:08:53 -0800 Subject: [PATCH 49/61] Add sonar-maven-plugin version 5.5.0.6356 --- pom.xml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pom.xml b/pom.xml index fdf0b97..91625f9 100644 --- a/pom.xml +++ b/pom.xml @@ -361,6 +361,11 @@ deploy + + org.sonarsource.scanner.maven + sonar-maven-plugin + 5.5.0.6356 + From c7e8af736bff01b8f2f09bb4e71184cca209acd3 Mon Sep 17 00:00:00 2001 From: Helio Chissini de Castro Date: Sun, 18 Jan 2026 09:59:06 +0100 Subject: [PATCH 50/61] feat(docker): Improve docker build and prevent double path in naming Signed-off-by: Helio Chissini de Castro --- .github/workflows/docker_deploy.yml | 37 +++++++++++++---------------- Dockerfile | 13 ++++------ 2 files changed, 22 insertions(+), 28 deletions(-) diff --git a/.github/workflows/docker_deploy.yml b/.github/workflows/docker_deploy.yml index 55ce713..26af21c 100644 --- a/.github/workflows/docker_deploy.yml +++ b/.github/workflows/docker_deploy.yml @@ -6,9 +6,14 @@ name: Docker Build on: + workflow_dispatch: + pull_request: + paths: + - Dockerfile + - .github/workflows/docker_deploy.yml push: paths-ignore: - - "**.md" + - '**.md' tags: - 'v*' env: @@ -24,22 +29,13 @@ jobs: steps: - name: Checkout main repository - uses: actions/checkout@v3 - - - name: Set environment variables - run: | - echo "ORG_BASE_NAME=${GITHUB_REPOSITORY}" >> $GITHUB_ENV - echo "TOOLS_JAVA_VERSION=${GITHUB_REF_NAME/v/}" >> $GITHUB_ENV - - name: Echoing current version - run: | - echo "$TOOLS_JAVA_VERSION" - echo $GITHUB_REF_NAME + uses: actions/checkout@v5 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Login to GitHub Container Registry - uses: docker/login-action@v2 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -47,19 +43,20 @@ jobs: - name: Extract components metadata id: meta_base - uses: docker/metadata-action@v4 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v51.0.0 with: - images: | - ${{ env.REGISTRY }}/${{ env.ORG_BASE_NAME }}/tools-java + tags: | + type=ref,event=tag + type=semver,pattern={{version}} + type=raw,value=main,enable=${{ github.ref == 'refs/heads/main' }} + labels: org.opencontainers.image.licenses=Apache-2.0 - name: Build Container - uses: docker/build-push-action@v3 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . - push: true + push: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') }} load: false - build-args: | - TOOLS_JAVA_VERSION=${{ env.TOOLS_JAVA_VERSION }} tags: | ${{ steps.meta_base.outputs.tags }} labels: ${{ steps.meta_base.outputs.labels }} diff --git a/Dockerfile b/Dockerfile index df1be6a..9b37ffb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,23 +1,21 @@ # syntax=docker/dockerfile:1.4 # Set Java versions -ARG JAVA_VERSION=17 +ARG JAVA_VERSION=21 # Use Maven eclipse Temurin based -FROM maven:3.8-eclipse-temurin-$JAVA_VERSION as build - -ARG TOOLS_JAVA_VERSION=1.1.5-SNAPSHOT +FROM maven:3.9-eclipse-temurin-$JAVA_VERSION as build WORKDIR /build # BUILD RUN --mount=type=cache,target=/root/.m2 \ --mount=type=bind,source=$PWD,target=/build,rw \ - mvn clean org.jacoco:jacoco-maven-plugin:prepare-agent install \ + export TOOLS_JAVA_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout) \ + && mvn clean org.jacoco:jacoco-maven-plugin:prepare-agent install \ && mkdir -p /usr/lib/java/spdx \ && cp target/tools-java-$TOOLS_JAVA_VERSION-jar-with-dependencies.jar /usr/lib/java/spdx/ - # Configure the wrapper script COPY scripts/tools-java-wrapper.sh /usr/bin/tools-java @@ -25,11 +23,10 @@ COPY scripts/tools-java-wrapper.sh /usr/bin/tools-java RUN sed -i "s/@@VERSION@@/$TOOLS_JAVA_VERSION/g" /usr/bin/tools-java \ && chmod +x /usr/bin/tools-java - # Deploy image FROM eclipse-temurin:$JAVA_VERSION as run COPY --from=build /usr/lib/java/spdx /usr/lib/java/spdx COPY --from=build /usr/bin/tools-java /usr/bin/tools-java -ENTRYPOINT [ "/usr/bin/tools-java" ] \ No newline at end of file +ENTRYPOINT [ "/usr/bin/tools-java" ] From 0e188d55b7e1e03a2729f94fc81ec8e5d71a3faa Mon Sep 17 00:00:00 2001 From: Helio Chissini de Castro Date: Sun, 18 Jan 2026 11:16:14 +0100 Subject: [PATCH 51/61] feat(docker): Enable multiarch image Signed-off-by: Helio Chissini de Castro --- .github/workflows/docker_deploy.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/docker_deploy.yml b/.github/workflows/docker_deploy.yml index 26af21c..f35157a 100644 --- a/.github/workflows/docker_deploy.yml +++ b/.github/workflows/docker_deploy.yml @@ -31,6 +31,9 @@ jobs: - name: Checkout main repository uses: actions/checkout@v5 + - name: Setup QEMU + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 + - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 @@ -45,6 +48,8 @@ jobs: id: meta_base uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v51.0.0 with: + images: | + ${{ env.REGISTRY }}/${{ github.repository }} tags: | type=ref,event=tag type=semver,pattern={{version}} @@ -57,6 +62,7 @@ jobs: context: . push: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') }} load: false + platforms: linux/amd64,linux/arm64 tags: | ${{ steps.meta_base.outputs.tags }} labels: ${{ steps.meta_base.outputs.labels }} From e545a1b00da91a1ba7083c276c518cbe88215f6a Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Mon, 19 Jan 2026 11:58:45 +0000 Subject: [PATCH 52/61] Add cooldown period for Maven updates in Dependabot Add 7 days cooldown period --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3cddd8c..ff70475 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,6 +1,8 @@ version: 2 updates: - package-ecosystem: "maven" + cooldown: + default-days: 7 directory: "/" schedule: interval: "weekly" From 1f67a1901bb345724813a2fbee05e2e38bf0d694 Mon Sep 17 00:00:00 2001 From: Marc-Etienne Vargenau Date: Wed, 18 Feb 2026 11:08:28 +0100 Subject: [PATCH 53/61] Update READEME for release 2.0.4 Signed-off-by: Marc-Etienne Vargenau --- README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index e1258bf..b38af53 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,7 @@ If you are a developer, there are examples in the [examples folder](examples/org The command line interface of the SPDX Tools can be used like this: - java -jar tools-java-2.0.2-jar-with-dependencies.jar + java -jar tools-java-2.0.4-jar-with-dependencies.jar ## SPDX format converters @@ -54,18 +54,18 @@ The following converter tools support SPDX format: Example to convert a SPDX file from Tag to RDF format: - java -jar tools-java-2.0.2-jar-with-dependencies.jar Convert ../testResources/SPDXTagExample-v2.2.spdx TagToRDF.rdf + java -jar tools-java-2.0.4-jar-with-dependencies.jar Convert ../testResources/SPDXTagExample-v2.2.spdx TagToRDF.rdf The file formats can optionally be provided as the 3rd and 4th parameter for the input and output formats respectively. An optional 5th option `excludeLicenseDetails` will not copy the listed license properties to the output file. The following example will copy a JSON format to an RDF Turtle format without including the listed license properties: - java -jar tools-java-2.0.2-jar-with-dependencies.jar Convert ../testResources/SPDXTagExample-v2.2.spdx TagToRDF.ttl TAG RDFTTL excludeLicenseDetails + java -jar tools-java-2.0.4-jar-with-dependencies.jar Convert ../testResources/SPDXTagExample-v2.2.spdx TagToRDF.ttl TAG RDFTTL excludeLicenseDetails To convert from SPDX 2 to SPDX 3.0.1: * use the file extension `.jsonld.json` or `.jsonld`; * or add the options for the from and to file types: - java -jar tools-java-2.0.2-jar-with-dependencies.jar Convert hello.spdx hello.spdx.json TAG JSONLD + java -jar tools-java-2.0.4-jar-with-dependencies.jar Convert hello.spdx hello.spdx.json TAG JSONLD ## Compare utilities @@ -75,13 +75,13 @@ The following tools can be used to compare one or more SPDX documents: Example to compare multiple SPDX files provided in RDF format and provide a spreadsheet with the results: - java -jar tools-java-2.0.2-jar-with-dependencies.jar CompareDocs output.xlsx doc1 doc2 ... docN + java -jar tools-java-2.0.4-jar-with-dependencies.jar CompareDocs output.xlsx doc1 doc2 ... docN * CompareMultipleSpdxDocs with directory Example to compare all SPDX documents in a directory "/home/me/spdxdocs" and provide a spreadsheet with the results: - java -jar tools-java-2.0.2-jar-with-dependencies.jar CompareDocs output.xlsx /home/me/spdxdocs + java -jar tools-java-2.0.4-jar-with-dependencies.jar CompareDocs output.xlsx /home/me/spdxdocs ## SPDX Viewer @@ -91,7 +91,7 @@ The following tool can be used to "Pretty Print" an SPDX document. Sample usage: - java -jar tools-java-2.0.2-jar-with-dependencies.jar SPDXViewer ../testResources/SPDXRdfExample-v2.2.spdx.rdf + java -jar tools-java-2.0.4-jar-with-dependencies.jar SPDXViewer ../testResources/SPDXRdfExample-v2.2.spdx.rdf ## Verifier @@ -101,7 +101,7 @@ The following tool can be used to verify an SPDX document: Sample usage: - java -jar tools-java-2.0.2-jar-with-dependencies.jar Verify ../testResources/SPDXRdfExample-v2.2.spdx.rdf + java -jar tools-java-2.0.4-jar-with-dependencies.jar Verify ../testResources/SPDXRdfExample-v2.2.spdx.rdf ## Generators @@ -111,7 +111,7 @@ The following tool can be used to generate an SPDX verification code from a dire Sample usage: - java -jar tools-java-2.0.2-jar-with-dependencies.jar GenerateVerificationCode sourceDirectory [ignoredFilesRegex] + java -jar tools-java-2.0.4-jar-with-dependencies.jar GenerateVerificationCode sourceDirectory [ignoredFilesRegex] ## SPDX Validation Tool From 144c5b4116da77672188836d7a10b7f0dec6b032 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Feb 2026 16:21:12 +0000 Subject: [PATCH 54/61] Bump org.apache.maven.plugins:maven-compiler-plugin Bumps [org.apache.maven.plugins:maven-compiler-plugin](https://github.com/apache/maven-compiler-plugin) from 3.14.1 to 3.15.0. - [Release notes](https://github.com/apache/maven-compiler-plugin/releases) - [Commits](https://github.com/apache/maven-compiler-plugin/compare/maven-compiler-plugin-3.14.1...maven-compiler-plugin-3.15.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-compiler-plugin dependency-version: 3.15.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 91625f9..45e2e92 100644 --- a/pom.xml +++ b/pom.xml @@ -242,7 +242,7 @@ org.apache.maven.plugins maven-compiler-plugin - 3.14.1 + 3.15.0 ${project.build.sourceEncoding} true From db3152e5a5c1a48dc23a78b2251e73acde67d0c5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Dec 2025 16:01:03 +0000 Subject: [PATCH 55/61] Bump org.apache.maven.plugins:maven-release-plugin from 3.2.0 to 3.3.1 Bumps [org.apache.maven.plugins:maven-release-plugin](https://github.com/apache/maven-release) from 3.2.0 to 3.3.1. - [Release notes](https://github.com/apache/maven-release/releases) - [Commits](https://github.com/apache/maven-release/compare/maven-release-3.2.0...maven-release-3.3.1) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-release-plugin dependency-version: 3.3.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 45e2e92..521e7c2 100644 --- a/pom.xml +++ b/pom.xml @@ -354,7 +354,7 @@ org.apache.maven.plugins maven-release-plugin - 3.2.0 + 3.3.1 v@{project.version} release From 811f274b17b570a992e5027bc4e6911a52c7c891 Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Thu, 12 Mar 2026 16:04:49 -0700 Subject: [PATCH 56/61] Update SPDX Java library versions Signed-off-by: Gary O'Neall --- pom.xml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/pom.xml b/pom.xml index 521e7c2..2285584 100644 --- a/pom.xml +++ b/pom.xml @@ -118,32 +118,32 @@ org.spdx java-spdx-library - 2.0.2 + 2.0.3 org.spdx spdx-jackson-store - 2.0.4 + 2.0.5 org.spdx spdx-rdf-store - 2.0.2 + 2.0.3 org.spdx spdx-spreadsheet-store - 2.0.2 + 2.0.3 org.spdx spdx-tagvalue-store - 2.0.2 + 2.0.3 org.spdx spdx-v3jsonld-store - 1.0.2 + 1.0.3 com.networknt From 5adac70c8d826fa60ce8260e2eaeaac78355dfed Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Thu, 12 Mar 2026 16:13:48 -0700 Subject: [PATCH 57/61] [maven-release-plugin] prepare release v2.0.5 --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 2285584..478a004 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ org.spdx tools-java - 2.0.5-SNAPSHOT + 2.0.5 jar tools-java @@ -32,7 +32,7 @@ https://github.com/spdx/tools-java scm:git:git@github.com:spdx/tools-java.git scm:git:git@github.com:spdx/tools-java.git - master + v2.0.5 Github From db1efba804a08a099699425033c81a36bd51f2fd Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Thu, 12 Mar 2026 16:13:53 -0700 Subject: [PATCH 58/61] [maven-release-plugin] prepare for next development iteration --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 478a004..24fc310 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ org.spdx tools-java - 2.0.5 + 2.0.6-SNAPSHOT jar tools-java @@ -32,7 +32,7 @@ https://github.com/spdx/tools-java scm:git:git@github.com:spdx/tools-java.git scm:git:git@github.com:spdx/tools-java.git - v2.0.5 + master Github From 2b3cd5d1e78767d4a126b58f4949138dcf49daab Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Fri, 13 Mar 2026 13:15:04 -0700 Subject: [PATCH 59/61] Update spdx-v3-jsonld-store to version 1.0.4 Signed-off-by: Gary O'Neall --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 24fc310..e49e0af 100644 --- a/pom.xml +++ b/pom.xml @@ -143,7 +143,7 @@ org.spdx spdx-v3jsonld-store - 1.0.3 + 1.0.4 com.networknt From b928e8e28fa5e836e1af7cb465877b27a6a87efe Mon Sep 17 00:00:00 2001 From: Marc-Etienne Vargenau Date: Wed, 25 Mar 2026 10:30:14 +0100 Subject: [PATCH 60/61] Update README for release 2.0.5 Signed-off-by: Marc-Etienne Vargenau --- README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index b38af53..97761ab 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,7 @@ If you are a developer, there are examples in the [examples folder](examples/org The command line interface of the SPDX Tools can be used like this: - java -jar tools-java-2.0.4-jar-with-dependencies.jar + java -jar tools-java-2.0.5-jar-with-dependencies.jar ## SPDX format converters @@ -54,18 +54,18 @@ The following converter tools support SPDX format: Example to convert a SPDX file from Tag to RDF format: - java -jar tools-java-2.0.4-jar-with-dependencies.jar Convert ../testResources/SPDXTagExample-v2.2.spdx TagToRDF.rdf + java -jar tools-java-2.0.5-jar-with-dependencies.jar Convert ../testResources/SPDXTagExample-v2.2.spdx TagToRDF.rdf The file formats can optionally be provided as the 3rd and 4th parameter for the input and output formats respectively. An optional 5th option `excludeLicenseDetails` will not copy the listed license properties to the output file. The following example will copy a JSON format to an RDF Turtle format without including the listed license properties: - java -jar tools-java-2.0.4-jar-with-dependencies.jar Convert ../testResources/SPDXTagExample-v2.2.spdx TagToRDF.ttl TAG RDFTTL excludeLicenseDetails + java -jar tools-java-2.0.5-jar-with-dependencies.jar Convert ../testResources/SPDXTagExample-v2.2.spdx TagToRDF.ttl TAG RDFTTL excludeLicenseDetails To convert from SPDX 2 to SPDX 3.0.1: * use the file extension `.jsonld.json` or `.jsonld`; * or add the options for the from and to file types: - java -jar tools-java-2.0.4-jar-with-dependencies.jar Convert hello.spdx hello.spdx.json TAG JSONLD + java -jar tools-java-2.0.5-jar-with-dependencies.jar Convert hello.spdx hello.spdx.json TAG JSONLD ## Compare utilities @@ -75,13 +75,13 @@ The following tools can be used to compare one or more SPDX documents: Example to compare multiple SPDX files provided in RDF format and provide a spreadsheet with the results: - java -jar tools-java-2.0.4-jar-with-dependencies.jar CompareDocs output.xlsx doc1 doc2 ... docN + java -jar tools-java-2.0.5-jar-with-dependencies.jar CompareDocs output.xlsx doc1 doc2 ... docN * CompareMultipleSpdxDocs with directory Example to compare all SPDX documents in a directory "/home/me/spdxdocs" and provide a spreadsheet with the results: - java -jar tools-java-2.0.4-jar-with-dependencies.jar CompareDocs output.xlsx /home/me/spdxdocs + java -jar tools-java-2.0.5-jar-with-dependencies.jar CompareDocs output.xlsx /home/me/spdxdocs ## SPDX Viewer @@ -91,7 +91,7 @@ The following tool can be used to "Pretty Print" an SPDX document. Sample usage: - java -jar tools-java-2.0.4-jar-with-dependencies.jar SPDXViewer ../testResources/SPDXRdfExample-v2.2.spdx.rdf + java -jar tools-java-2.0.5-jar-with-dependencies.jar SPDXViewer ../testResources/SPDXRdfExample-v2.2.spdx.rdf ## Verifier @@ -101,7 +101,7 @@ The following tool can be used to verify an SPDX document: Sample usage: - java -jar tools-java-2.0.4-jar-with-dependencies.jar Verify ../testResources/SPDXRdfExample-v2.2.spdx.rdf + java -jar tools-java-2.0.5-jar-with-dependencies.jar Verify ../testResources/SPDXRdfExample-v2.2.spdx.rdf ## Generators @@ -111,7 +111,7 @@ The following tool can be used to generate an SPDX verification code from a dire Sample usage: - java -jar tools-java-2.0.4-jar-with-dependencies.jar GenerateVerificationCode sourceDirectory [ignoredFilesRegex] + java -jar tools-java-2.0.5-jar-with-dependencies.jar GenerateVerificationCode sourceDirectory [ignoredFilesRegex] ## SPDX Validation Tool From 7b4f769314e959daa200e366cdc0a043bebf521b Mon Sep 17 00:00:00 2001 From: Marc-Etienne Vargenau Date: Wed, 15 Apr 2026 15:31:19 +0200 Subject: [PATCH 61/61] Allow .spdx3.json extension when converting from SPDX 2 to SPDX 3 Fixes https://github.com/spdx/tools-java/issues/278 Untested, please test before merging. Signed-off-by: Marc-Etienne Vargenau --- README.md | 2 +- src/main/java/org/spdx/tools/SpdxToolsHelper.java | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 97761ab..93713aa 100644 --- a/README.md +++ b/README.md @@ -62,7 +62,7 @@ The file formats can optionally be provided as the 3rd and 4th parameter for the To convert from SPDX 2 to SPDX 3.0.1: -* use the file extension `.jsonld.json` or `.jsonld`; +* use the file extension `.spdx3.json` or `.jsonld.json` or `.jsonld`; * or add the options for the from and to file types: java -jar tools-java-2.0.5-jar-with-dependencies.jar Convert hello.spdx hello.spdx.json TAG JSONLD diff --git a/src/main/java/org/spdx/tools/SpdxToolsHelper.java b/src/main/java/org/spdx/tools/SpdxToolsHelper.java index dfa9402..59ab84e 100644 --- a/src/main/java/org/spdx/tools/SpdxToolsHelper.java +++ b/src/main/java/org/spdx/tools/SpdxToolsHelper.java @@ -70,6 +70,7 @@ public enum SerFileType { static Map EXT_TO_FILETYPE; static { HashMap temp = new HashMap<>(); + temp.put("spdx3.json", SerFileType.JSONLD); temp.put("jsonld.json", SerFileType.JSONLD); temp.put("jsonld", SerFileType.JSONLD); temp.put("json", SerFileType.JSON); @@ -159,10 +160,14 @@ public static SerFileType fileToFileType(File file) if (fileName.endsWith("rdf.ttl")) { ext = "rdf.ttl"; } - }if ("json".equals(ext)) { + } + if ("json".equals(ext)) { if (fileName.endsWith("jsonld.json")) { ext = "jsonld.json"; } + if (fileName.endsWith("spdx3.json")) { + ext = "spdx3.json"; + } } SerFileType retval = EXT_TO_FILETYPE.get(ext); if (SerFileType.JSON.equals(retval)) {