    SPDX Specification Explained


    These are study notes on the SPDX specification 2.2 (SPDX-specification-2.2), with parts of the text translated.

    SPDX is short for Software Package Data Exchange.

    1 Rationale

    1.1 Charter

    To create a set of data exchange standards that enable companies and organizations to share human-readable and machine-processable software package metadata in order to facilitate software supply chain processes.

    1.2 Definition

    The Software Package Data Exchange (SPDX®) specification is a standard format for capturing the components and metadata associated with a software package. An SPDX file can be associated with a set of software packages, files or snippets, and contains information about the software in the SPDX format described in this specification.

    1.3 Why is a common format for data exchange needed?

    Companies and organizations (collectively "Organizations") are widely using and reusing open source and other software packages. Accurate identification of software is key to many supply chain processes. Vulnerability remediation starts with knowing which version of software is in use on a system. Compliance with the associated licenses requires a set of analysis activities and due diligence that each Organization performs independently, which may include a manual and/or automated scan of software and identification of associated licenses followed by manual verification. Software development teams across the globe use the same open source packages, but little infrastructure exists to facilitate collaboration on the analysis or share the results of these analysis activities. As a result, many groups are performing the same work leading to duplicated efforts and redundant information. The SPDX working group seeks to create a data exchange format so that information about software packages and related content may be collected and shared in a common format with the goal of saving time and improving data accuracy.

    2 Document Creation Information

    One instance is required for each SPDX file produced. It provides the necessary information for forward and backward compatibility for processing tools.

    Cardinality: Mandatory, one.

    2.1 SPDX Version

    2.1.3 Cardinality: Mandatory, one.

    2.1.4 Data Format: SPDX-M.N where:
    • M is the major version number
    • N is the minor version number

    2.1.5 Tag: SPDXVersion:
    Example:
    SPDXVersion: SPDX-2.2

    2.2 Data License

    2.2.3 Cardinality: Mandatory, one.

    2.2.4 Data Format: CC0-1.0

    2.2.5 Tag: DataLicense:
    Example:
    DataLicense: CC0-1.0

    2.3 SPDX Identifier

    2.3.3 Cardinality: Mandatory, one.

    2.3.4 Data Format: SPDXRef-DOCUMENT

    2.3.5 Tag: SPDXID:
    Example:
    SPDXID: SPDXRef-DOCUMENT

    2.4 Document Name

    2.4.3 Cardinality: Mandatory, one.

    2.4.4 Data Format: Single line of text.

    2.4.5 Tag: DocumentName:
    Example:
    DocumentName: glibc-v2.3
    DocumentName: ubuntu-14.04

    2.5 SPDX Document Namespace

    2.5.3 Cardinality: Mandatory, one.

    2.5.4 Data Format: unique absolute Uniform Resource Identifier (URI) as specified in RFC 3986, with the following exceptions:
    The SPDX Document URI cannot contain a URI "part" (e.g. the # delimiter), since the # is used to uniquely identify SPDX element identifiers. The URI must contain a scheme (e.g. https:).
    The URI must be unique for the SPDX document including the specific version of the SPDX document. If the SPDX document is updated, thereby creating a new version, a new URI for the updated document must be used. There can only be one URI for an SPDX document and only one SPDX document for a given URI.

    2.5.5 Tag: DocumentNamespace:
    Example:
    DocumentNamespace: http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82...

    2.6 External Document References

    2.6.3 Cardinality: Optional, one or many.

    2.7 License List Version

    2.7.3 Cardinality: Optional, one.

    2.8 Creator

    2.8.3 Cardinality: Mandatory, one or many.

    2.8.4 Data Format: Single line of text with the following keywords:
    "Person: person name" and optional "(email)"
    "Organization: organization" and optional "(email)"
    "Tool: toolidentifier-version"

    2.8.5 Tag: Creator:
    Example:
    Creator: Person: Jane Doe ()
    Creator: Organization: ExampleCodeInspect ()
    Creator: Tool: LicenseFind-1.0

    2.9 Created

    2.9.3 Cardinality: Mandatory, one.

    2.9.4 Data Format: YYYY-MM-DDThh:mm:ssZ
    where:

    • YYYY is year
    • MM is month with leading zero
    • DD is day with leading zero
    • T is delimiter for time
    • hh is hours with leading zero in 24 hour time
    • mm is minutes with leading zero
    • ss is seconds with leading zero
    • Z is universal time indicator

    2.9.5 Tag: Created:
    Example:
    Created: 2010-01-29T18:30:22Z

    2.10 Creator Comment

    2.10.3 Cardinality: Optional, one.

    2.11 Document Comment

    2.11.3 Cardinality: Optional, one.
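The fields in section 2 are the first thing a consumer of an SPDX document should check: if the header is malformed, nothing below it can be trusted to refer to the right document or version. The Python script below is an added example written for these notes, not code from the specification or the SPDX project. It parses tag:value lines, including values wrapped in <text> .. </text>, and then applies the cardinality and format rules of 2.1 through 2.9. The sample document is constructed for the example and its namespace UUID is invented.

```python
import re
from datetime import datetime

# Constructed sample: a Document Creation Information section in tag:value form.
# The namespace UUID is made up for this example.
SAMPLE = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: glibc-v2.3
DocumentNamespace: http://spdx.org/spdxdocs/glibc-v2.3-3F2504E0-4F89-41D3-9A0C-0305E82C3301
Creator: Person: Jane Doe ()
Creator: Organization: ExampleCodeInspect ()
Creator: Tool: LicenseFind-1.0
Created: 2010-01-29T18:30:22Z
DocumentComment: <text>Constructed example;
the comment spans two lines.</text>
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")
TEXT_OPEN, TEXT_CLOSE = "<text>", "</text>"


def parse_tag_value(text):
    """Turn a tag:value document into an ordered list of (tag, value) pairs.

    Blank lines and '#' comment lines are skipped. A value that starts with
    <text> runs until the line that ends with </text>, so free-form fields
    such as DocumentComment or PackageCopyrightText may span several lines.
    """
    pairs, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = TAG_RE.match(line)
        if not m:
            raise ValueError(f"not a tag:value line: {line!r}")
        tag, value = m.group(1), m.group(2)
        if value.startswith(TEXT_OPEN):
            body = value[len(TEXT_OPEN):]
            if body.endswith(TEXT_CLOSE):
                value = body[:-len(TEXT_CLOSE)]
            else:
                parts = [body]
                while i < len(lines) and not lines[i].endswith(TEXT_CLOSE):
                    parts.append(lines[i])
                    i += 1
                if i == len(lines):
                    raise ValueError(f"unterminated <text> in {tag}")
                parts.append(lines[i][:-len(TEXT_CLOSE)])
                i += 1
                value = "\n".join(parts)
        pairs.append((tag, value))
    return pairs


VERSION_RE = re.compile(r"^SPDX-\d+\.\d+$")                                        # 2.1.4: SPDX-M.N
CREATOR_RE = re.compile(r"^(?:(?:Person|Organization): .+?(?: \(.*\))?|Tool: .+)$")  # 2.8.4
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")                  # 2.9.4
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")                                # RFC 3986 scheme
MANDATORY_ONE = ("SPDXVersion", "DataLicense", "SPDXID", "DocumentName",
                 "DocumentNamespace", "Created")


def validate_creation_info(pairs):
    """Apply the section 2 rules; return a list of problems (empty means the header is acceptable)."""
    problems, by_tag = [], {}
    for tag, value in pairs:
        by_tag.setdefault(tag, []).append(value)

    def single(tag):
        values = by_tag.get(tag, [])
        if len(values) != 1:
            problems.append(f"{tag}: expected exactly one, found {len(values)}")
            return None
        return values[0]

    version = single("SPDXVersion")
    if version is not None and not VERSION_RE.match(version):
        problems.append(f"SPDXVersion: {version!r} is not of the form SPDX-M.N")
    if single("DataLicense") not in (None, "CC0-1.0"):
        problems.append("DataLicense: must be CC0-1.0")
    if single("SPDXID") not in (None, "SPDXRef-DOCUMENT"):
        problems.append("SPDXID: the document itself must be SPDXRef-DOCUMENT")
    single("DocumentName")
    ns = single("DocumentNamespace")
    if ns is not None:
        if "#" in ns:
            problems.append("DocumentNamespace: '#' is reserved for element identifiers")
        if not SCHEME_RE.match(ns):
            problems.append("DocumentNamespace: must be an absolute URI with a scheme")
    creators = by_tag.get("Creator", [])
    if not creators:
        problems.append("Creator: at least one required")
    for creator in creators:
        if not CREATOR_RE.match(creator):
            problems.append(f"Creator: {creator!r} is not Person:/Organization:/Tool:")
    created = single("Created")
    if created is not None:
        if not CREATED_RE.match(created):
            problems.append(f"Created: {created!r} is not YYYY-MM-DDThh:mm:ssZ")
        else:
            try:
                datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")  # rejects e.g. month 13
            except ValueError:
                problems.append(f"Created: {created!r} is not a real date/time")
    return problems


def check_document(text):
    """Convenience wrapper: parse, then validate; returns the problem list."""
    return validate_creation_info(parse_tag_value(text))
```

check_document returns an empty list for a conforming header; each violated rule produces one entry, so a CI gate can fail on a non-empty list and print it. Note that the shape check on Created is not enough on its own: a string such as 2010-13-29T18:30:22Z matches the pattern and is only rejected by the strptime round trip.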

    3 Package Information

    3.1 Package Name

    3.1.3 Cardinality: Mandatory, one.

    3.1.4 Data Format: Single line of text.

    3.1.5 Tag: PackageName:
    Example:
    PackageName: glibc
    3.1.6 RDF: property spdx:name in class spdx:Package

    3.2 Package SPDX Identifier

    3.2.3 Cardinality: Mandatory, one.

    3.2.4 Data Format: “SPDXRef-”[idstring]

    3.2.5 Tag: SPDXID:
    Example:
    SPDXID: SPDXRef-1

    3.3 Package Version

    3.3.3 Cardinality: Optional, one.

    3.3.4 Data Format: Single line of text.

    3.3.5 Tag: PackageVersion:
    Example:
    PackageVersion: 2.11.1

    3.4 Package File Name

    3.4.1 Purpose

    This field provides the actual file name of the package, or the path of the directory being treated as a package. This may include the packaging and compression methods used as part of the file name, if appropriate.

    3.4.3 Cardinality: Optional, one.

    3.4.4 Data Format: Single line of text.

    3.4.5 Tag: PackageFileName:
    Example:
    PackageFileName: glibc-2.11.1.tar.gz
    Example (sub-directory being treated as a package):
    PackageFileName: ./myrootdir/mysubdir1

    3.5 Package Supplier

    3.5.3 Cardinality: Optional, one.

    3.5.4 Data Format: Single line of text with the following keywords | NOASSERTION

    • Person: person name and optional (email)
    • Organization: organization name and optional (email)

    3.5.5 Tag: PackageSupplier:
    Example:

    PackageSupplier: Person: Jane Doe (jane.doe@example.com)

    3.6 Package Originator

    3.6.3 Cardinality: Optional, one.

    3.7 Package Download Location

    3.7.3 Cardinality: Mandatory, one.

    3.7.4 Data Format: uniform resource locator | VCS location | NONE | NOASSERTION

    3.7.5 Tag: PackageDownloadLocation:
    Examples if ambiguous:
    PackageDownloadLocation: NOASSERTION
    PackageDownloadLocation: NONE
    Example for a plain URL:
    PackageDownloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz
    Example for Git:
    SPDX supported schemes are: git, git+git, git+https, git+http, and git+ssh. git and
    git+git are equivalent.
    Here are the supported forms:
    PackageDownloadLocation: git://git.myproject.org/MyProject
    PackageDownloadLocation: git+https://git.myproject.org/MyProject.git
    PackageDownloadLocation: git+http://git.myproject.org/MyProject
    PackageDownloadLocation: git+ssh://git.myproject.org/MyProject.git

    3.8 Files Analyzed

    3.8.3 Cardinality: Optional, one. If omitted, the default value of true is assumed.

    3.8.4 Data Format: Boolean

    3.8.5 Tag: FilesAnalyzed
    Example:
    FilesAnalyzed: false

    3.9 Package Verification Code

    3.9.3 Cardinality: Mandatory, one if FilesAnalyzed is true or omitted, zero (must be
    omitted) if FilesAnalyzed is false.

    3.9.6 Tag: PackageVerificationCode: (and optionally (excludes: FileName))
    FileName is specified in section 4.1.
    Example:
    PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758 (excludes: ./package.spdx)
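Section 3.9.4 of the spec, which these notes do not reproduce, defines how the code is computed: take the SHA1 of every file in the package except those listed in excludes, sort the hex digests, concatenate them with no separator, and SHA1 the result. The SPDX document itself is the usual exclusion because it cannot contain its own hash. The script below is an added example (not spec or project code) that implements that algorithm over a directory, emits the tag line, and re-verifies it after a file has been tampered with. The package tree it builds in a temporary directory is constructed for the demonstration, and listing several excluded files comma-separated in the tag is this example's assumption; the spec's example shows a single file.

```python
import hashlib
import os
import re
import tempfile


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def hash_tree(root):
    """Return {'./relative/path': sha1-hex} for every regular file under root (4.1-style names)."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = "./" + os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = sha1_hex(fh.read())
    return hashes


def package_verification_code(file_hashes, excludes=()):
    """Spec 3.9.4 algorithm: SHA1 over the sorted, separator-free concatenation of the
    SHA1 hex digests of all files that are not in excludes."""
    digests = sorted(h for name, h in file_hashes.items() if name not in excludes)
    return sha1_hex("".join(digests).encode("ascii"))


def format_tag(code, excludes=()):
    """Render the 3.9.6 tag:value line (comma-separated excludes is an assumption)."""
    if excludes:
        return f"PackageVerificationCode: {code} (excludes: {', '.join(excludes)})"
    return f"PackageVerificationCode: {code}"


PVC_RE = re.compile(r"^PackageVerificationCode:\s*([0-9a-f]{40})(?:\s*\(excludes:\s*(.*?)\s*\))?\s*$")


def parse_tag(line):
    m = PVC_RE.match(line)
    if not m:
        raise ValueError(f"malformed PackageVerificationCode line: {line!r}")
    excludes = tuple(re.split(r"[,\s]+", m.group(2))) if m.group(2) else ()
    return m.group(1), excludes


def verify_package(root, tag_line):
    """Recompute the code for the tree at root and compare it with the claimed value.
    Returns (matches, claimed, actual)."""
    claimed, excludes = parse_tag(tag_line)
    actual = package_verification_code(hash_tree(root), excludes)
    return claimed == actual, claimed, actual


def demo():
    """Build a constructed package tree, emit its tag, then tamper with files.
    Returns (ok_before_tamper, ok_after_source_tamper, ok_after_editing_excluded_spdx_file)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        files = {"src/foo.c": b"int main(void) { return 0; }\n",
                 "README": b"constructed example package\n",
                 "package.spdx": b"SPDXVersion: SPDX-2.2\n"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        excludes = ("./package.spdx",)
        tag = format_tag(package_verification_code(hash_tree(root), excludes), excludes)
        ok_before = verify_package(root, tag)[0]
        # The SPDX document is excluded, so appending to it must not change the code.
        with open(os.path.join(root, "package.spdx"), "ab") as fh:
            fh.write(tag.encode() + b"\n")
        ok_spdx_edit = verify_package(root, tag)[0]
        # A modified source file (the supply-chain case the code exists for) must be caught.
        with open(os.path.join(root, "src", "foo.c"), "ab") as fh:
            fh.write(b"/* injected */\n")
        ok_after = verify_package(root, tag)[0]
    return ok_before, ok_after, ok_spdx_edit
```

Because the digests are sorted before hashing, the code is independent of file names and directory layout: renaming or moving a file does not change it, but altering a single byte of any non-excluded file does. That is also its limit as a supply-chain check: it says nothing about which file changed, so keep the per-file FileChecksum entries of section 4.4 alongside it.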

    3.10 Package Checksum

    3.10.3 Cardinality: Optional, one or many.

    3.11 Package Home Page

    3.11.3 Cardinality: Optional, one.

    3.12 Source Information

    3.12.3 Cardinality: Optional, one.

    3.13 Concluded License

    3.13.3 Cardinality: Mandatory, one.

    3.13.4 Data Format: <SPDX License Expression> | NONE | NOASSERTION
    where:
    <SPDX License Expression> is a valid SPDX License Expression as defined in Appendix IV.

    3.13.5 Tag: PackageLicenseConcluded:
    Example:
    PackageLicenseConcluded: LGPL-2.0-only

    Example:
    PackageLicenseConcluded: (LGPL-2.0-only OR LicenseRef-3)

    3.14 All Licenses Information from Files

    3.14.3 Cardinality: Mandatory, one or many if FilesAnalyzed is true or omitted, zero (must be omitted) if FilesAnalyzed is false.

    3.14.4 Data Format: <SPDX License Expression> | ["DocumentRef-"[idstring]":"]"LicenseRef-"[idstring] | NONE | NOASSERTION

    where:

    • <SPDX License Expression> is a valid SPDX License Expression as defined in Appendix IV.
    • "DocumentRef-"[idstring] is an optional reference to an external SPDX document as described in section 2.6.
    • [idstring] is a unique string containing letters, numbers, ., or -.

    3.14.5 Tag: PackageLicenseInfoFromFiles:
    Example:
    PackageLicenseInfoFromFiles: GPL-2.0-only
    PackageLicenseInfoFromFiles: LicenseRef-1
    PackageLicenseInfoFromFiles: LicenseRef-2

    3.15 Declared License

    3.15.3 Cardinality: Mandatory, one.

    3.15.4 Data Format: <SPDX License Expression> | NONE | NOASSERTION
    where:

    • <SPDX License Expression> is a valid SPDX License Expression as defined in Appendix IV.

    3.15.5 Tag: PackageLicenseDeclared:
    Example:
    PackageLicenseDeclared: LGPL-2.0-only
    Example:
    PackageLicenseDeclared: (LGPL-2.0-only AND LicenseRef-3)
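The three license fields above (3.13, 3.14 and 3.15) all take an SPDX License Expression, whose grammar is in Appendix IV of the spec and is not reproduced in these notes: a short identifier, optionally followed by "+", or a LicenseRef-/DocumentRef- reference; WITH attaches an exception; AND and OR combine expressions; parentheses group; and precedence from tightest to loosest is "+", WITH, AND, OR. The Python parser below is an added example, not the spec's or any SPDX tool's code. The policy check built on it (every license in an AND must be permitted, either branch of an OR suffices, LicenseRef-* references are accepted only when explicitly permitted) is this example's own design, and the allowed set in the test is an arbitrary example policy.

```python
import re

ID_RE = re.compile(r"[A-Za-z0-9.-]+\+?")                                          # license-id, optional "+"
REF_RE = re.compile(r"(?:DocumentRef-[A-Za-z0-9.-]+:)?LicenseRef-[A-Za-z0-9.-]+")  # license-ref
OPERATORS = ("AND", "OR", "WITH")


def tokenize(text):
    tokens = re.findall(r"[()]|[A-Za-z0-9.:+-]+|\S", text)
    for tok in tokens:
        if tok not in ("(", ")") and not re.fullmatch(r"[A-Za-z0-9.:+-]+", tok):
            raise ValueError(f"unexpected character {tok!r} in license expression")
    return tokens


def parse_license_expression(text):
    """Recursive-descent parser for the Appendix IV grammar. Precedence, tightest first:
    "+", WITH, AND, OR. Returns a nested tuple tree:
    ("ID", name) | ("WITH", node, exception) | ("AND", a, b) | ("OR", a, b).
    Operators are matched in upper case, as the examples on this page write them."""
    tokens, pos = tokenize(text), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of license expression")
        pos += 1
        return tokens[pos - 1]

    def primary():
        tok = take()
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in OPERATORS or tok == ")":
            raise ValueError(f"unexpected {tok!r}")
        if tok.startswith(("LicenseRef-", "DocumentRef-")):
            if not REF_RE.fullmatch(tok):          # e.g. LicenseRef-3+ is not allowed
                raise ValueError(f"malformed license reference {tok!r}")
        elif not ID_RE.fullmatch(tok):
            raise ValueError(f"malformed license identifier {tok!r}")
        return ("ID", tok)

    def with_expr():
        node = primary()
        if peek() == "WITH":
            take()
            exc = take()
            if exc in OPERATORS or exc in ("(", ")") or exc.endswith("+") or not ID_RE.fullmatch(exc):
                raise ValueError(f"malformed exception identifier {exc!r}")
            node = ("WITH", node, exc)
        return node

    def and_expr():
        node = with_expr()
        while peek() == "AND":
            take()
            node = ("AND", node, with_expr())
        return node

    def or_expr():
        node = and_expr()
        while peek() == "OR":
            take()
            node = ("OR", node, and_expr())
        return node

    tree = or_expr()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in license expression: {tokens[pos:]}")
    return tree


def is_valid_expression(text):
    try:
        parse_license_expression(text)
        return True
    except ValueError:
        return False


def acceptable(tree, allowed):
    """Policy evaluation (this example's semantics, not the spec's): every identifier in an
    AND, and both halves of a WITH, must be in the allowed set; an OR is satisfied by either
    alternative. LicenseRef-* identifiers count only if explicitly allowed, since their
    text lives in section 6 and must be reviewed by a human first."""
    kind = tree[0]
    if kind == "ID":
        return tree[1] in allowed
    if kind == "WITH":
        return acceptable(tree[1], allowed) and tree[2] in allowed
    if kind == "AND":
        return acceptable(tree[1], allowed) and acceptable(tree[2], allowed)
    return acceptable(tree[1], allowed) or acceptable(tree[2], allowed)   # OR


def license_field_ok(value, allowed):
    """Evaluate a PackageLicenseConcluded/LicenseConcluded value. NONE and NOASSERTION carry
    no license information, so they are never acceptable without review."""
    if value in ("NONE", "NOASSERTION"):
        return False
    return acceptable(parse_license_expression(value), allowed)
```

The parser is deliberately strict: it rejects stray characters, unbalanced parentheses and a "+" on a LicenseRef, rather than guessing, because a license field that fails to parse should block an automated decision and go to a person.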

    3.16 Comments on License

    3.16.3 Cardinality: Optional, one.

    3.17 Copyright Text

    3.17.3 Cardinality: Mandatory, one.

    3.17.4 Data Format: free form text that can span multiple lines | NONE | NOASSERTION

    3.17.5 Tag: PackageCopyrightText:
    In tag:value format multiple lines are delimited by <text> .. </text>.
    Example:
    PackageCopyrightText: Copyright 2008-2010 John Smith

    3.18 Package Summary Description

    3.18.3 Cardinality: Optional, one.

    3.19 Package Detailed Description

    3.19.3 Cardinality: Optional, one.

    3.20 Package Comment

    3.20.3 Cardinality: Optional, one.

    3.21 External Reference

    3.21.3 Cardinality: Optional (one or many)

    3.22 External Reference Comment

    3.22.3 Cardinality: Conditional (Optional, one) for each External Reference.

    3.23 Package Attribution Text

    3.23.3 Cardinality: Optional, one or many.

    4 File Information

    4.1 File Name

    4.1.3 Cardinality: Mandatory, one.

    4.1.4 Data Format: A filename relative to the root of the package archive or directory.

    4.1.5 Tag: FileName:
    Example:
    FileName: ./package/foo.c

    4.2 File SPDX Identifier

    4.2.3 Cardinality: Mandatory, one.

    4.2.4 Data Format: “SPDXRef-”[idstring]
    where [idstring] is a unique string containing letters, numbers, . and/or -.

    4.2.5 Tag: SPDXID:
    Example:
    SPDXID: SPDXRef-1

    4.3 File Type

    4.3.3 Cardinality: Optional, multiple.

    4.3.4 Data Format: SOURCE | BINARY | ARCHIVE | APPLICATION | AUDIO | IMAGE | TEXT | VIDEO |
    DOCUMENTATION | SPDX | OTHER

    4.3.5 Tag: FileType:
    Example:
    FileType: BINARY
    Example: (for a README.TXT)
    FileType: TEXT
    FileType: DOCUMENTATION
    Example (foo.exe)
    FileType: BINARY
    FileType: APPLICATION

    4.4 File Checksum

    4.4.3 Cardinality: Mandatory, one SHA1, others may be optionally provided.

    4.4.5 Data Format: In tag:value there are three components, an algorithm identifier
    (SHA1), a separator (“:”) and a checksum value. The RDF must also contain an algorithm
    identifier and a checksum value. For example, when the algorithm identifier is SHA1, the
    checksum value should be a 160 bit value represented as 40 lowercase hexadecimal digits.
    For other algorithms, an appropriate number of hexadecimal digits is expected.

    4.4.6 Tag: FileChecksum:
    Example:
    FileChecksum: SHA1: d6a770ba38583ed4bb4525bd96e50461655d2758
    FileChecksum: MD5: 624c1abb3664f4b35547e7c73864ad24

    4.5 Concluded License

    4.5.3 Cardinality: Mandatory, one.

    4.5.4 Data Format: <SPDX License Expression> | NONE | NOASSERTION
    where:
    <SPDX License Expression> is a valid SPDX License Expression as defined in Appendix IV.

    4.5.5 Tag: LicenseConcluded:

    Example:
    LicenseConcluded: LGPL-2.0-only
    Example:
    LicenseConcluded: (LGPL-2.0-only OR LicenseRef-2)

    4.6 License Information in File

    4.6.3 Cardinality: Mandatory, one or many.

    4.6.4 Data Format: <SPDX License Expression> | ["DocumentRef-"[idstring]":"]"LicenseRef-"[idstring] | NONE | NOASSERTION

    where:
    <SPDX License Expression> is a valid SPDX License Expression as defined in Appendix IV.
    "DocumentRef-"[idstring]":" is an optional reference to an external SPDX document as described in section 2.6.
    [idstring] is a unique string containing letters, numbers, . and/or -.

    4.6.5 Tag: LicenseInfoInFile:
    Example:
    LicenseInfoInFile: GPL-2.0-only
    LicenseInfoInFile: LicenseRef-2

    4.7 Comments on License

    4.7.3 Cardinality: Optional, one.

    4.8 Copyright Text

    4.8.3 Cardinality: Mandatory, one.

    4.8.4 Data Format: Free form text that can span multiple lines | NONE | NOASSERTION

    4.8.5 Tag: FileCopyrightText:

    In tag:value format multiple lines are delimited by <text> .. </text>.
    Example:
    FileCopyrightText: Copyright 2008-2010 John Smith

    4.9 Artifact of Project Name (deprecated)

    4.10 Artifact of Project Homepage (deprecated)

    4.11 Artifact of Project Uniform Resource Identifier (deprecated)

    4.12 File Comment

    4.12.3 Cardinality: Optional, one.

    4.12.4 Data Format: Free form text that can span multiple lines

    4.12.5 Tag: FileComment:
    In tag:value format multiple lines are delimited by <text> .. </text>.
    Example:
    FileComment:
    This file appears in other packages, such as Foo and Ufoo.

    4.13 File Notice

    4.13.3 Cardinality: Optional, one.

    4.14 File Contributor

    4.14.3 Cardinality: Optional, one or many.

    4.14.4 Data Format: Free form text on a single line.

    4.14.5 Tag: FileContributor:
    In tag:value format single line per contributor.
    Example:
    FileContributor: Modified by Paul Mundt lethal@linux-sh.org
    FileContributor: The Regents of the University of California
    FileContributor: IBM Corporation

    4.15 File Attribution Text

    4.15.3 Cardinality: Optional, one or many.

    4.16 File Dependencies (deprecated)

    5 Snippet Information

    Snippets can optionally be used when a file is known to have some content that has been
    included from another original source. They are useful for denoting when part of a file may
    have been originally created under another license.

    5.1 Snippet SPDX Identifier

    5.1.3 Cardinality: Mandatory, one.

    5.2 Snippet from File SPDX Identifier

    5.2.3 Cardinality: Mandatory, one.

    5.3 Snippet Byte Range

    5.3.3 Cardinality: Mandatory, one.

    5.4 Snippet Line Range

    5.4.3 Cardinality: Optional, one.

    5.5 Snippet Concluded License

    5.5.3 Cardinality: Mandatory, one.

    5.6 License Information in Snippet

    5.6.3 Cardinality: Optional, one or many.

    5.7 Snippet Comments on License

    5.7.3 Cardinality: Optional, one.

    5.8 Snippet Copyright Text

    5.8.3 Cardinality: Mandatory, one.

    5.9 Snippet Comment

    5.9.3 Cardinality: Optional, one.

    5.10 Snippet Name

    5.10.3 Cardinality: Optional, one.

    5.11 Snippet Attribution Text

    5.11.3 Cardinality: Optional, one or many.

    6 Other Licensing Information Detected

    6.1 License Identifier

    6.1.3 Cardinality: Conditional (mandatory, one) if license is not on SPDX License List.

    6.2 Extracted Text

    6.2.3 Cardinality: Conditional (Mandatory, one) if there is a License Identifier assigned.

    6.3 License Name

    6.3.3 Cardinality: Conditional (mandatory, one) if license is not on SPDX License List.

    6.4 License Cross Reference

    6.4.3 Cardinality: Conditional (optional, one or more) if license is not on SPDX License List.

    6.5 License Comment

    6.5.3 Cardinality: Optional, one.

    7 Relationships between SPDX Elements

    7.1 Relationship

    7.1.1 Purpose

    This field provides information about the relationship between two SPDX elements. For example, it can express a relationship between two different files, between a package and a file, between two packages, or between two SPDX documents.

    7.1.4 Data Format
    ["DocumentRef-"[idstring]":"]SPDXID <relationship> ["DocumentRef-"[idstring]":"]SPDXID | NONE | NOASSERTION
    where "DocumentRef-"[idstring]":" is an optional reference to an external SPDX document as described in section 2.6, and <relationship> is one of the relationship types defined by the specification (the examples below use CONTAINS, AMENDS and DEPENDS_ON).

    7.1.5 Tag: Relationship
    Examples:
    Relationship: SPDXRef-grep CONTAINS SPDXRef-make
    RelationshipComment: Package grep contains file make
    Relationship: SPDXRef-DOCUMENT AMENDS DocumentRef-SPDXA:SPDXRef-DOCUMENT
    RelationshipComment: This current document is an amendment of the SPDXA
    document.
    Relationship: SPDXRef-CarolCompression DEPENDS_ON NONE
    RelationshipComment: The package CarolCompression can be considered as a root
    with no dependencies.
    Relationship: SPDXRef-BobBrowser CONTAINS NOASSERTION
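Relationships are what turn a list of packages into a graph an analyst can query, so the two checks worth automating are that every referenced SPDXID resolves, and that DEPENDS_ON chains can be walked while honouring NONE and NOASSERTION. The script below is an added example, not code from the spec or the SPDX tools. Its embedded document is constructed: the SPDXIDs and the ExternalDocumentRef are invented, the ExternalDocumentRef line follows the spec's 2.6.5 layout (DocumentRef-id, URI, checksum), which these notes do not reproduce, and only the shape of a relationship type is validated, since the spec's list of types is not on this page.

```python
import re

# Constructed document fragment: the relationship lines reuse the examples above plus a few
# extra edges; all SPDXIDs, the URI and the checksum are made up for this example.
SAMPLE_DOC = """\
SPDXVersion: SPDX-2.2
SPDXID: SPDXRef-DOCUMENT
ExternalDocumentRef: DocumentRef-SPDXA http://example.com/spdxdocs/spdxa-0001 SHA1: d6a770ba38583ed4bb4525bd96e50461655d2758
PackageName: grep
SPDXID: SPDXRef-grep
PackageName: CarolCompression
SPDXID: SPDXRef-CarolCompression
PackageName: BobBrowser
SPDXID: SPDXRef-BobBrowser
PackageName: AliceCrypto
SPDXID: SPDXRef-AliceCrypto
FileName: ./make
SPDXID: SPDXRef-make
Relationship: SPDXRef-grep CONTAINS SPDXRef-make
Relationship: SPDXRef-DOCUMENT AMENDS DocumentRef-SPDXA:SPDXRef-DOCUMENT
Relationship: SPDXRef-CarolCompression DEPENDS_ON NONE
Relationship: SPDXRef-BobBrowser CONTAINS NOASSERTION
Relationship: SPDXRef-BobBrowser DEPENDS_ON SPDXRef-grep
Relationship: SPDXRef-grep DEPENDS_ON SPDXRef-CarolCompression
Relationship: SPDXRef-grep DEPENDS_ON SPDXRef-AliceCrypto
Relationship: SPDXRef-AliceCrypto DEPENDS_ON NOASSERTION
Relationship: SPDXRef-BobBrowser DEPENDS_ON SPDXRef-libmissing
"""

ELEMENT = r"(?:DocumentRef-[A-Za-z0-9.-]+:)?SPDXRef-[A-Za-z0-9.-]+"
# 7.1.4 shape: element <relationship> element | NONE | NOASSERTION. Only the shape of the
# relationship type (upper-case word) is checked; the spec's list of types is not on this page.
RELATIONSHIP_RE = re.compile(rf"^({ELEMENT})\s+([A-Z_]+)\s+({ELEMENT}|NONE|NOASSERTION)$")


def is_valid_relationship(value):
    return RELATIONSHIP_RE.match(value) is not None


def load_relationships(text):
    """Collect local SPDXIDs, declared external document prefixes and parsed Relationship triples."""
    ids, externals, rels = set(), set(), []
    for raw in text.splitlines():
        tag, _, value = raw.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "SPDXID":
            ids.add(value)
        elif tag == "ExternalDocumentRef":
            externals.add(value.split()[0])          # the DocumentRef-... prefix
        elif tag == "Relationship":
            m = RELATIONSHIP_RE.match(value)
            if not m:
                raise ValueError(f"malformed Relationship: {value!r}")
            rels.append(m.groups())
    return ids, externals, rels


def check_references(ids, externals, rels):
    """Every element named in a relationship must resolve: a bare SPDXRef-... must be defined in
    this document, a DocumentRef-X:SPDXRef-... must name a declared ExternalDocumentRef.
    Returns the list of dangling references."""
    problems = []
    for left, _rtype, right in rels:
        for element in (left, right):
            if element in ("NONE", "NOASSERTION"):
                continue
            if ":" in element:
                prefix = element.split(":", 1)[0]
                if prefix not in externals:
                    problems.append(f"{element}: undeclared external document {prefix}")
            elif element not in ids:
                problems.append(f"{element}: no element with this SPDXID in the document")
    return problems


def dependency_closure(rels, start):
    """Transitive DEPENDS_ON closure from start. A NONE edge is terminal by definition; a
    NOASSERTION edge means the author made no claim, so the closure is flagged incomplete.
    Returns (set_of_dependencies, incomplete_flag)."""
    graph = {}
    for left, rtype, right in rels:
        if rtype == "DEPENDS_ON":
            graph.setdefault(left, []).append(right)
    seen, incomplete, stack = set(), False, [start]
    while stack:
        node = stack.pop()
        for dep in graph.get(node, []):
            if dep == "NONE":
                continue
            if dep == "NOASSERTION":
                incomplete = True
            elif dep != start and dep not in seen:   # 'seen' also guards against cycles
                seen.add(dep)
                stack.append(dep)
    return seen, incomplete
```

Note the asymmetry the spec builds in: DEPENDS_ON NONE is a positive statement that a package is a root with no dependencies, whereas DEPENDS_ON NOASSERTION says nothing, so a vulnerability triage that walks the graph must report the second case as unknown rather than silently treating it as "no dependencies".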

    8 Annotations

    8.1 Annotator

    8.1.4 Data Format: Single line of text with the following keywords.
    "Person: person name" and optional "(email)"
    "Organization: organization" and optional "(email)"
    "Tool: tool identifier - version"

    8.2 Annotation Date

    8.2.4 Data Format: YYYY-MM-DDThh:mm:ssZ

    where:

    • YYYY is year
    • MM is month with leading zero
    • DD is day with leading zero
    • T is delimiter for time
    • hh is hours with leading zero in 24 hour time
    • mm is minutes with leading zero
    • ss is seconds with leading zero
    • Z is universal time indicator

    8.3 Annotation Type

    8.3.4 Data Format: REVIEW | OTHER

    8.4 SPDX Identifier Reference

    8.4.4 Data Format: ["DocumentRef-"[idstring]":"]SPDXID

    where:

    ["DocumentRef-"[idstring]":"] is an optional reference to an external SPDX document as described in section 2.6.
    SPDXID is a unique string containing letters, numbers, . and/or -, as described in Sections 2.3, 3.2 and 4.2.

    8.5 Annotation Comment

    8.5.4 Data Format: Free form text that can span multiple lines.

    9 Review Information (deprecated)

    The Review Information fields are included for compatibility with SPDX 1.2 and have been deprecated since SPDX 2.0. Any review information should be recorded using the Annotations of section 8 with annotation type REVIEW.

    Original source: https://blog.csdn.net/phmatthaus/article/details/126349812