`spdx`¶

Generate an SPDX file.

This is following the specification from https://spdx.github.io/spdx-spec/v2.3/ a simple example can be found at ./tests/tests_e3/spdx_test.py

Module Contents¶

Classes¶

`SPDXPackageSupplier`	Used by the SPDX originator field.
`SPDXEntry`	Describe an SPDX Entry.
`SPDXEntryStr`	Describe an SPDX Entry accepting a string.
`SPDXEntryMaybeStr`	Describe an SPDX Entry accepting a string, NOASSERTION, or NONE.
`SPDXEntryMaybeStrMultilines`	SPDX entry that can contain multiline string values.
`SPDXEntryBool`	Describe an SPDX Entry accepting a boolean.
`SPDXSection`	Describe an SPDX section.
`SPDXVersion`	Provide the SPDX version used to generate the document.
`DataLicense`	License of the SPDX Metadata.
`SPDXID`	Identify an SPDX Document, or Package.
`DocumentName`	Identify name of this document.
`DocumentNamespace`	Provide a unique URI for this document.
`LicenseListVersion`	Provide the version of the SPDX License List used.
`Entity`	Represent an Entity (Organization, Person, Tool).
`EntityRef`	Reference an Entity.
`Creator`	Identify who (or what, in the case of a tool) created the SPDX document.
`Created`	Identify when the SPDX document was originally created.
`Organization`	Identify an organization by its name.
`Person`	Identify a person by its name.
`Tool`	Identify a tool.
`PackageName`	Identify the full name of the package.
`PackageVersion`	Identify the version of the package.
`PackageFileName`	Provide the actual file name of the package.
`PackageSupplier`	Identify the actual distribution source for the package.
`PackageOriginator`	Identify from where the package originally came.
`PackageDownloadLocation`	Identifies the download location of the package.
`FilesAnalyzed`	Indicates whether the file content of this package have been analyzed.
`PackageChecksum`	Provide a mechanism that permits unique identification of the package.
`PackageHomePage`	Identifies the homepage location of the package.
`SHA1`	SHA1 checksum for SPDX package verification.
`SHA256`	SHA256 checksum for SPDX package verification.
`SHA512`	SHA512 checksum for SPDX package verification.
`PackageLicenseConcluded`	Contain the license concluded as governing the package.
`PackageLicenseDeclared`	Contain the license having been declared by the authors of the package.
`PackageLicenseComments`	Record background information or analysis for the Concluded License.
`PackageCopyrightText`	Identify the copyright holders of the package.
`PackageDescription`	A more detailed description of the package.
`PackageComment`	Record background information or analysis for the Concluded License.
`ExternalRefCategory`	Identify the category of an ExternalRef.
`ExternalRef`	Reference an external source of information relevant to the package.
`PrimaryPackagePurpose`	Provides information about the primary purpose of the identified package.
`RelationshipType`	Describes the type of relationship between two SPDX elements.
`Relationship`	Provides information about the relationship between two SPDX elements.
`Package`	Describe a package.
`DocumentInformation`	Describe the SPDX Document.
`CreationInformation`	Document where and by whom the SPDX document has been created.
`Document`	Describe the SPDX Document.

Functions¶

get_entity(→ Organization | Person | Tool | None)

Get an entity according to an entity string.

Attributes¶

`NOASSERTION`	Indicates that the preparer of the SPDX document is not making any assertion
`NONE_VALUE`	When this value is used as the object of a property it indicates that the
`MAYBE_STR`
`SPDXID_R`
`InvalidSPDX`
`SECURITY`
`PACKAGE_MANAGER`
`PERSISTENT_ID`
`OTHER`
`SPDX_EXTERNAL_REF_TYPES`

spdx.NOASSERTION: Literal[NOASSERTION] = 'NOASSERTION'¶: Indicates that the preparer of the SPDX document is not making any assertion regarding the value of this field.

spdx.NONE_VALUE: Literal[NONE] = 'NONE'¶: When this value is used as the object of a property it indicates that the preparer of the SpdxDocument believes that there is no value for the property. This value should only be used if there is sufficient evidence to support this assertion.

spdx.MAYBE_STR¶

spdx.SPDXID_R¶

spdx.get_entity(value: str | None) → Organization | Person | Tool | None¶

Get an entity according to an entity string.

The entity string looks like <entity_type>: <entity_name>. If the entity type is Organization, Person or Tool, the appropriate Organization, Person or Tool initialized with entity_name is returned.

If not possible match if found, None is returned.

Parameters:: value – A string to extract entity definition from.
Returns:: The entity initialized by value, or None on error.

exception spdx.InvalidSPDXError¶

Bases: Exception

Raise an exception when the SPDX document cannot be generated.

spdx.InvalidSPDX¶

class spdx.SPDXPackageSupplier(*args, **kwds)¶

Bases: enum.Enum

Used by the SPDX originator field.

This field is composed of a package supplier type (organization, person, tool) and a name.

This enum represents the package supplier type.

ORGANIZATION = 'Organization'¶

PERSON = 'Person'¶

TOOL = 'Tool'¶

class spdx.SPDXEntry¶

Describe an SPDX Entry.

property entry_key: str¶: Name of the SPDXEntry as visible in the SPDX tag:value report.

property json_entry_key: str¶: Name of the SPDXEntry as visible in the SPDX JSON report.

classmethod get_entry_key() → str¶: Name of the SPDXEntry as visible in the SPDX tag:value report.

classmethod get_json_entry_key() → str¶: Name of the SPDXEntry as visible in the SPDX JSON report.

abstract __str__() → str¶: Return string representation of SPDX entry.

__format__(format_spec: str) → str¶

Format the entry.

Parameters:: format_spec – format specification

to_tagvalue() → str¶: Return a valid tag:value line.

abstract to_json_dict() → dict[str, Any]¶: Return a chunk of the SPDX JSON document.

class spdx.SPDXEntryStr(value: str)¶

Bases: SPDXEntry

Describe an SPDX Entry accepting a string.

__str__() → str¶: Return string representation of SPDX entry.

__gt__(other: object) → bool¶

Compare entries.

Parameters:: other – other entry to compare with

to_json_dict() → dict[str, Any]¶: Convert to JSON-serializable dictionary format.

class spdx.SPDXEntryMaybeStr(value: MAYBE_STR)¶

Bases: SPDXEntry

Describe an SPDX Entry accepting a string, NOASSERTION, or NONE.

__str__() → str¶: Return string representation of SPDX entry.

to_json_dict() → dict[str, Any]¶: Convert to JSON-serializable dictionary format.

class spdx.SPDXEntryMaybeStrMultilines(value: MAYBE_STR)¶

Bases: SPDXEntryMaybeStr

SPDX entry that can contain multiline string values.

to_tagvalue() → str¶

Return the content that can span to multiple lines.

In tag:value format multiple lines are delimited by <text>…</text>.

class spdx.SPDXEntryBool(value: bool)¶

Bases: SPDXEntry

Describe an SPDX Entry accepting a boolean.

__str__() → str¶: Return string representation of boolean value.

to_json_dict() → dict[str, Any]¶: Convert to JSON-serializable dictionary format.

class spdx.SPDXSection¶

Describe an SPDX section.

to_tagvalue() → list[str]¶

Generate a chunk of an SPDX tag:value document.

Return a list of SPDX lines

to_json_dict() → dict[str, Any]¶: Convert to JSON-serializable dictionary format.

class spdx.SPDXVersion(value: str)¶

Bases: SPDXEntryStr

Provide the SPDX version used to generate the document.

See 6.1 SPDX version field.

VERSION: str = 'SPDX-2.3'¶

json_entry_key = 'spdxVersion'¶

classmethod from_json_dict(obj: dict[str, Any]) → SPDXVersion¶

Initialize an SPDXVersion from a dict.

If an SPDX version value could not be extracted from obj, the default value SPDXVersion.VERSION is used.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an SPDXVersion with.

For instance:

>>> from e3.spdx import SPDXVersion
>>> SPDXVersion.from_json_dict({"spdxVersion": "1.2.3"}).value
'1.2.3'
>>> SPDXVersion.from_json_dict({"xxx": "1.2.3"}).value
'SPDX-2.3'

Returns:: The SPDXVersion initialized with the value of obj.

class spdx.DataLicense(value: str)¶

Bases: SPDXEntryStr

License of the SPDX Metadata.

See 6.2 Data license field.

LICENSE: str = 'CC0-1.0'¶

classmethod from_json_dict(obj: dict[str, Any]) → DataLicense¶

Initialize a DataLicense from a dict.

If a data license value could not be extracted from obj, the default value DataLicense.LICENSE is used.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize a DataLicense with.

For instance:

>>> from e3.spdx import DataLicense
>>> DataLicense.from_json_dict({"dataLicense": "1.2.3"}).value
'1.2.3'
>>> DataLicense.from_json_dict({"xxx": "1.2.3"}).value
'CC0-1.0'

Returns:: The DataLicense initialized with the value of obj.

class spdx.SPDXID(value: str)¶

Bases: SPDXEntryStr

Identify an SPDX Document, or Package.

See 6.3 SPDX identifier field and 7.2 Package SPDX identifier field.

The value is a unique string containing letters, numbers, ., and/or -.

PREFIX: str = 'SPDXRef-'¶

DEFAULT_ID: str = 'DOCUMENT'¶

json_entry_key = 'SPDXID'¶

__str__() → str¶: Return string representation of SPDX ID.

__eq__(o: object) → bool¶

Check equality.

Parameters:: o – object to compare with

__hash__() → int¶: Return hash value of SPDX ID.

classmethod from_json_dict(obj: dict[str, Any]) → SPDXID¶

Initialize an SPDXID from a dict.

If an SPDX ID value could not be extracted from obj, the default value SPDXID.DEFAULT_ID is used.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an SPDXID with.

For instance:

>>> from e3.spdx import SPDXID
>>> SPDXID.from_json_dict({"SPDXID": "1.2.3"}).value
'1.2.3'
>>> SPDXID.from_json_dict({"xxx": "1.2.3"}).value
'DOCUMENT'

Returns:: The SPDXID initialized with the value of obj.

class spdx.DocumentName(value: str)¶

Bases: SPDXEntryStr

Identify name of this document.

See 6.4 Document name field.

json_entry_key = 'name'¶

class spdx.DocumentNamespace(value: str)¶

Bases: SPDXEntryStr

Provide a unique URI for this document.

See 6.5 SPDX document namespace field.

classmethod from_json_dict(obj: dict[str, Any]) → DocumentNamespace¶

Initialize a DocumentNamespace from a dict.

If a document namespace value could not be extracted from obj, an empty string is used.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize a DocumentNamespace with.

For instance:

>>> from e3.spdx import DocumentNamespace
>>> DocumentNamespace.from_json_dict({"documentNamespace": "namespace"}).value
'namespace'
>>> DocumentNamespace.from_json_dict({"xxx": "namespace"}).value
''

Returns:: The DocumentNamespace initialized with the value of obj.

class spdx.LicenseListVersion(value: str)¶

Bases: SPDXEntryStr

Provide the version of the SPDX License List used.

See 6.7 License list version field.

VERSION: str = '3.19'¶: Default license list version value.

classmethod from_json_dict(obj: dict[str, str]) → LicenseListVersion¶

Initialize a LicenseListVersion from a dict.

If a license list version value could not be extracted from obj, the default LicenseListVersion.VERSION value is used.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize a LicenseListVersion with.

For instance:

>>> from e3.spdx import LicenseListVersion
>>> LicenseListVersion.from_json_dict({"licenseListVersion": "3.2.1"}).value
'3.2.1'
>>> LicenseListVersion.from_json_dict({"xxx": "3.2.1"}).value
'3.19'

Returns:: The LicenseListVersion initialized with the value of obj.

class spdx.Entity(value: str)¶

Bases: SPDXEntryStr

Represent an Entity (Organization, Person, Tool).

classmethod from_json_dict(obj: dict[str, str]) → Tool | Person | Organization | None¶

Initialize an Entity from a dict.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an Entity with.
Returns:: The Entity initialized with the value of obj, or None if the JSON key does not match.

class spdx.EntityRef(value: Entity | Literal[NOASSERTION])¶

Bases: SPDXEntry

Reference an Entity.

Accept NOASSERTION as a valid value.

__str__() → str¶: Return string representation of entity reference.

to_tagvalue() → str¶: Convert to SPDX tag-value format string.

to_json_dict() → dict[str, Any]¶: Convert to JSON-serializable dictionary format.

class spdx.Creator(value: Entity | Literal[NOASSERTION])¶

Bases: EntityRef

Identify who (or what, in the case of a tool) created the SPDX document.

See 6.8 Creator field.

json_entry_key = 'creators'¶

classmethod from_json_dict(obj: dict[str, Any]) → Creator | None¶

Initialize a Creator from a dict.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize a Creator with.
Returns:: The Creator initialized with the value of obj, or None if the JSON key does not match.

class spdx.Created(value: str)¶

Bases: SPDXEntryStr

Identify when the SPDX document was originally created.

See 6.9 Created field.

classmethod from_json_dict(obj: dict[str, Any]) → Created¶

Initialize a Created from a dict.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an Created with.
Returns:: The Created initialized with the value of obj.

class spdx.Organization(value: str)¶

Bases: Entity

Identify an organization by its name.

class spdx.Person(value: str)¶

Bases: Entity

Identify a person by its name.

class spdx.Tool(value: str)¶

Bases: Entity

Identify a tool.

class spdx.PackageName(value: str)¶

Bases: SPDXEntryStr

Identify the full name of the package.

See 7.1 Package name field

json_entry_key = 'name'¶

classmethod from_json_dict(obj: dict[str, Any]) → PackageName¶

Initialize a PackageName from a dict.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an PackageName with.
Returns:: The PackageName initialized with the value of obj.

class spdx.PackageVersion(value: str)¶

Bases: SPDXEntryStr

Identify the version of the package.

See 7.3 Package version field

json_entry_key = 'versionInfo'¶

classmethod from_json_dict(obj: dict[str, Any]) → PackageVersion¶

Initialize a PackageVersion from a dict.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an PackageVersion with.
Returns:: The PackageVersion initialized with the value of obj.

class spdx.PackageFileName(value: str)¶

Bases: SPDXEntryStr

Provide the actual file name of the package.

See 7.4 Package file name field

classmethod from_json_dict(obj: dict[str, Any]) → PackageFileName¶

Initialize a PackageFileName from a dict.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an PackageFileName with.
Returns:: The PackageFileName initialized with the value of obj.

class spdx.PackageSupplier(value: Entity | Literal[NOASSERTION])¶

Bases: EntityRef

Identify the actual distribution source for the package.

See 7.5 Package supplier field

json_entry_key = 'supplier'¶

classmethod from_json_dict(obj: dict[str, Any]) → PackageSupplier | None¶

Initialize a PackageSupplier from a dict.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize a PackageSupplier with.
Returns:: The PackageSupplier initialized with the value of obj, or None if the JSON key does not match.

class spdx.PackageOriginator(value: Entity | Literal[NOASSERTION])¶

Bases: EntityRef

Identify from where the package originally came.

See 7.6 Package originator field

json_entry_key = 'originator'¶

classmethod from_json_dict(obj: dict[str, Any]) → PackageOriginator | None¶

Initialize a PackageOriginator from a dict.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize a PackageOriginator with.
Returns:: The PackageOriginator initialized with the value of obj, or None if the JSON key does not match.

class spdx.PackageDownloadLocation(value: MAYBE_STR)¶

Bases: SPDXEntryMaybeStr

Identifies the download location of the package.

See 7.7 Package download location field

json_entry_key = 'downloadLocation'¶

classmethod from_json_dict(obj: dict[str, Any]) → PackageDownloadLocation¶

Initialize a PackageDownloadLocation from a dict.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an PackageDownloadLocation with.
Returns:: The PackageDownloadLocation initialized with the value of obj.

class spdx.FilesAnalyzed(value: bool)¶

Bases: SPDXEntryBool

Indicates whether the file content of this package have been analyzed.

See 7.8 Files analyzed field

classmethod from_json_dict(obj: dict[str, Any]) → FilesAnalyzed¶

Initialize a FilesAnalyzed from a dict.

By default, if obj does not contain this class’ JSON entry key, FilesAnalyzed(False) is returned.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an FilesAnalyzed with.
Returns:: The FilesAnalyzed initialized with the value of obj.

class spdx.PackageChecksum(value: str)¶

Bases: SPDXEntryStr

Provide a mechanism that permits unique identification of the package.

See 7.10 Package checksum field

abstract property algorithm: str¶: Algorithm.

entry_key = 'PackageChecksum'¶

json_entry_key = 'checksums'¶

__str__() → str¶: Return string representation of package checksum.

to_json_dict() → dict[str, dict[str, str]]¶: Convert to JSON-serializable dictionary format.

classmethod from_json_dict(obj: dict[str, Any]) → PackageChecksum¶

Initialize a PackageChecksum from a dict.

Supported algorithms so far:

sha1
sha256
sha512

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an PackageChecksum with.
Returns:: The PackageChecksum initialized with the value of obj.
Raise:: ValueError if the algorithm defined by obj is not supported.

class spdx.PackageHomePage(value: MAYBE_STR)¶

Bases: SPDXEntryMaybeStr

Identifies the homepage location of the package.

See 7.11 Package home page field

json_entry_key = 'homepage'¶

classmethod from_json_dict(obj: dict[str, Any]) → PackageHomePage | None¶

Initialize a PackageHomePage from a dict.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an PackageHomePage with.
Returns:: The PackageHomePage initialized with the value of obj.

class spdx.SHA1(value: str)¶

Bases: PackageChecksum

SHA1 checksum for SPDX package verification.

algorithm = 'SHA1'¶

class spdx.SHA256(value: str)¶

Bases: PackageChecksum

SHA256 checksum for SPDX package verification.

algorithm = 'SHA256'¶

class spdx.SHA512(value: str)¶

Bases: PackageChecksum

SHA512 checksum for SPDX package verification.

algorithm = 'SHA512'¶

class spdx.PackageLicenseConcluded(value: MAYBE_STR)¶

Bases: SPDXEntryMaybeStr

Contain the license concluded as governing the package.

See 7.13 Concluded license field

json_entry_key = 'licenseConcluded'¶

classmethod from_json_dict(obj: dict[str, Any]) → PackageLicenseConcluded¶

Initialize a PackageLicenseConcluded from a dict.

By default, a PackageLicenseConcluded(NONE_VALUE) is returned.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an PackageLicenseConcluded with.
Returns:: The PackageLicenseConcluded initialized with the value of obj.

class spdx.PackageLicenseDeclared(value: MAYBE_STR)¶

Bases: SPDXEntryMaybeStr

Contain the license having been declared by the authors of the package.

See 7.15 Declared license field

json_entry_key = 'licenseDeclared'¶

classmethod from_json_dict(obj: dict[str, Any]) → PackageLicenseDeclared | None¶

Initialize a PackageLicenseDeclared from a dict.

By default, None is returned.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an PackageLicenseDeclared with.
Returns:: The PackageLicenseDeclared initialized with the value of obj.

class spdx.PackageLicenseComments(value: MAYBE_STR)¶

Bases: SPDXEntryMaybeStrMultilines

Record background information or analysis for the Concluded License.

See 7.16 Comments on license field

json_entry_key = 'licenseComments'¶

classmethod from_json_dict(obj: dict[str, Any]) → PackageLicenseComments | None¶

Initialize a PackageLicenseComments from a dict.

By default, None is returned.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an PackageLicenseComments with.
Returns:: The PackageLicenseComments initialized with the value of obj.

class spdx.PackageCopyrightText(value: MAYBE_STR)¶

Bases: SPDXEntryMaybeStrMultilines

Identify the copyright holders of the package.

See 7.17 Copyright text field

json_entry_key = 'copyrightText'¶

classmethod from_json_dict(obj: dict[str, Any]) → PackageCopyrightText | None¶

Initialize a PackageCopyrightText from a dict.

By default, None is returned.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an PackageCopyrightText with.
Returns:: The PackageCopyrightText initialized with the value of obj.

class spdx.PackageDescription(value: MAYBE_STR)¶

Bases: SPDXEntryMaybeStrMultilines

A more detailed description of the package.

It may also be extracted from the packages itself.

Provides recipients of the SPDX document with a detailed technical explanation of the functionality, anticipated use, and anticipated implementation of the package. This field may also include a description of improvements over prior versions of the package.

See 7.19 Package detailed description field

json_entry_key = 'description'¶

classmethod from_json_dict(obj: dict[str, Any]) → PackageDescription | None¶

Initialize a PackageDescription from a dict.

By default, None is returned.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an PackageDescription with.
Returns:: The PackageDescription initialized with the value of obj.

class spdx.PackageComment(value: MAYBE_STR)¶

Bases: SPDXEntryMaybeStrMultilines

Record background information or analysis for the Concluded License.

See 7.20 Package comment field

json_entry_key = 'comment'¶

classmethod from_json_dict(obj: dict[str, Any]) → PackageComment | None¶

Initialize a PackageComment from a dict.

By default, None is returned.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an PackageComment with.
Returns:: The PackageComment initialized with the value of obj.

class spdx.ExternalRefCategory(*args, **kwds)¶

Bases: enum.Enum

Identify the category of an ExternalRef.

security = 'SECURITY'¶

package_manager = 'PACKAGE-MANAGER'¶

persistent_id = 'PERSISTENT-ID'¶

other = 'OTHER'¶

spdx.SECURITY¶

spdx.PACKAGE_MANAGER¶

spdx.PERSISTENT_ID¶

spdx.OTHER¶

spdx.SPDX_EXTERNAL_REF_TYPES = ((), (), (), (), (), (), (), (), (), (), (), (), ())¶

class spdx.ExternalRef(reference_category: ExternalRefCategory, reference_type: str, reference_locator: str)¶

Bases: SPDXEntry

Reference an external source of information relevant to the package.

See 7.21 External reference field

json_entry_key = 'externalRefs'¶

__str__() → str¶: Return string representation of external reference.

to_json_dict() → dict[str, dict[str, str]]¶: Return a chunk of the SPDX JSON document.

classmethod from_dict(external_ref_dict: dict[str, str]) → ExternalRef¶

Initialize an ExternalRef from a dict.

Parameters:: external_ref_dict – A dict containing the "referenceCategory", "referenceType" and "referenceLocator" keys. The values of those keys are used to initialize a new ExternalRef.
Returns:: The ExternalRef initialized with the value of external_ref_dict.

class spdx.PrimaryPackagePurpose(*args, **kwds)¶

Bases: enum.Enum

Provides information about the primary purpose of the identified package.

Package Purpose is intrinsic to how the package is being used rather than the content of the package. The options to populate this field are limited to the values below.

See 7.24 Primary Package Purpose field

APPLICATION¶

FRAMEWORK¶

LIBRARY¶

CONTAINER¶

OPERATING_SYSTEM¶

DEVICE¶

FIRMWARE¶

SOURCE¶

ARCHIVE¶

FILE¶

INSTALL¶

OTHER¶

classmethod get_json_entry_key() → str¶: Return JSON entry key for this object.

to_tagvalue() → str¶: Convert to SPDX tag-value format string.

to_json_dict() → dict[str, str]¶: Convert to JSON-serializable dictionary format.

classmethod from_json_dict(obj: dict[str, Any]) → PrimaryPackagePurpose | None¶

Initialize a PrimaryPackagePurpose from a dict.

By default, None is returned.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an PrimaryPackagePurpose with.
Returns:: The PrimaryPackagePurpose initialized with the value of obj.

class spdx.RelationshipType(*args, **kwds)¶

Bases: enum.Enum

Describes the type of relationship between two SPDX elements.

DESCRIBES¶

DESCRIBED_BY¶

CONTAINS¶

CONTAINED_BY¶

DEPENDS_ON¶

DEPENDENCY_OF¶

DEPENDENCY_MANIFEST_OF¶

BUILD_DEPENDENCY_OF¶

DEV_DEPENDENCY_OF¶

OPTIONAL_DEPENDENCY_OF¶

PROVIDED_DEPENDENCY_OF¶

TEST_DEPENDENCY_OF¶

RUNTIME_DEPENDENCY_OF¶

EXAMPLE_OF¶

GENERATES¶

GENERATED_FROM¶

ANCESTOR_OF¶

DESCENDANT_OF¶

VARIANT_OF¶

DISTRIBUTION_ARTIFACT¶

PATCH_FOR¶

PATCH_APPLIED¶

COPY_OF¶

FILE_ADDED¶

FILE_DELETED¶

FILE_MODIFIED¶

EXPANDED_FROM_ARCHIVE¶

DYNAMIC_LINK¶

STATIC_LINK¶

DATA_FILE_OF¶

TEST_CASE_OF¶

BUILD_TOOL_OF¶

DEV_TOOL_OF¶

TEST_OF¶

TEST_TOOL_OF¶

DOCUMENTATION_OF¶

OPTIONAL_COMPONENT_OF¶

METAFILE_OF¶

PACKAGE_OF¶

AMENDS¶

PREREQUISITE_FOR¶

HAS_PREREQUISITE¶

REQUIREMENT_DESCRIPTION_FOR¶

SPECIFICATION_FOR¶

OTHER¶

classmethod get_json_entry_key() → str¶: Return JSON entry key for this object.

to_tagvalue() → str¶: Convert to SPDX tag-value format string.

to_json_dict() → dict[str, str]¶: Convert to JSON-serializable dictionary format.

classmethod from_json_dict(obj: dict[str, Any]) → RelationshipType¶

Initialize a RelationshipType from a dict.

By default, RelationshipType.OTHER is returned.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an RelationshipType with.
Returns:: The RelationshipType initialized with the value of obj.

class spdx.Relationship(spdx_element_id: SPDXID, relationship_type: RelationshipType, related_spdx_element: SPDXID)¶

Bases: SPDXEntry

Provides information about the relationship between two SPDX elements.

See 11.1 Relationship field.

__eq__(other: object) → bool¶

Check if this relationship may be equal to other.

Returns:: True if all field of this relationship are equal to other’s fields.

__hash__() → int¶

Get the hash value of this SPDX relationship.

Returns:: The hash value of this relationship.

__str__() → str¶: Return string representation of relationship.

to_json_dict() → dict[str, str]¶: Convert to JSON-serializable dictionary format.

classmethod from_json_dict(obj: dict[str, Any]) → Relationship¶

Initialize a Relationship from a dict.

Parameters:: obj – A dict which key is this class’ JSON entry key, and the value, an object to initialize an Relationship with.
Returns:: The Relationship initialized with the value of obj.

class spdx.Package¶

Bases: SPDXSection

Describe a package.

If the SPDX information describes a package, the following fields shall be included per package. See 7 Package information section

Variables:

name (PackageName) – A mandatory single line of text identifying the full name of the package as given by the Package Originator (PackageOriginator).
spdx_id (SPDXID) – Uniquely identify any element in an SPDX document which may be referenced by other elements. These may be referenced internally and externally with the addition of the SPDX document identifier. Generally made of f"{name}-{version}".
version (PackageVersion) – Identify the version of the package.
file_name (PackageFileName) – Provide the actual file name of the package, or path of the directory being treated as a package. This may include the packaging and compression methods used as part of the file name, if appropriate.
checksum (list[PackageChecksum]) – Provide an independently reproducible mechanism that permits unique identification of a specific package that correlates to the data in this SPDX document. This identifier enables a recipient to determine if any file in the original package has been changed. If the SPDX document is to be included in a package, this value should not be calculated. The SHA1 algorithm shall be used to provide the checksum by default. The only supported checksum algorithms (for now) are SHA1 and SHA256.
supplier (PackageSupplier) – Identify the actual distribution source for the package/directory identified in the SPDX document. This might or might not be different from the originating distribution source for the package. The name of the Package Supplier shall be an organization or recognized author and not a website. For example, SourceForge is a host website, not a supplier, the supplier for https://sourceforge.net/projects/bridge/ is The Linux Foundation.
originator (PackageOriginator) – If the package identified in the SPDX document originated from a different person or organization than identified as Package Supplier (see supplier above), this field identifies from where or whom the package originally came. In some cases, a package may be created and originally distributed by a different third party than the Package Supplier of the package. For example, the SPDX document identifies the package as glibc and the Package Supplier as Red Hat, but the Free Software Foundation is the Package Originator.
copyright_text (PackageCopyrightText) – Identify the copyright holders of the package, as well as any dates present. This will be a free form text field extracted from package information files.
files_analyzed (FilesAnalyzed) – Indicates whether the file content of this package has been available for or subjected to analysis when creating the SPDX document. If false, indicates packages that represent metadata or URI references to a project, product, artifact, distribution or a component. If False, the package shall not contain any files.
license_concluded (PackageLicenseConcluded) – Contain the license the SPDX document creator has concluded as governing the package or alternative values, if the governing license cannot be determined.
license_comments (PackageLicenseComments | None) – This field provides a place for the SPDX document creator to record any relevant background information or analysis that went in to arriving at the Concluded License for a package. If the Concluded License does not match the Declared License or License Information from Files, this should be explained by the SPDX document creator. It is also preferable to include an explanation here when the Concluded License is NOASSERTION.
license_declared (PackageLicenseDeclared) – List the licenses that have been declared by the authors of the package. Any license information that does not originate from the package authors, e.g. license information from a third-party repository, should not be included in this field.
primary_purpose (PrimaryPackagePurposeType | None) – Provides information about the primary purpose of the identified package. Package Purpose is intrinsic to how the package is being used rather than the content of the package.
homepage (PackageHomePage | None) – Provide a place for the SPDX document creator to record a website that serves as the package’s home page. This link can also be used to reference further information about the package referenced by the SPDX document creator.
download_location (PackageDownloadLocation) – This section identifies the download Uniform Resource Locator (URL), or a specific location within a version control system (VCS) for the package at the time that the SPDX document was created.
external_refs (list[ExternalRef] | None) –
An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package. For instance:
```
ExternalRef(
    reference_category=ExternalRefCategory.package_manager,
    reference_type="purl",
    reference_locator="pkg:generic/my-dep@1b2"
)
```
description (PackageDescription | None) – This field is a more detailed description of the package. It may also be extracted from the packages itself.
comment (PackageComment | None) – This field provides a place for the SPDX document creator to record any general comments about the package being described.

name: PackageName¶

spdx_id: SPDXID¶

version: PackageVersion¶

file_name: PackageFileName¶

checksum: list[PackageChecksum]¶

supplier: PackageSupplier¶

originator: PackageOriginator¶

copyright_text: PackageCopyrightText | None¶

files_analyzed: FilesAnalyzed¶

license_concluded: PackageLicenseConcluded¶

license_comments: PackageLicenseComments | None¶

license_declared: PackageLicenseDeclared | None¶

homepage: PackageHomePage | None¶

download_location: PackageDownloadLocation¶

external_refs: list[ExternalRef] | None¶

comment: PackageComment | None¶

primary_purpose: PrimaryPackagePurpose | None¶

description: PackageDescription | None¶

classmethod from_json_dict(package_dict: dict[str, Any]) → Package¶

Initialize a Package from a dict.

Parameters:: package_dict – A dict containing JSON elements to initialize this Package with.
Returns:: The Package initialized with the values of obj.

class spdx.DocumentInformation¶

Bases: SPDXSection

Describe the SPDX Document.

document_name: DocumentName¶

document_namespace: DocumentNamespace¶

version: SPDXVersion¶

data_license: DataLicense¶

spdx_id: SPDXID¶

__post_init__() → None¶: Initialize document namespace after dataclass initialization.

classmethod from_json_dict(obj: dict[str, Any]) → DocumentInformation¶

Initialize a DocumentInformation from a dict.

Parameters:: obj – A dict containing JSON elements to initialize this DocumentInformation with.
Returns:: The DocumentInformation initialized with the values of obj.

class spdx.CreationInformation¶

Bases: SPDXSection

Document where and by whom the SPDX document has been created.

creators: list[Creator]¶

created_now: Created¶

license_list_version: LicenseListVersion¶

__post_init__() → None¶: Initialize creation timestamp after dataclass initialization.

classmethod from_json_dict(obj: dict[str, Any]) → CreationInformation¶

Initialize a CreationInformation from a dict.

Parameters:: obj – A dict containing JSON elements to initialize this CreationInformation with.
Returns:: The CreationInformation initialized with the values of obj.

class spdx.Document(document_name: str, creators: list[Entity])¶

Describe the SPDX Document.

property spdx_id: SPDXID¶: Return the Document SPDXID.

add_package(package: Package, is_main_package: bool = False, add_relationship: bool = True) → SPDXID¶

Add a new Package and describe its relationship to other elements.

Parameters:

package – An already created Package to be added to this SPDX document
is_main_package – whether the package is the main package, in which case a relationship will automatically be added to record that the document DESCRIBES this package. If false, it is assumed that the package is contained by the main package unless a relationship is explicitly passed
add_relationship – whether to automatically add a relationship element - either (DOCUMENT DESCRIBES <main package>) if is_main_package is True or (<main package> CONTAINS <package>)

Returns:

the package SPDX_ID

add_relationship(relationship: Relationship) → None¶

Add a new relationship to the document.

Parameters:: relationship – the Relationship to add

to_tagvalue() → list[str]¶: Generate a list of tag:value lines describing the SPDX document.

to_json_dict() → dict[str, Any]¶

Generate a representation of an SPDX following the JSON schema.

Generate a dictionary that can be dumped into a JSON.

classmethod from_json_dict(doc_dict: dict[str, Any]) → Document¶

Create a Document out of a JSON dict.

This may be used when initializing a Document from an SPDX JSON file, or to duplicate a Document.

For instance:

>>> import json
>>> from pathlib import Path
>>> with Path("my.spdx.json").open(
...     encoding="utf-8", errors="replace"
... ) as spdx_handle:
>>>     spdx_dict = json.load(spdx_handle)
>>> spdx_doc: Document = Document.from_json_dict(spdx_dict)
>>> spdx_doc2: Document = Document.from_json_dict(spdx_doc.to_json_dict())

Parameters:: doc_dict – The dict containing JSON values to initialize this Document with.
Returns:: A new Document initialized with the JSON values of doc_dict.

spdx¶

Module Contents¶

Classes¶

Functions¶

Attributes¶

`spdx`¶