spdx

Generate an SPDX file.

This follows the specification at https://spdx.github.io/spdx-spec/v2.3/; a simple example can be found at ./tests/tests_e3/spdx_test.py.

Module Contents
- spdx.NOASSERTION: Literal[NOASSERTION] = 'NOASSERTION'
Indicates that the preparer of the SPDX document is not making any assertion regarding the value of this field.
- spdx.NONE_VALUE: Literal[NONE] = 'NONE'
When this value is used as the object of a property it indicates that the preparer of the SpdxDocument believes that there is no value for the property. This value should only be used if there is sufficient evidence to support this assertion.
- spdx.MAYBE_STR
- spdx.SPDXID_R
- exception spdx.InvalidSPDX
Bases: Exception
Raise an exception when the SPDX document cannot be generated.
- class spdx.SPDXPackageSupplier(*args, **kwds)
Bases: enum.Enum
Used by the SPDX originator field.
This field is composed of a package supplier type (organization, person, tool) and a name.
This enum represents the package supplier type.
- ORGANIZATION = 'Organization'
- PERSON = 'Person'
- TOOL = 'Tool'
- class spdx.SPDXEntry
Describe an SPDX Entry.
- property json_entry_key: str
Name of the SPDXEntry as visible in the SPDX JSON report.
- abstract __str__() -> str
Return str(self).
- __format__(format_spec: str) -> str
Default object formatter.
- abstract to_json_dict() -> dict[str, Any]
Return a chunk of the SPDX JSON document.
- class spdx.SPDXEntryStr(value: str)
Bases: SPDXEntry
Describe an SPDX Entry accepting a string.
- __str__() -> str
Return str(self).
- __gt__(other: object) -> bool
Return self>value.
- to_json_dict() -> dict[str, Any]
Return a chunk of the SPDX JSON document.
- class spdx.SPDXEntryMaybeStr(value: MAYBE_STR)
Bases: SPDXEntry
Describe an SPDX Entry accepting a string, NOASSERTION, or NONE.
- __str__() -> str
Return str(self).
- to_json_dict() -> dict[str, Any]
Return a chunk of the SPDX JSON document.
- class spdx.SPDXEntryMaybeStrMultilines(value: MAYBE_STR)
Bases: SPDXEntryMaybeStr
Describe an SPDX Entry accepting a string, NOASSERTION, or NONE.
- class spdx.SPDXEntryBool(value: bool)
Bases: SPDXEntry
Describe an SPDX Entry accepting a boolean.
- __str__() -> str
Return str(self).
- to_json_dict() -> dict[str, Any]
Return a chunk of the SPDX JSON document.
- class spdx.SPDXSection
Describe an SPDX section.
- to_tagvalue() -> list[str]
Generate a chunk of an SPDX tag:value document.
Return a list of SPDX lines.
- to_json_dict() -> dict[str, Any]
- class spdx.SPDXVersion(value: str)
Bases: SPDXEntryStr
Provide the SPDX version used to generate the document.
See 6.1 SPDX version field.
- json_entry_key = 'spdxVersion'
- class spdx.DataLicense(value: str)
Bases: SPDXEntryStr
License of the SPDX Metadata.
See 6.2 Data license field.
- class spdx.SPDXID(value: str)
Bases: SPDXEntryStr
Identify an SPDX Document, or Package.
See 6.3 SPDX identifier field and 7.2 Package SPDX identifier field.
The value is a unique string containing letters, numbers, ., and/or -.
- json_entry_key = 'SPDXID'
- __str__() -> str
Return str(self).
- __eq__(o: object) -> bool
Return self==value.
- __hash__() -> int
Return hash(self).
- class spdx.DocumentName(value: str)
Bases: SPDXEntryStr
Identify name of this document.
See 6.4 Document name field.
- json_entry_key = 'name'
- class spdx.DocumentNamespace(value: str)
Bases: SPDXEntryStr
Provide a unique URI for this document.
See 6.5 SPDX document namespace field.
- class spdx.LicenseListVersion(value: str)
Bases: SPDXEntryStr
Provide the version of the SPDX License List used.
See 6.7 License list version field.
- class spdx.Entity(value: str)
Bases: SPDXEntryStr
Represent an Entity (Organization, Person, Tool).
- class spdx.EntityRef(value: Entity | Literal[NOASSERTION])
Bases: SPDXEntry
Reference an Entity.
Accept NOASSERTION as a valid value.
- __str__() -> str
Return str(self).
- to_json_dict() -> dict[str, Any]
Return a chunk of the SPDX JSON document.
- class spdx.Creator(value: Entity | Literal[NOASSERTION])
Bases: EntityRef
Identify who (or what, in the case of a tool) created the SPDX document.
See 6.8 Creator field.
- json_entry_key = 'creators'
- class spdx.Created(value: str)
Bases: SPDXEntryStr
Identify when the SPDX document was originally created.
See 6.9 Created field.
- class spdx.PackageName(value: str)
Bases: SPDXEntryStr
Identify the full name of the package.
See 7.1 Package name field.
- json_entry_key = 'name'
- class spdx.PackageVersion(value: str)
Bases: SPDXEntryStr
Identify the version of the package.
See 7.3 Package version field.
- json_entry_key = 'versionInfo'
- class spdx.PackageFileName(value: str)
Bases: SPDXEntryStr
Provide the actual file name of the package.
See 7.4 Package file name field.
- class spdx.PackageSupplier(value: Entity | Literal[NOASSERTION])
Bases: EntityRef
Identify the actual distribution source for the package.
See 7.5 Package supplier field.
- json_entry_key = 'supplier'
- class spdx.PackageOriginator(value: Entity | Literal[NOASSERTION])
Bases: EntityRef
Identify from where the package originally came.
See 7.6 Package originator field.
- json_entry_key = 'originator'
- class spdx.PackageDownloadLocation(value: MAYBE_STR)
Bases: SPDXEntryMaybeStr
Identifies the download location of the package.
See 7.7 Package download location field.
- json_entry_key = 'downloadLocation'
- class spdx.FilesAnalyzed(value: bool)
Bases: SPDXEntryBool
Indicates whether the file content of this package has been analyzed.
See 7.8 Files analyzed field.
- class spdx.PackageChecksum(value: str)
Bases: SPDXEntryStr
Provide a mechanism that permits unique identification of the package.
See 7.10 Package checksum field.
- abstract property algorithm: str
- entry_key = 'PackageChecksum'
- json_entry_key = 'checksums'
- __str__() -> str
Return str(self).
- to_json_dict() -> dict[str, dict[str, str]]
Return a chunk of the SPDX JSON document.
- class spdx.PackageHomePage(value: MAYBE_STR)
Bases: SPDXEntryMaybeStr
Identifies the homepage location of the package.
See 7.11 Package home page field.
- json_entry_key = 'homepage'
- class spdx.SHA1(value: str)
Bases: PackageChecksum
Provide a mechanism that permits unique identification of the package.
See 7.10 Package checksum field.
- algorithm = 'SHA1'
- class spdx.SHA256(value: str)
Bases: PackageChecksum
Provide a mechanism that permits unique identification of the package.
See 7.10 Package checksum field.
- algorithm = 'SHA256'
- class spdx.PackageLicenseConcluded(value: MAYBE_STR)
Bases: SPDXEntryMaybeStr
Contain the license concluded as governing the package.
See 7.13 Concluded license field.
- json_entry_key = 'licenseConcluded'
- class spdx.PackageLicenseDeclared(value: MAYBE_STR)
Bases: SPDXEntryMaybeStr
Contain the license having been declared by the authors of the package.
See 7.15 Declared license field.
- json_entry_key = 'licenseDeclared'
- class spdx.PackageLicenseComments(value: MAYBE_STR)
Bases: SPDXEntryMaybeStrMultilines
Record background information or analysis for the Concluded License.
See 7.16 Comments on license field.
- json_entry_key = 'licenseComments'
- class spdx.PackageCopyrightText(value: MAYBE_STR)
Bases: SPDXEntryMaybeStrMultilines
Identify the copyright holders of the package.
See 7.17 Copyright text field.
- json_entry_key = 'copyrightText'
- class spdx.PackageComment(value: MAYBE_STR)
Bases: SPDXEntryMaybeStrMultilines
Record general comments about the package being described.
See 7.20 Package comment field.
- json_entry_key = 'comment'
- class spdx.ExternalRefCategory(*args, **kwds)
Bases: enum.Enum
Identify the category of an ExternalRef.
- security = 'SECURITY'
- package_manager = 'PACKAGE-MANAGER'
- persistent_id = 'PERSISTENT-ID'
- other = 'OTHER'
- spdx.SECURITY
- spdx.PACKAGE_MANAGER
- spdx.PERSISTENT_ID
- spdx.OTHER
- spdx.SPDX_EXTERNAL_REF_TYPES = ((), (), (), (), (), (), (), (), (), (), (), (), ())
- class spdx.ExternalRef(reference_category: ExternalRefCategory, reference_type: str, reference_locator: str)
Bases: SPDXEntry
Reference an external source of information relevant to the package.
See 7.21 External reference field.
- json_entry_key = 'externalRefs'
- __str__() -> str
Return str(self).
- to_json_dict() -> dict[str, dict[str, str]]
Return a chunk of the SPDX JSON document.
- classmethod from_dict(external_ref_dict: dict[str, str]) -> ExternalRef
Generate an External Ref from a dict compatible with the JSON format.
- Parameters:
  - external_ref_dict – a dict with the referenceCategory, referenceType, and referenceLocator keys
- Returns:
  a new ExternalRef instance
- class spdx.RelationshipType(*args, **kwds)
Bases: enum.Enum
Describes the type of relationship between two SPDX elements.
- DESCRIBES
- DESCRIBED_BY
- CONTAINS
- CONTAINED_BY
- DEPENDS_ON
- DEPENDENCY_OF
- DEPENDENCY_MANIFEST_OF
- BUILD_DEPENDENCY_OF
- DEV_DEPENDENCY_OF
- OPTIONAL_DEPENDENCY_OF
- PROVIDED_DEPENDENCY_OF
- TEST_DEPENDENCY_OF
- RUNTIME_DEPENDENCY_OF
- EXAMPLE_OF
- GENERATES
- GENERATED_FROM
- ANCESTOR_OF
- DESCENDANT_OF
- VARIANT_OF
- DISTRIBUTION_ARTIFACT
- PATCH_FOR
- PATCH_APPLIED
- COPY_OF
- FILE_ADDED
- FILE_DELETED
- FILE_MODIFIED
- EXPANDED_FROM_ARCHIVE
- DYNAMIC_LINK
- STATIC_LINK
- DATA_FILE_OF
- TEST_CASE_OF
- BUILD_TOOL_OF
- DEV_TOOL_OF
- TEST_OF
- TEST_TOOL_OF
- DOCUMENTATION_OF
- OPTIONAL_COMPONENT_OF
- METAFILE_OF
- PACKAGE_OF
- AMENDS
- PREREQUISITE_FOR
- HAS_PREREQUISITE
- REQUIREMENT_DESCRIPTION_FOR
- SPECIFICATION_FOR
- OTHER
- class spdx.Relationship(spdx_element_id: SPDXID, relationship_type: RelationshipType, related_spdx_element: SPDXID)
Bases: SPDXEntry
Provides information about the relationship between two SPDX elements.
See 11.1 Relationship field.
- __str__() -> str
Return str(self).
- to_json_dict() -> dict[str, str]
Return a chunk of the SPDX JSON document.
- class spdx.Package
Bases: SPDXSection
Describe a package.
If the SPDX information describes a package, the following fields shall be included per package. See 7 Package information section.
- Variables:
  - name (PackageName) – A mandatory single line of text identifying the full name of the package as given by the Package Originator (PackageOriginator).
  - spdx_id (SPDXID) – Uniquely identify any element in an SPDX document which may be referenced by other elements. These may be referenced internally and externally with the addition of the SPDX document identifier. Generally made of f"{name}-{version}".
  - version (PackageVersion) – Identify the version of the package.
  - file_name (PackageFileName) – Provide the actual file name of the package, or path of the directory being treated as a package. This may include the packaging and compression methods used as part of the file name, if appropriate.
  - checksum (list[PackageChecksum]) – Provide an independently reproducible mechanism that permits unique identification of a specific package that correlates to the data in this SPDX document. This identifier enables a recipient to determine if any file in the original package has been changed. If the SPDX document is to be included in a package, this value should not be calculated. The SHA1 algorithm shall be used to provide the checksum by default. The only supported checksum algorithms (for now) are SHA1 and SHA256.
  - supplier (PackageSupplier) – Identify the actual distribution source for the package/directory identified in the SPDX document. This might or might not be different from the originating distribution source for the package. The name of the Package Supplier shall be an organization or recognized author and not a website. For example, SourceForge is a host website, not a supplier; the supplier for https://sourceforge.net/projects/bridge/ is The Linux Foundation.
  - originator (PackageOriginator) – If the package identified in the SPDX document originated from a different person or organization than identified as Package Supplier (see supplier above), this field identifies from where or whom the package originally came. In some cases, a package may be created and originally distributed by a different third party than the Package Supplier of the package. For example, the SPDX document identifies the package as glibc and the Package Supplier as Red Hat, but the Free Software Foundation is the Package Originator.
  - copyright_text (PackageCopyrightText) – Identify the copyright holders of the package, as well as any dates present. This will be a free form text field extracted from package information files.
  - files_analyzed (FilesAnalyzed) – Indicates whether the file content of this package has been available for or subjected to analysis when creating the SPDX document. If false, indicates packages that represent metadata or URI references to a project, product, artifact, distribution or a component. If False, the package shall not contain any files.
  - license_concluded (PackageLicenseConcluded) – Contain the license the SPDX document creator has concluded as governing the package, or alternative values if the governing license cannot be determined.
  - license_comments (PackageLicenseComments | None) – This field provides a place for the SPDX document creator to record any relevant background information or analysis that went into arriving at the Concluded License for a package. If the Concluded License does not match the Declared License or License Information from Files, this should be explained by the SPDX document creator. It is also preferable to include an explanation here when the Concluded License is NOASSERTION.
  - license_declared (PackageLicenseDeclared) – List the licenses that have been declared by the authors of the package. Any license information that does not originate from the package authors, e.g. license information from a third-party repository, should not be included in this field.
  - homepage (PackageHomePage | None) – Provide a place for the SPDX document creator to record a website that serves as the package's home page. This link can also be used to reference further information about the package referenced by the SPDX document creator.
  - download_location (PackageDownloadLocation) – This section identifies the download Uniform Resource Locator (URL), or a specific location within a version control system (VCS), for the package at the time that the SPDX document was created.
  - external_refs (list[ExternalRef] | None) – An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package. For instance: ExternalRef(reference_category=ExternalRefCategory.package_manager, reference_type="purl", reference_locator="pkg:generic/my-dep@1b2")
  - comment (PackageComment | None) – This field provides a place for the SPDX document creator to record any general comments about the package being described.
- name: PackageName
- version: PackageVersion
- file_name: PackageFileName
- checksum: list[PackageChecksum]
- supplier: PackageSupplier
- originator: PackageOriginator
- copyright_text: PackageCopyrightText
- files_analyzed: FilesAnalyzed
- license_concluded: PackageLicenseConcluded
- license_comments: PackageLicenseComments | None
- license_declared: PackageLicenseDeclared | None
- homepage: PackageHomePage | None
- download_location: PackageDownloadLocation
- external_refs: list[ExternalRef] | None
- comment: PackageComment | None
- class spdx.DocumentInformation
Bases: SPDXSection
Describe the SPDX Document.
- document_name: DocumentName
- document_namespace: DocumentNamespace
- version: SPDXVersion
- data_license: DataLicense
- __post_init__() -> None
- class spdx.CreationInformation
Bases: SPDXSection
Document where and by whom the SPDX document has been created.
- license_list_version: LicenseListVersion
- __post_init__() -> None
- class spdx.Document(document_name: str, creators: list[Entity])
Describe the SPDX Document.
- add_package(package: Package, is_main_package: bool = False, add_relationship: bool = True) -> SPDXID
Add a new Package and describe its relationship to other elements.
- Parameters:
  - package – An already created Package to be added to this SPDX document
  - is_main_package – whether the package is the main package, in which case a relationship will automatically be added to record that the document DESCRIBES this package. If false, it is assumed that the package is contained by the main package unless a relationship is explicitly passed
  - add_relationship – whether to automatically add a relationship element: either (DOCUMENT DESCRIBES <main package>) if is_main_package is True, or (<main package> CONTAINS <package>) otherwise
- Returns:
  the package SPDX_ID
- add_relationship(relationship: Relationship) -> None
Add a new relationship to the document.
- Parameters:
  - relationship – the Relationship to add
- to_json_dict() -> dict[str, Any]
Generate a representation of an SPDX document following the JSON schema.
Return a dictionary that can be dumped into a JSON file.
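The Package and Document sections above describe how a package's SPDXID, its checksum and the DESCRIBES / CONTAINS relationships that add_package implies fit together. The following added example is hypothetical stand-alone code, not the spdx module's own, that mirrors those conventions: SPDXID validation, a SHA256 PackageChecksum in tag:value and JSON form, the DESCRIBES-vs-CONTAINS rule, and the recipient-side recomputation that lets a consumer of the SBOM detect a changed package. Assumed (not on the page): the exact SPDXID regex, the SPDX-2.3 / CC0-1.0 header values, and that adding a non-main package before any main package raises InvalidSPDX.

```python
# Stand-alone illustration of the spdx module's conventions (hypothetical, not e3's code).
from __future__ import annotations

import hashlib
import re
from typing import Any

# Assumed identifier pattern (spec 6.3 / 7.2): "SPDXRef-" then letters, digits, "." or "-".
SPDXID_RE = re.compile(r"SPDXRef-[A-Za-z0-9.\-]+")

class InvalidSPDX(Exception):
    """Raised when the document cannot be generated."""

def check_spdxid(value: str) -> str:
    """Reject identifiers that other elements could not reference unambiguously."""
    if not SPDXID_RE.fullmatch(value):
        raise InvalidSPDX(f"invalid SPDXID: {value!r}")
    return value

def sha256_checksum(data: bytes) -> tuple[str, dict[str, str]]:
    """PackageChecksum (7.10) for the package bytes, in tag:value and JSON form."""
    digest = hashlib.sha256(data).hexdigest()
    return f"PackageChecksum: SHA256: {digest}", {"algorithm": "SHA256", "checksumValue": digest}

def checksum_matches(package: dict[str, Any], data: bytes) -> bool:
    """Recipient-side check: has the package changed since the SBOM was produced?"""
    expected = {c["checksumValue"] for c in package["checksums"] if c["algorithm"] == "SHA256"}
    return hashlib.sha256(data).hexdigest() in expected

def relationship(src: str, rel_type: str, dst: str) -> dict[str, str]:
    """Relationship (11.1) using the JSON schema key names."""
    return {"spdxElementId": src, "relationshipType": rel_type, "relatedSpdxElement": dst}

class Document:
    """Tracks packages and the DESCRIBES / CONTAINS relationships add_package implies."""

    def __init__(self, document_name: str) -> None:
        self.name, self.spdx_id = document_name, "SPDXRef-DOCUMENT"
        self.main_package: str | None = None
        self.packages: list[dict[str, Any]] = []
        self.relationships: list[dict[str, str]] = []

    def add_package(self, name: str, version: str, data: bytes, is_main_package: bool = False) -> str:
        spdx_id = check_spdxid(f"SPDXRef-{name}-{version}")  # generally f"{name}-{version}"
        self.packages.append({"name": name, "SPDXID": spdx_id, "versionInfo": version,
                              "checksums": [sha256_checksum(data)[1]]})
        if is_main_package:
            self.main_package = spdx_id
            self.relationships.append(relationship(self.spdx_id, "DESCRIBES", spdx_id))
        elif self.main_package is None:  # assumption: nothing yet for this package to be contained by
            raise InvalidSPDX("add the main package before the packages it contains")
        else:
            self.relationships.append(relationship(self.main_package, "CONTAINS", spdx_id))
        return spdx_id

    def to_json_dict(self) -> dict[str, Any]:
        return {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": self.spdx_id,
                "name": self.name, "packages": self.packages, "relationships": self.relationships}
```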