`spdx`¶

Generate an SPDX file.

This is following the specification from https://spdx.github.io/spdx-spec/v2.3/ a simple example can be found at ./tests/tests_e3/spdx_test.py

Module Contents¶

Classes¶

`SPDXPackageSupplier`	Used by the SPDX originator field.
`SPDXEntry`	Describe an SPDX Entry.
`SPDXEntryStr`	Describe an SPDX Entry accepting a string.
`SPDXEntryMaybeStr`	Describe an SPDX Entry accepting a string, NOASSERTION, or NONE.
`SPDXEntryMaybeStrMultilines`	Describe an SPDX Entry accepting a string, NOASSERTION, or NONE.
`SPDXEntryBool`	Describe an SPDX Entry accepting a boolean.
`SPDXSection`	Describe an SPDX section.
`SPDXVersion`	Provide the SPDX version used to generate the document.
`DataLicense`	License of the SPDX Metadata.
`SPDXID`	Identify an SPDX Document, or Package.
`DocumentName`	Identify name of this document.
`DocumentNamespace`	Provide a unique URI for this document.
`LicenseListVersion`	Provide the version of the SPDX License List used.
`Entity`	Represent an Entity (Organization, Person, Tool).
`EntityRef`	Reference an Entity.
`Creator`	Identify who (or what, in the case of a tool) created the SPDX document.
`Created`	Identify when the SPDX document was originally created.
`Organization`	Identify an organization by its name.
`Person`	Identify a person by its name.
`Tool`	Identify a tool.
`PackageName`	Identify the full name of the package.
`PackageVersion`	Identify the version of the package.
`PackageFileName`	Provide the actual file name of the package.
`PackageSupplier`	Identify the actual distribution source for the package.
`PackageOriginator`	Identify from where the package originally came.
`PackageDownloadLocation`	Identifies the download location of the package.
`FilesAnalyzed`	Indicates whether the file content of this package have been analyzed.
`PackageChecksum`	Provide a mechanism that permits unique identification of the package.
`PackageHomePage`	Identifies the homepage location of the package.
`SHA1`	Provide a mechanism that permits unique identification of the package.
`SHA256`	Provide a mechanism that permits unique identification of the package.
`PackageLicenseConcluded`	Contain the license concluded as governing the package.
`PackageLicenseDeclared`	Contain the license having been declared by the authors of the package.
`PackageLicenseComments`	Record background information or analysis for the Concluded License.
`PackageCopyrightText`	Identify the copyright holders of the package.
`PackageComment`	Record background information or analysis for the Concluded License.
`ExternalRefCategory`	Identify the category of an ExternalRef.
`ExternalRef`	Reference an external source of information relevant to the package.
`RelationshipType`	Describes the type of relationship between two SPDX elements.
`Relationship`	Provides information about the relationship between two SPDX elements.
`Package`	Describe a package.
`DocumentInformation`	Describe the SPDX Document.
`CreationInformation`	Document where and by whom the SPDX document has been created.
`Document`	Describe the SPDX Document.

Attributes¶

`NOASSERTION`	Indicates that the preparer of the SPDX document is not making any assertion
`NONE_VALUE`	When this value is used as the object of a property it indicates that the
`MAYBE_STR`
`SPDXID_R`
`SECURITY`
`PACKAGE_MANAGER`
`PERSISTENT_ID`
`OTHER`
`SPDX_EXTERNAL_REF_TYPES`

spdx.NOASSERTION: Literal[NOASSERTION] = 'NOASSERTION'¶: Indicates that the preparer of the SPDX document is not making any assertion regarding the value of this field.

spdx.NONE_VALUE: Literal[NONE] = 'NONE'¶: When this value is used as the object of a property it indicates that the preparer of the SpdxDocument believes that there is no value for the property. This value should only be used if there is sufficient evidence to support this assertion.

spdx.MAYBE_STR¶

spdx.SPDXID_R¶

exception spdx.InvalidSPDX¶

Bases: Exception

Raise an exception when the SPDX document cannot be generated.

class spdx.SPDXPackageSupplier(*args, **kwds)¶

Bases: enum.Enum

Used by the SPDX originator field.

This field is composed of a package supplier type (organization, person, tool) and a name.

This enum represents the package supplier type.

ORGANIZATION = 'Organization'¶

PERSON = 'Person'¶

TOOL = 'Tool'¶

class spdx.SPDXEntry¶

Describe an SPDX Entry.

property entry_key: str¶: Name of the SPDXEntry as visible in the SPDX tag:value report.

property json_entry_key: str¶: Name of the SPDXEntry as visible in the SPDX JSON report.

abstract __str__() → str¶: Return str(self).

__format__(format_spec: str) → str¶: Default object formatter.

to_tagvalue() → str¶: Return a valid tag:value line.

abstract to_json_dict() → dict[str, Any]¶: Return a chunk of the SPDX JSON document.

class spdx.SPDXEntryStr(value: str)¶

Bases: SPDXEntry

Describe an SPDX Entry accepting a string.

__str__() → str¶: Return str(self).

__gt__(other: object) → bool¶: Return self>value.

to_json_dict() → dict[str, Any]¶: Return a chunk of the SPDX JSON document.

class spdx.SPDXEntryMaybeStr(value: MAYBE_STR)¶

Bases: SPDXEntry

Describe an SPDX Entry accepting a string, NOASSERTION, or NONE.

__str__() → str¶: Return str(self).

to_json_dict() → dict[str, Any]¶: Return a chunk of the SPDX JSON document.

class spdx.SPDXEntryMaybeStrMultilines(value: MAYBE_STR)¶

Bases: SPDXEntryMaybeStr

Describe an SPDX Entry accepting a string, NOASSERTION, or NONE.

to_tagvalue() → str¶

Return the content that can span to multiple lines.

In tag:value format multiple lines are delimited by <text>…</text>.

class spdx.SPDXEntryBool(value: bool)¶

Bases: SPDXEntry

Describe an SPDX Entry accepting a boolean.

__str__() → str¶: Return str(self).

to_json_dict() → dict[str, Any]¶: Return a chunk of the SPDX JSON document.

class spdx.SPDXSection¶

Describe an SPDX section.

to_tagvalue() → list[str]¶

Generate a chunk of an SPDX tag:value document.

Return a list of SPDX lines

to_json_dict() → dict[str, Any]¶

class spdx.SPDXVersion(value: str)¶

Bases: SPDXEntryStr

Provide the SPDX version used to generate the document.

See 6.1 SPDX version field.

json_entry_key = 'spdxVersion'¶

class spdx.DataLicense(value: str)¶

Bases: SPDXEntryStr

License of the SPDX Metadata.

See 6.2 Data license field.

class spdx.SPDXID(value: str)¶

Bases: SPDXEntryStr

Identify an SPDX Document, or Package.

See 6.3 SPDX identifier field and 7.2 Package SPDX identifier field.

The value is a unique string containing letters, numbers, ., and/or -.

json_entry_key = 'SPDXID'¶

__str__() → str¶: Return str(self).

__eq__(o: object) → bool¶: Return self==value.

__hash__() → int¶: Return hash(self).

class spdx.DocumentName(value: str)¶

Bases: SPDXEntryStr

Identify name of this document.

See 6.4 Document name field.

json_entry_key = 'name'¶

class spdx.DocumentNamespace(value: str)¶

Bases: SPDXEntryStr

Provide a unique URI for this document.

See 6.5 SPDX document namespace field.

class spdx.LicenseListVersion(value: str)¶

Bases: SPDXEntryStr

Provide the version of the SPDX License List used.

See 6.7 License list version field.

class spdx.Entity(value: str)¶

Bases: SPDXEntryStr

Represent an Entity (Organization, Person, Tool).

class spdx.EntityRef(value: Entity | Literal[NOASSERTION])¶

Bases: SPDXEntry

Reference an Entity.

Accept NOASSERTION as a valid value.

__str__() → str¶: Return str(self).

to_tagvalue() → str¶: Return a valid tag:value line.

to_json_dict() → dict[str, Any]¶: Return a chunk of the SPDX JSON document.

class spdx.Creator(value: Entity | Literal[NOASSERTION])¶

Bases: EntityRef

Identify who (or what, in the case of a tool) created the SPDX document.

See 6.8 Creator field.

json_entry_key = 'creators'¶

class spdx.Created(value: str)¶

Bases: SPDXEntryStr

Identify when the SPDX document was originally created.

See 6.9 Created field.

class spdx.Organization(value: str)¶

Bases: Entity

Identify an organization by its name.

class spdx.Person(value: str)¶

Bases: Entity

Identify a person by its name.

class spdx.Tool(value: str)¶

Bases: Entity

Identify a tool.

class spdx.PackageName(value: str)¶

Bases: SPDXEntryStr

Identify the full name of the package.

See 7.1 Package name field

json_entry_key = 'name'¶

class spdx.PackageVersion(value: str)¶

Bases: SPDXEntryStr

Identify the version of the package.

See 7.3 Package version field

json_entry_key = 'versionInfo'¶

class spdx.PackageFileName(value: str)¶

Bases: SPDXEntryStr

Provide the actual file name of the package.

See 7.4 Package file name field

class spdx.PackageSupplier(value: Entity | Literal[NOASSERTION])¶

Bases: EntityRef

Identify the actual distribution source for the package.

See 7.5 Package supplier field

json_entry_key = 'supplier'¶

class spdx.PackageOriginator(value: Entity | Literal[NOASSERTION])¶

Bases: EntityRef

Identify from where the package originally came.

See 7.6 Package originator field

json_entry_key = 'originator'¶

class spdx.PackageDownloadLocation(value: MAYBE_STR)¶

Bases: SPDXEntryMaybeStr

Identifies the download location of the package.

See 7.7 Package download location field

json_entry_key = 'downloadLocation'¶

class spdx.FilesAnalyzed(value: bool)¶

Bases: SPDXEntryBool

Indicates whether the file content of this package have been analyzed.

See 7.8 Files analyzed field

class spdx.PackageChecksum(value: str)¶

Bases: SPDXEntryStr

Provide a mechanism that permits unique identification of the package.

See 7.10 Package checksum field

abstract property algorithm: str¶

entry_key = 'PackageChecksum'¶

json_entry_key = 'checksums'¶

__str__() → str¶: Return str(self).

to_json_dict() → dict[str, dict[str, str]]¶: Return a chunk of the SPDX JSON document.

class spdx.PackageHomePage(value: MAYBE_STR)¶

Bases: SPDXEntryMaybeStr

Identifies the homepage location of the package.

See 7.11 Package home page field

json_entry_key = 'homepage'¶

class spdx.SHA1(value: str)¶

Bases: PackageChecksum

Provide a mechanism that permits unique identification of the package.

See 7.10 Package checksum field

algorithm = 'SHA1'¶

class spdx.SHA256(value: str)¶

Bases: PackageChecksum

Provide a mechanism that permits unique identification of the package.

See 7.10 Package checksum field

algorithm = 'SHA256'¶

class spdx.PackageLicenseConcluded(value: MAYBE_STR)¶

Bases: SPDXEntryMaybeStr

Contain the license concluded as governing the package.

See 7.13 Concluded license field

json_entry_key = 'licenseConcluded'¶

class spdx.PackageLicenseDeclared(value: MAYBE_STR)¶

Bases: SPDXEntryMaybeStr

Contain the license having been declared by the authors of the package.

See 7.15 Declared license field

json_entry_key = 'licenseDeclared'¶

class spdx.PackageLicenseComments(value: MAYBE_STR)¶

Bases: SPDXEntryMaybeStrMultilines

Record background information or analysis for the Concluded License.

See 7.16 Comments on license field

json_entry_key = 'licenseComments'¶

class spdx.PackageCopyrightText(value: MAYBE_STR)¶

Bases: SPDXEntryMaybeStrMultilines

Identify the copyright holders of the package.

See 7.17 Copyright text field

json_entry_key = 'copyrightText'¶

class spdx.PackageComment(value: MAYBE_STR)¶

Bases: SPDXEntryMaybeStrMultilines

Record background information or analysis for the Concluded License.

See 7.20 Package comment field

json_entry_key = 'comment'¶

class spdx.ExternalRefCategory(*args, **kwds)¶

Bases: enum.Enum

Identify the category of an ExternalRef.

security = 'SECURITY'¶

package_manager = 'PACKAGE-MANAGER'¶

persistent_id = 'PERSISTENT-ID'¶

other = 'OTHER'¶

spdx.SECURITY¶

spdx.PACKAGE_MANAGER¶

spdx.PERSISTENT_ID¶

spdx.OTHER¶

spdx.SPDX_EXTERNAL_REF_TYPES = ((), (), (), (), (), (), (), (), (), (), (), (), ())¶

class spdx.ExternalRef(reference_category: ExternalRefCategory, reference_type: str, reference_locator: str)¶

Bases: SPDXEntry

Reference an external source of information relevant to the package.

See 7.21 External reference field

json_entry_key = 'externalRefs'¶

__str__() → str¶: Return str(self).

to_json_dict() → dict[str, dict[str, str]]¶: Return a chunk of the SPDX JSON document.

classmethod from_dict(external_ref_dict: dict[str, str]) → ExternalRef¶

Generate an External Ref from a dict compatible with the JSON format.

Parameters:: external_ref_dict – a dict with the referenceCategory, referenceType, and referenceLocator keys
Returns:: a new ExternalRef instance

class spdx.RelationshipType(*args, **kwds)¶

Bases: enum.Enum

Describes the type of relationship between two SPDX elements.

DESCRIBES¶

DESCRIBED_BY¶

CONTAINS¶

CONTAINED_BY¶

DEPENDS_ON¶

DEPENDENCY_OF¶

DEPENDENCY_MANIFEST_OF¶

BUILD_DEPENDENCY_OF¶

DEV_DEPENDENCY_OF¶

OPTIONAL_DEPENDENCY_OF¶

PROVIDED_DEPENDENCY_OF¶

TEST_DEPENDENCY_OF¶

RUNTIME_DEPENDENCY_OF¶

EXAMPLE_OF¶

GENERATES¶

GENERATED_FROM¶

ANCESTOR_OF¶

DESCENDANT_OF¶

VARIANT_OF¶

DISTRIBUTION_ARTIFACT¶

PATCH_FOR¶

PATCH_APPLIED¶

COPY_OF¶

FILE_ADDED¶

FILE_DELETED¶

FILE_MODIFIED¶

EXPANDED_FROM_ARCHIVE¶

DYNAMIC_LINK¶

STATIC_LINK¶

DATA_FILE_OF¶

TEST_CASE_OF¶

BUILD_TOOL_OF¶

DEV_TOOL_OF¶

TEST_OF¶

TEST_TOOL_OF¶

DOCUMENTATION_OF¶

OPTIONAL_COMPONENT_OF¶

METAFILE_OF¶

PACKAGE_OF¶

AMENDS¶

PREREQUISITE_FOR¶

HAS_PREREQUISITE¶

REQUIREMENT_DESCRIPTION_FOR¶

SPECIFICATION_FOR¶

OTHER¶

class spdx.Relationship(spdx_element_id: SPDXID, relationship_type: RelationshipType, related_spdx_element: SPDXID)¶

Bases: SPDXEntry

Provides information about the relationship between two SPDX elements.

See 11.1 Relationship field.

__str__() → str¶: Return str(self).

to_json_dict() → dict[str, str]¶: Return a chunk of the SPDX JSON document.

class spdx.Package¶

Bases: SPDXSection

Describe a package.

If the SPDX information describes a package, the following fields shall be included per package. See 7 Package information section

Variables:

name (PackageName) – A mandatory single line of text identifying the full name of the package as given by the Package Originator (PackageOriginator).
spdx_id (SPDXID) – Uniquely identify any element in an SPDX document which may be referenced by other elements. These may be referenced internally and externally with the addition of the SPDX document identifier. Generally made of f"{name}-{version}".
version (PackageVersion) – Identify the version of the package.
file_name (PackageFileName) – Provide the actual file name of the package, or path of the directory being treated as a package. This may include the packaging and compression methods used as part of the file name, if appropriate.
checksum (list[PackageChecksum]) – Provide an independently reproducible mechanism that permits unique identification of a specific package that correlates to the data in this SPDX document. This identifier enables a recipient to determine if any file in the original package has been changed. If the SPDX document is to be included in a package, this value should not be calculated. The SHA1 algorithm shall be used to provide the checksum by default. The only supported checksum algorithms (for now) are SHA1 and SHA256.
supplier (PackageSupplier) – Identify the actual distribution source for the package/directory identified in the SPDX document. This might or might not be different from the originating distribution source for the package. The name of the Package Supplier shall be an organization or recognized author and not a website. For example, SourceForge is a host website, not a supplier, the supplier for https://sourceforge.net/projects/bridge/ is The Linux Foundation.
originator (PackageOriginator) – If the package identified in the SPDX document originated from a different person or organization than identified as Package Supplier (see supplier above), this field identifies from where or whom the package originally came. In some cases, a package may be created and originally distributed by a different third party than the Package Supplier of the package. For example, the SPDX document identifies the package as glibc and the Package Supplier as Red Hat, but the Free Software Foundation is the Package Originator.
copyright_text (PackageCopyrightText) – Identify the copyright holders of the package, as well as any dates present. This will be a free form text field extracted from package information files.
files_analyzed (FilesAnalyzed) – Indicates whether the file content of this package has been available for or subjected to analysis when creating the SPDX document. If false, indicates packages that represent metadata or URI references to a project, product, artifact, distribution or a component. If False, the package shall not contain any files.
license_concluded (PackageLicenseConcluded) – Contain the license the SPDX document creator has concluded as governing the package or alternative values, if the governing license cannot be determined.
license_comments (PackageLicenseComments | None) – This field provides a place for the SPDX document creator to record any relevant background information or analysis that went in to arriving at the Concluded License for a package. If the Concluded License does not match the Declared License or License Information from Files, this should be explained by the SPDX document creator. It is also preferable to include an explanation here when the Concluded License is NOASSERTION.
license_declared (PackageLicenseDeclared) – List the licenses that have been declared by the authors of the package. Any license information that does not originate from the package authors, e.g. license information from a third-party repository, should not be included in this field.
homepage (PackageHomePage | None) – Provide a place for the SPDX document creator to record a website that serves as the package’s home page. This link can also be used to reference further information about the package referenced by the SPDX document creator.
download_location (PackageDownloadLocation) – This section identifies the download Uniform Resource Locator (URL), or a specific location within a version control system (VCS) for the package at the time that the SPDX document was created.
external_refs (list[ExternalRef] | None) –
An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package. For instance:
```
ExternalRef(
    reference_category=ExternalRefCategory.package_manager,
    reference_type="purl",
    reference_locator="pkg:generic/my-dep@1b2"
)
```
comment (PackageComment | None) – This field provides a place for the SPDX document creator to record any general comments about the package being described.

name: PackageName¶

spdx_id: SPDXID¶

version: PackageVersion¶

file_name: PackageFileName¶

checksum: list[PackageChecksum]¶

supplier: PackageSupplier¶

originator: PackageOriginator¶

copyright_text: PackageCopyrightText¶

files_analyzed: FilesAnalyzed¶

license_concluded: PackageLicenseConcluded¶

license_comments: PackageLicenseComments | None¶

license_declared: PackageLicenseDeclared | None¶

homepage: PackageHomePage | None¶

download_location: PackageDownloadLocation¶

external_refs: list[ExternalRef] | None¶

comment: PackageComment | None¶

class spdx.DocumentInformation¶

Bases: SPDXSection

Describe the SPDX Document.

document_name: DocumentName¶

document_namespace: DocumentNamespace¶

version: SPDXVersion¶

data_license: DataLicense¶

spdx_id: SPDXID¶

__post_init__() → None¶

class spdx.CreationInformation¶

Bases: SPDXSection

Document where and by whom the SPDX document has been created.

creators: list[Creator]¶

created_now: Created¶

license_list_version: LicenseListVersion¶

__post_init__() → None¶

class spdx.Document(document_name: str, creators: list[Entity])¶

Describe the SPDX Document.

property spdx_id: SPDXID¶: Return the Document SPDXID.

add_package(package: Package, is_main_package: bool = False, add_relationship: bool = True) → SPDXID¶

Add a new Package and describe its relationship to other elements.

Parameters:

package – An already created Package to be added to this SPDX document
is_main_package – whether the package is the main package, in which case a relationship will automatically be added to record that the document DESCRIBES this package. If false, it is assumed that the package is contained by the main package unless a relationship is explicitely passed
add_relationship – whether to automatically add a relationship element - either (DOCUMENT DESCRIBES <main package>) if is_main_package is True or (<main package> CONTAINS <package>)

Returns:

the package SPDX_ID

add_relationship(relationship: Relationship) → None¶

Add a new relationship to the document.

Parameters:: relationship – the Relationship to add

to_tagvalue() → list[str]¶: Generate a list of tag:value lines describing the SPDX document.

to_json_dict() → dict[str, Any]¶

Generate a representation of an SPDX following the JSON schema.

Generate a dictionary that can be dumped into a JSON.

spdx¶

Module Contents¶

Classes¶

Attributes¶

`spdx`¶