model

package

v0.52.0 Latest Latest Go to latest Published: Sep 29, 2022 License: Apache-2.0 Imports: 2 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/zj1244/syft

Documentation ¶

Constants ¶

View Source

const Version = "SPDX-2.2"

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Annotation ¶

type Annotation struct {
	// Identify when the comment was made. This is to be specified according to the combined date and time in the
	// UTC format, as specified in the ISO 8601 standard.
	AnnotationDate time.Time `json:"annotationDate"`
	// Type of the annotation
	AnnotationType AnnotationType `json:"annotationType"`
	// This field identifies the person, organization or tool that has commented on a file, package, or the entire document.
	Annotator string `json:"annotator"`
	Comment   string `json:"comment"`
}

type AnnotationType ¶

type AnnotationType string

const (
	ReviewerAnnotationType AnnotationType = "REVIEWER"
	OtherAnnotationType    AnnotationType = "OTHER"
)

type Checksum ¶

type Checksum struct {
	// Identifies the algorithm used to produce the subject Checksum. One of: "SHA256", "SHA1", "SHA384", "MD2", "MD4", "SHA512", "MD6", "MD5", "SHA224"
	Algorithm     string `json:"algorithm"`
	ChecksumValue string `json:"checksumValue"`
}

type CreationInfo ¶

type CreationInfo struct {
	Comment string `json:"comment,omitempty"`
	// Identify when the SPDX file was originally created. The date is to be specified according to combined date and
	// time in UTC format as specified in ISO 8601 standard. This field is distinct from the fields in section 8,
	// which involves the addition of information during a subsequent review.
	Created time.Time `json:"created"`
	// Identify who (or what, in the case of a tool) created the SPDX file. If the SPDX file was created by an
	// individual, indicate the person's name. If the SPDX file was created on behalf of a company or organization,
	// indicate the entity name. If the SPDX file was created using a software tool, indicate the name and version
	// for that tool. If multiple participants or tools were involved, use multiple instances of this field. Person
	// name or organization name may be designated as “anonymous” if appropriate.
	Creators []string `json:"creators"`
	// An optional field for creators of the SPDX file to provide the version of the SPDX License List used when the SPDX file was created.
	LicenseListVersion string `json:"licenseListVersion"`
}

type Document ¶

type Document struct {
	Element
	SPDXVersion string `json:"spdxVersion"`
	// One instance is required for each SPDX file produced. It provides the necessary information for forward
	// and backward compatibility for processing tools.
	CreationInfo CreationInfo `json:"creationInfo"`
	// 2.2: Data License; should be "CC0-1.0"
	// Cardinality: mandatory, one
	// License expression for dataLicense.  Compliance with the SPDX specification includes populating the SPDX
	// fields therein with data related to such fields (\"SPDX-Metadata\"). The SPDX specification contains numerous
	// fields where an SPDX document creator may provide relevant explanatory text in SPDX-Metadata. Without
	// opining on the lawfulness of \"database rights\" (in jurisdictions where applicable), such explanatory text
	// is copyrightable subject matter in most Berne Convention countries. By using the SPDX specification, or any
	// portion hereof, you hereby agree that any copyright rights (as determined by your jurisdiction) in any
	// SPDX-Metadata, including without limitation explanatory text, shall be subject to the terms of the Creative
	// Commons CC0 1.0 Universal license. For SPDX-Metadata not containing any copyright rights, you hereby agree
	// and acknowledge that the SPDX-Metadata is provided to you \"as-is\" and without any representations or
	// warranties of any kind concerning the SPDX-Metadata, express, implied, statutory or otherwise, including
	// without limitation warranties of title, merchantability, fitness for a particular purpose, non-infringement,
	// or the absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not
	// discoverable, all to the greatest extent permissible under applicable law.
	DataLicense string `json:"dataLicense"`
	// Information about an external SPDX document reference including the checksum. This allows for verification of the external references.
	ExternalDocumentRefs []ExternalDocumentRef `json:"externalDocumentRefs,omitempty"`
	// Indicates that a particular ExtractedLicensingInfo was defined in the subject SpdxDocument.
	HasExtractedLicensingInfos []HasExtractedLicensingInfo `json:"hasExtractedLicensingInfos,omitempty"`
	// note: found in example documents from SPDX, but not in the JSON schema. See https://spdx.github.io/spdx-spec/2-document-creation-information/#25-spdx-document-namespace
	DocumentNamespace string `json:"documentNamespace"`
	// note: found in example documents from SPDX, but not in the JSON schema
	// DocumentDescribes []string  `json:"documentDescribes"`
	Packages []Package `json:"packages"`
	// Files referenced in the SPDX document
	Files []File `json:"files,omitempty"`
	// Snippets referenced in the SPDX document
	Snippets []Snippet `json:"snippets,omitempty"`
	// Relationships referenced in the SPDX document
	Relationships []Relationship `json:"relationships,omitempty"`
}

type Element ¶

type Element struct {
	SPDXID string `json:"SPDXID"`
	// Identify name of this SpdxElement.
	Name string `json:"name,omitempty"`
	// Relationships referenced in the SPDX document
	Relationships []Relationship `json:"relationships,omitempty"`
	// Provide additional information about an SpdxElement.
	Annotations []Annotation `json:"annotations,omitempty"`
	Comment     string       `json:"comment,omitempty"`
}

type ElementID ¶

type ElementID string

ElementID represents the identifier string portion of an SPDX element identifier. DocElementID should be used for any attributes which can contain identifiers defined in a different SPDX document. ElementIDs should NOT contain the mandatory 'SPDXRef-' portion.

func (ElementID) String ¶

func (e ElementID) String() string

type EndPointer ¶

type EndPointer struct {
	Offset     int `json:"offset,omitempty"`
	LineNumber int `json:"lineNumber,omitempty"`
	// SPDX ID for File
	Reference string `json:"reference"`
}

type ExternalDocumentRef ¶

type ExternalDocumentRef struct {
	// externalDocumentId is a string containing letters, numbers, ., - and/or + which uniquely identifies an external document within this document.
	ExternalDocumentID string   `json:"externalDocumentId"`
	Checksum           Checksum `json:"checksum"`
	// SPDX ID for SpdxDocument.  A propoerty containing an SPDX document.
	SpdxDocument string `json:"spdxDocument"`
}

type File ¶

type File struct {
	Item
	// (At least one is required.) The checksum property provides a mechanism that can be used to verify that the
	// contents of a File or Package have not changed.
	Checksums []Checksum `json:"checksums,omitempty"`
	// This field provides a place for the SPDX file creator to record file contributors. Contributors could include
	// names of copyright holders and/or authors who may not be copyright holders yet contributed to the file content.
	FileContributors []string `json:"fileContributors,omitempty"`
	// Each element is a SPDX ID for a File.
	FileDependencies []string `json:"fileDependencies,omitempty"`
	// The name of the file relative to the root of the package.
	FileName string `json:"fileName"`
	// The type of the file
	FileTypes []string `json:"fileTypes,omitempty"`
	// This field provides a place for the SPDX file creator to record potential legal notices found in the file.
	// This may or may not include copyright statements.
	NoticeText string `json:"noticeText,omitempty"`
	// Indicates the project in which the SpdxElement originated. Tools must preserve doap:homepage and doap:name
	// properties and the URI (if one is known) of doap:Project resources that are values of this property. All other
	// properties of doap:Projects are not directly supported by SPDX and may be dropped when translating to or
	// from some SPDX formats (deprecated).
	ArtifactOf []string `json:"artifactOf,omitempty"`
}

type HasExtractedLicensingInfo ¶

type HasExtractedLicensingInfo struct {
	// Verbatim license or licensing notice text that was discovered.
	ExtractedText string `json:"extractedText"`
	// A human readable short form license identifier for a license. The license ID is iether on the standard license
	// oist or the form \"LicenseRef-\"[idString] where [idString] is a unique string containing letters,
	// numbers, \".\", \"-\" or \"+\".
	LicenseID string `json:"licenseId"`
	Comment   string `json:"comment,omitempty"`
	// Identify name of this SpdxElement.
	Name     string   `json:"name,omitempty"`
	SeeAlsos []string `json:"seeAlsos,omitempty"`
}

type Item ¶

type Item struct {
	Element
	// The licenseComments property allows the preparer of the SPDX document to describe why the licensing in
	// spdx:licenseConcluded was chosen.
	LicenseComments  string `json:"licenseComments,omitempty"`
	LicenseConcluded string `json:"licenseConcluded"`
	// The licensing information that was discovered directly within the package. There will be an instance of this
	// property for each distinct value of alllicenseInfoInFile properties of all files contained in the package.
	LicenseInfoFromFiles []string `json:"licenseInfoFromFiles,omitempty"`
	// Licensing information that was discovered directly in the subject file. This is also considered a declared license for the file.
	LicenseInfoInFiles []string `json:"licenseInfoInFiles,omitempty"`
	// The text of copyright declarations recited in the Package or File.
	CopyrightText string `json:"copyrightText,omitempty"`
	// This field provides a place for the SPDX data creator to record acknowledgements that may be required to be
	// communicated in some contexts. This is not meant to include the actual complete license text (see
	// licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText).
	// The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from
	// license texts, which may be necessary or desirable to reproduce.
	AttributionTexts []string `json:"attributionTexts,omitempty"`
}

type Package ¶

type Package struct {
	Item
	// The checksum property provides a mechanism that can be used to verify that the contents of a File or
	// Package have not changed.
	Checksums []Checksum `json:"checksums,omitempty"`
	// Provides a detailed description of the package.
	Description string `json:"description,omitempty"`
	// The URI at which this package is available for download. Private (i.e., not publicly reachable) URIs are
	// acceptable as values of this property. The values http://spdx.org/rdf/terms#none and http://spdx.org/rdf/terms#noassertion
	// may be used to specify that the package is not downloadable or that no attempt was made to determine its
	// download location, respectively.
	DownloadLocation string `json:"downloadLocation,omitempty"`
	// An External Reference allows a Package to reference an external source of additional information, metadata,
	// enumerations, asset identifiers, or downloadable content believed to be relevant to the Package.
	ExternalRefs []spdxhelpers.ExternalRef `json:"externalRefs,omitempty"`
	// Indicates whether the file content of this package has been available for or subjected to analysis when
	// creating the SPDX document. If false indicates packages that represent metadata or URI references to a
	// project, product, artifact, distribution or a component. If set to false, the package must not contain any files
	FilesAnalyzed bool `json:"filesAnalyzed"`
	// Indicates that a particular file belongs to a package (elements are SPDX ID for a File).
	HasFiles []string `json:"hasFiles,omitempty"`
	// Provide a place for the SPDX file creator to record a web site that serves as the package's home page.
	// This link can also be used to reference further information about the package referenced by the SPDX file creator.
	Homepage string `json:"homepage,omitempty"`
	// List the licenses that have been declared by the authors of the package. Any license information that does not
	// originate from the package authors, e.g. license information from a third party repository, should not be included in this field.
	LicenseDeclared string `json:"licenseDeclared"`
	// The name and, optionally, contact information of the person or organization that originally created the package.
	// Values of this property must conform to the agent and tool syntax.
	Originator string `json:"originator,omitempty"`
	// The base name of the package file name. For example, zlib-1.2.5.tar.gz.
	PackageFileName string `json:"packageFileName,omitempty"`
	// A manifest based verification code (the algorithm is defined in section 4.7 of the full specification) of the
	// SPDX Item. This allows consumers of this data and/or database to determine if an SPDX item they have in hand
	// is identical to the SPDX item from which the data was produced. This algorithm works even if the SPDX document
	// is included in the SPDX item.
	PackageVerificationCode *PackageVerificationCode `json:"packageVerificationCode,omitempty"`
	// Allows the producer(s) of the SPDX document to describe how the package was acquired and/or changed from the original source.
	SourceInfo string `json:"sourceInfo,omitempty"`
	// Provides a short description of the package.
	Summary string `json:"summary,omitempty"`
	// The name and, optionally, contact information of the person or organization who was the immediate supplier
	// of this package to the recipient. The supplier may be different than originator when the software has been
	// repackaged. Values of this property must conform to the agent and tool syntax.
	Supplier string `json:"supplier,omitempty"`
	// Provides an indication of the version of the package that is described by this SpdxDocument.
	VersionInfo string `json:"versionInfo,omitempty"`
}

type PackageVerificationCode ¶

type PackageVerificationCode struct {
	// "A file that was excluded when calculating the package verification code. This is usually a file containing
	// SPDX data regarding the package. If a package contains more than one SPDX file all SPDX files must be excluded
	// from the package verification code. If this is not done it would be impossible to correctly calculate the
	// verification codes in both files.
	PackageVerificationCodeExcludedFiles []string `json:"packageVerificationCodeExcludedFiles"`

	// The actual package verification code as a hex encoded value.
	PackageVerificationCodeValue string `json:"packageVerificationCodeValue"`
}

Why are there two package identifier fields Package Checksum and Package Verification? Although the values of the two fields Package Checksum and Package Verification are similar, they each serve a different purpose. The Package Checksum provides a unique identifier of a software package which is computed by taking the SHA1 of the entire software package file. This enables one to quickly determine if two different copies of a package are the same. One disadvantage of this approach is that one cannot add an SPDX data file into the original package without changing the Package Checksum value. Alternatively, the Package Verification field enables the inclusion of an SPDX file. It enables one to quickly verify if one or more of the original package files has changed. The Package Verification field is a unique identifier that is based on SHAing only the original package files (e.g., excluding the SPDX file). This allows one to add an SPDX file to the original package without changing this unique identifier. source: https://wiki.spdx.org/view/SPDX_FAQ

type Range ¶

type Range struct {
	StartPointer StartPointer `json:"startPointer"`
	EndPointer   EndPointer   `json:"endPointer"`
}

type Relationship ¶

type Relationship struct {
	// Id to which the SPDX element is related
	SpdxElementID string `json:"spdxElementId"`
	// Describes the type of relationship between two SPDX elements.
	RelationshipType spdxhelpers.RelationshipType `json:"relationshipType"`
	// SPDX ID for SpdxElement.  A related SpdxElement.
	RelatedSpdxElement string `json:"relatedSpdxElement"`
	Comment            string `json:"comment,omitempty"`
}

type Snippet ¶

type Snippet struct {
	Item
	// Licensing information that was discovered directly in the subject snippet. This is also considered a declared
	// license for the snippet. (elements are license expressions)
	LicenseInfoInSnippets []string `json:"licenseInfoInSnippets"`
	// SPDX ID for File. File containing the SPDX element (e.g. the file contaning a snippet).
	SnippetFromFile string `json:"snippetFromFile"`
	// (At least 1 range is required). This field defines the byte range in the original host file (in X.2) that the
	// snippet information applies to.
	Ranges []Range `json:"ranges"`
}

type StartPointer ¶

type StartPointer struct {
	Offset     int `json:"offset,omitempty"`
	LineNumber int `json:"lineNumber,omitempty"`
	// SPDX ID for File
	Reference string `json:"reference"`
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL