spdx:createSPDX

Full name:

org.spdx:spdx-maven-plugin:0.7.4-SNAPSHOT:createSPDX

Description:

NOTE: Currently this is a prototype plugin for supporting SPDX in a Maven build.

Goal which creates a new SPDX file for the package being built. Will replace any existing SPDX file.

All SPDX document and SPDX package properties are supported as parameters to the plugin.

File level data supports default parameters which are applied to all files. Future versions of this plugin will support file specific parameters.

The treatment of licenses for Maven is somewhat involved. Where possible, SPDX standard license IDs should be used. If no SPDX standard license is available, a nonStandardLicense must be declared as a parameter, including a unique license ID and the verbatim license text.

The following SPDX fields are populated from the POM project information:

  • package name: project name or artifactId if the project name is not provided
  • package description: project description
  • package shortDescription: project description
  • package downloadUrl: distributionManagement url
  • package homePage: project url
  • package supplier: project organization
  • package versionInfo: project version
  • files for analysis: build source files + project resource files

Additional SPDX fields are supplied as configuration parameters to this plugin.

Attributes:

  • Requires a Maven project to be executed.
  • The goal is thread-safe and supports parallel builds.
  • Binds by default to the lifecycle phase: verify.
  • Requires that Maven runs in online mode.

Optional Parameters

Name Type Since Description
<checksumAlgorithms> String[] - File checksums provide a unique identifier to match analysis information on each specific file in a package. The SHA1 algorithm is always calculated. Configure which additional algorithms should be used to calculate the file checksum. Other algorithms that can be provided optionally include SHA224, SHA256, SHA384, SHA512, MD2, MD4, MD5, MD6.
<componentName> String - (no description)
Default value is: ${project.basedir}.
<copyrightText> String - Identify the copyright holders of the package, as well as any dates present. This will be a free form text field extracted from the package information files. The options to populate this field are limited to: (a) any text related to a copyright notice, even if not complete; (b) NONE if the package contains no license information whatsoever; or (c) NOASSERTION, if the SPDX file creator has not examined the contents of the package or if the SPDX file creator has intentionally provided no information (no meaning should be implied by doing so).
Default value is: NOASSERTION.
<createExternalRefs> boolean 0.6.3 If true, external document references will be created for any dependencies which contain SPDX documents. If false, the dependent package information will be copied from the SPDX document into the generated SPDX document.
Default value is: true.
<creatorComment> String - An optional field for creators of the SPDX file to provide general comments about the creation of the SPDX file or any other relevant comment not included in the other fields.
<creators> String[] - Identify who (or what, in the case of a tool) created the SPDX file. If the SPDX file was created by an individual, indicate the person's name. If the SPDX file was created on behalf of a company or organization, indicate the entity name. If multiple participants or tools were involved, use multiple instances of this field. Person name or organization name may be designated as “anonymous” if appropriate. Format: single line of text with one of the following keywords: “Person: person name” and optional “(email)”, “Organization: organization” and optional “(email)”, or “Tool: toolidentifier-version”.

NOTE: the Tool: spdx-maven-plugin will automatically be added by the plugin

<defaultFileComment> String - Optional default SPDX file comment field. The file comment field provides a place for the SPDX file creator to record any general comments about the file.
<defaultFileConcludedLicense> String - This field contains the license the SPDX file creator has concluded as governing the file or alternative values if the governing license cannot be determined. If no concluded license is specified "NOASSERTION" will be used.
Default value is: NOASSERTION.
<defaultFileContributors> String[] - Optional list of default file contributors. This field provides a place for the SPDX file creator to record file contributors. Contributors could include names of copyright holders and/or authors who may not be copyright holders, yet contributed to the file content.
<defaultFileCopyright> String - Default file copyright text. If no copyright text is specified, NOASSERTION will be used. The copyrightText field identifies the copyright holder of the file, as well as any dates present. The text must match the copyright notice found in the file. The options to populate this field are limited to: (a) any text relating to a copyright notice, even if not complete; (b) NONE, if the file contains no license information whatsoever; or (c) NOASSERTION, if the SPDX creator has not examined the contents of the actual file or if the SPDX creator has intentionally provided no information (no meaning should be implied from the absence of an assertion).
Default value is: NOASSERTION.
<defaultFileLicenseComment> String - Optional default file license comment. The licenseComments property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded was chosen.
<defaultFileNotice> String - Optional default file notice text. This field provides a place for the SPDX file creator to record potential legal notices found in the file. This may or may not include copyright statements.
<defaultLicenseInformationInFile> String - Default license information in file. If no licenseInformationInFile is specified, NOASSERTION will be used. This field contains the license information actually found in the file, if any. Any license information not actually in the file, e.g., a “COPYING.txt” file in a top-level directory, should not be reflected in this field. This information is most commonly found in the header of the file, although it may be in other areas of the actual file. The options to populate this field are limited to: (a) the SPDX License List short form identifier, if the license is on the SPDX License List; (b) a reference to the license, denoted by LicenseRef-[idString], if the license is not on the SPDX License List; (c) NONE, if the actual file contains no license information whatsoever; or (d) NOASSERTION, if the SPDX file creator has not examined the contents of the actual file or the SPDX file creator has intentionally provided no information (no meaning should be implied by doing so). For a license set, when there is a choice between licenses (“disjunctive license”), they should be separated with “or” and enclosed in brackets. Similarly, when multiple licenses need to be applied (“conjunctive license”), they should be separated with “and” and enclosed in parentheses.
<documentAnnotations> Annotation[] 0.5.1 Optional annotations for the SPDX document
<configuration>
  <documentAnnotations>
    <documentAnnotation>
      <annotationComment>   </annotationComment>
      <annotationType>   </annotationType>
      <annotationDate>2023-06-29T18:30:22Z</annotationDate>
      <annotator>Person: ...</annotator>
    </documentAnnotation>
    <!-- ... more ... -->
  </documentAnnotations>
</configuration>

<documentComment> String - An optional field for creators of the SPDX file content to provide comments to the consumers of the SPDX document.
<externalReferences> ExternalReference[] -
<configuration>
  <externalReferences>
    <externalReference>
      <category>   </category>
      <type>   </type>
      <locator>   </locator>
      <comment>   </comment>
    </externalReference>
    <!-- ... more ... -->
  </externalReferences>
</configuration>

<generatePurls> boolean - If true, adds an external reference to every package with category "PACKAGE-MANAGER", type "purl" and locator "pkg:maven/${project.groupId}/${project.artifactId}@${project.version}".
User property is: spdx.generatePurls.
<includeTransitiveDependencies> boolean 0.6.3 If true, all transitive dependencies will be included in the SPDX document. If false, only direct dependencies will be included.
Default value is: true.
<licenseComments> String - This field provides a place for the SPDX file creator to record any general comments about the license.
<licenseConcluded> String - This field contains the license the SPDX file creator has concluded as governing the package or alternative values, if the governing license cannot be determined. If this field is not specified, the declared license value will be used for the concluded license. The format of the string follows the standard license string format for SPDX files (see the defaultFileConcludedLicense parameter for a full description).
<licenseDeclared> String - License declared by the originator for the package. If no license is specified, the license information in the project POM file will be mapped to a standard SPDX license if available. If a non-standard license is used, a NOASSERTION value will be used. The format of the string follows the standard license string format for SPDX files (see the defaultFileConcludedLicense parameter for a full description).
<matchLicensesOnCrossReferenceUrls> boolean - Optional parameter; if set to true, a Maven license will be matched to an SPDX standard license when the Maven license URL matches any of the cross-reference license URLs for a standard license. Default value is true. Note: Several SPDX standard licenses contain the same cross-reference license URL. In this case, the SPDX standard license used is indeterminate.
Default value is: true.
<nonStandardLicenses> NonStandardLicense[] - Licenses which are not SPDX listed licenses referenced within the Maven SPDX plugin configuration. All non-standard licenses must be configured containing the required license ID and license text.
<configuration>
  <nonStandardLicenses>
    <nonStandardLicense>
      <licenseId>LicenseRef-[idString]</licenseId> <!-- Required -->
      <extractedText>   </extractedText> <!-- Required -->
      <name>   </name>
      <comment>   </comment>
      <crossReference>
        <crossReference>https://...</crossReference>
      </crossReference>
    </nonStandardLicense>
    <!-- ... more ... -->
  </nonStandardLicenses>
</configuration>

<onlyUseLocalLicenses> boolean - Configure whether only the locally cached license list should be used. (a) If set to true, only the locally cached version of the license list is used; (b) otherwise, the license list is queried over the internet.
<originator> String - The name and, optionally, contact information of the person or organization that originally created the package. Note that the supplier field of SPDX is filled in by the Organization in the POM. However, the originator may be different from the supplier (e.g. a Maven POM was built by organization X containing code originating from organization Y).

The default for this is the Maven organization.

<outputFormat> String 0.6.0 Output file format for the SPDX file. One of: JSON (JSON SPDX format) or RDF/XML (RDF/XML format).
Default value is: JSON.
<packageAnnotations> Annotation[] 0.5.1 Optional annotations for the package
<configuration>
  <packageAnnotations>
    <packageAnnotation>
      <annotationComment>   </annotationComment>
      <annotationType>   </annotationType>
      <annotationDate>2023-06-29T18:30:22Z</annotationDate>
      <annotator>Person: ...</annotator>
    </packageAnnotation>
    <!-- ... more ... -->
  </packageAnnotations>
</configuration>

<pathsWithSpecificSpdxInfo> PathSpecificSpdxInfo[] - Files or directories which have SPDX information different from the project defaults. The fileOrDirectory field of the PathSpecificSpdxInfo is required. All files within the directory (or just the specific file) will use the SPDX data specified in the PathSpecificSpdxInfo parameters. All of the SPDX data parameters are optional. If any SPDX field is not specified, the project level default data will be used.

If a file or directory is nested within another pathsWithSpecificSpdxInfo, the lowest level values will be used. Note: in this case the non-specified SPDX fields for the lowest level PathSpecificSpdxInfo will use the default project level fields NOT the higher level PathSpecificSpdxInfo.

<configuration>
  <pathsWithSpecificSpdxInfo>
    <pathsWithSpecificSpdxInfo>
      <directoryOrFile>src/main/java/CommonCode.java</directoryOrFile>
      <fileComment>Comment for CommonCode</fileComment>
      <fileContributors>
        <fileContributor>Contributor to CommonCode</fileContributor>
        <!-- ... more ... -->
      </fileContributors>
      <fileCopyright>Common Code Copyright</fileCopyright>
      <fileLicenseComment>License Comment for Common Code</fileLicenseComment>
      <fileNotice>Notice for Common Code</fileNotice>
      <fileConcludedLicense>EPL-1.0</fileConcludedLicense>
      <licenseInformationInFile>ISC</licenseInformationInFile>
      <snippets>
        <snippet>
          <name>SnippetName</name>
          <comment>Snippet Comment</comment>
          <concludedLicense>BSD-2-Clause</concludedLicense>
          <lineRange>44:55</lineRange>
          <byteRange>1231:3442</byteRange>
          <licenseComment>Snippet License Comment</licenseComment>
          <copyrightText>Snippet Copyright Text</copyrightText>
          <licenseInfoInSnippet>BSD-2-Clause-FreeBSD</licenseInfoInSnippet>
        <!-- ... more ... -->
        </snippet>
      </snippets>
    </pathsWithSpecificSpdxInfo>
    <!-- ... more ... -->
  </pathsWithSpecificSpdxInfo>
</configuration>

<skip> boolean 0.7.1 Skip goal execution.
User property is: spdx.skip.
<sourceInfo> String - This field provides a place for the SPDX file creator to record any relevant background information or additional comments about the origin of the package. For example, this field might include comments indicating whether the package was pulled from a source code management system or has been repackaged.
<spdxDocumentNamespace> String - Document namespace - must be unique for the artifact and SPDX file
Default value is: http://spdx.org/spdxpackages/${project.groupId}_${project.artifactId}-${project.version}.
<spdxFile> File - SPDX File name
Default value is: ${project.reporting.outputDirectory}/${project.groupId}_${project.artifactId}-${project.version}.spdx.
User property is: spdxFileName.
<useArtifactID> boolean - If true, use ${project.groupId}:${artifactId} as the SPDX package name. Otherwise, ${project.name} will be used.
User property is: spdx.useArtifactID.

Parameter Details

<checksumAlgorithms>

File checksums provide a unique identifier to match analysis information on each specific file in a package. The SHA1 algorithm is always calculated. Configure which additional algorithms should be used to calculate the file checksum. Other algorithms that can be provided optionally include SHA224, SHA256, SHA384, SHA512, MD2, MD4, MD5, MD6.
  • Type: java.lang.String[]
  • Required: No

<componentName>

(no description)
  • Type: java.lang.String
  • Required: No
  • Default: ${project.basedir}

<copyrightText>

Identify the copyright holders of the package, as well as any dates present. This will be a free form text field extracted from the package information files. The options to populate this field are limited to: (a) any text related to a copyright notice, even if not complete; (b) NONE if the package contains no license information whatsoever; or (c) NOASSERTION, if the SPDX file creator has not examined the contents of the package or if the SPDX file creator has intentionally provided no information (no meaning should be implied by doing so).
  • Type: java.lang.String
  • Required: No
  • Default: NOASSERTION

<createExternalRefs>

If true, external document references will be created for any dependencies which contain SPDX documents. If false, the dependent package information will be copied from the SPDX document into the generated SPDX document.
  • Type: boolean
  • Since: 0.6.3
  • Required: No
  • Default: true

<creatorComment>

An optional field for creators of the SPDX file to provide general comments about the creation of the SPDX file or any other relevant comment not included in the other fields.
  • Type: java.lang.String
  • Required: No

<creators>

Identify who (or what, in the case of a tool) created the SPDX file. If the SPDX file was created by an individual, indicate the person's name. If the SPDX file was created on behalf of a company or organization, indicate the entity name. If multiple participants or tools were involved, use multiple instances of this field. Person name or organization name may be designated as “anonymous” if appropriate. Format: single line of text with one of the following keywords: “Person: person name” and optional “(email)”, “Organization: organization” and optional “(email)”, or “Tool: toolidentifier-version”.

NOTE: the Tool: spdx-maven-plugin will automatically be added by the plugin

  • Type: java.lang.String[]
  • Required: No

<defaultFileComment>

Optional default SPDX file comment field. The file comment field provides a place for the SPDX file creator to record any general comments about the file.
  • Type: java.lang.String
  • Required: No

<defaultFileConcludedLicense>

This field contains the license the SPDX file creator has concluded as governing the file or alternative values if the governing license cannot be determined. If no concluded license is specified "NOASSERTION" will be used.
  • Type: java.lang.String
  • Required: No
  • Default: NOASSERTION

<defaultFileContributors>

Optional list of default file contributors. This field provides a place for the SPDX file creator to record file contributors. Contributors could include names of copyright holders and/or authors who may not be copyright holders, yet contributed to the file content.
  • Type: java.lang.String[]
  • Required: No

<defaultFileCopyright>

Default file copyright text. If no copyright text is specified, NOASSERTION will be used. The copyrightText field identifies the copyright holder of the file, as well as any dates present. The text must match the copyright notice found in the file. The options to populate this field are limited to: (a) any text relating to a copyright notice, even if not complete; (b) NONE, if the file contains no license information whatsoever; or (c) NOASSERTION, if the SPDX creator has not examined the contents of the actual file or if the SPDX creator has intentionally provided no information (no meaning should be implied from the absence of an assertion).
  • Type: java.lang.String
  • Required: No
  • Default: NOASSERTION

<defaultFileLicenseComment>

Optional default file license comment. The licenseComments property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded was chosen.
  • Type: java.lang.String
  • Required: No

<defaultFileNotice>

Optional default file notice text. This field provides a place for the SPDX file creator to record potential legal notices found in the file. This may or may not include copyright statements.
  • Type: java.lang.String
  • Required: No

<defaultLicenseInformationInFile>

Default license information in file. If no licenseInformationInFile is specified, NOASSERTION will be used. This field contains the license information actually found in the file, if any. Any license information not actually in the file, e.g., a “COPYING.txt” file in a top-level directory, should not be reflected in this field. This information is most commonly found in the header of the file, although it may be in other areas of the actual file. The options to populate this field are limited to: (a) the SPDX License List short form identifier, if the license is on the SPDX License List; (b) a reference to the license, denoted by LicenseRef-[idString], if the license is not on the SPDX License List; (c) NONE, if the actual file contains no license information whatsoever; or (d) NOASSERTION, if the SPDX file creator has not examined the contents of the actual file or the SPDX file creator has intentionally provided no information (no meaning should be implied by doing so). For a license set, when there is a choice between licenses (“disjunctive license”), they should be separated with “or” and enclosed in brackets. Similarly, when multiple licenses need to be applied (“conjunctive license”), they should be separated with “and” and enclosed in parentheses.
  • Type: java.lang.String
  • Required: No

<documentAnnotations>

Optional annotations for the SPDX document
<configuration>
  <documentAnnotations>
    <documentAnnotation>
      <annotationComment>   </annotationComment>
      <annotationType>   </annotationType>
      <annotationDate>2023-06-29T18:30:22Z</annotationDate>
      <annotator>Person: ...</annotator>
    </documentAnnotation>
    <!-- ... more ... -->
  </documentAnnotations>
</configuration>

<documentComment>

An optional field for creators of the SPDX file content to provide comments to the consumers of the SPDX document.
  • Type: java.lang.String
  • Required: No

<externalReferences>

<configuration>
  <externalReferences>
    <externalReference>
      <category>   </category>
      <type>   </type>
      <locator>   </locator>
      <comment>   </comment>
    </externalReference>
    <!-- ... more ... -->
  </externalReferences>
</configuration>

<generatePurls>

If true, adds an external reference to every package with category "PACKAGE-MANAGER", type "purl" and locator "pkg:maven/${project.groupId}/${project.artifactId}@${project.version}".
  • Type: boolean
  • Required: No
  • User Property: spdx.generatePurls

<includeTransitiveDependencies>

If true, all transitive dependencies will be included in the SPDX document. If false, only direct dependencies will be included.
  • Type: boolean
  • Since: 0.6.3
  • Required: No
  • Default: true

<licenseComments>

This field provides a place for the SPDX file creator to record any general comments about the license.
  • Type: java.lang.String
  • Required: No

<licenseConcluded>

This field contains the license the SPDX file creator has concluded as governing the package or alternative values, if the governing license cannot be determined. If this field is not specified, the declared license value will be used for the concluded license. The format of the string follows the standard license string format for SPDX files (see the defaultFileConcludedLicense parameter for a full description).
  • Type: java.lang.String
  • Required: No

<licenseDeclared>

License declared by the originator for the package. If no license is specified, the license information in the project POM file will be mapped to a standard SPDX license if available. If a non-standard license is used, a NOASSERTION value will be used. The format of the string follows the standard license string format for SPDX files (see the defaultFileConcludedLicense parameter for a full description).
  • Type: java.lang.String
  • Required: No

<matchLicensesOnCrossReferenceUrls>

Optional parameter; if set to true, a Maven license will be matched to an SPDX standard license when the Maven license URL matches any of the cross-reference license URLs for a standard license. Default value is true. Note: Several SPDX standard licenses contain the same cross-reference license URL. In this case, the SPDX standard license used is indeterminate.
  • Type: boolean
  • Required: No
  • Default: true

<nonStandardLicenses>

Licenses which are not SPDX listed licenses referenced within the Maven SPDX plugin configuration. All non-standard licenses must be configured containing the required license ID and license text.
<configuration>
  <nonStandardLicenses>
    <nonStandardLicense>
      <licenseId>LicenseRef-[idString]</licenseId> <!-- Required -->
      <extractedText>   </extractedText> <!-- Required -->
      <name>   </name>
      <comment>   </comment>
      <crossReference>
        <crossReference>https://...</crossReference>
      </crossReference>
    </nonStandardLicense>
    <!-- ... more ... -->
  </nonStandardLicenses>
</configuration>
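The checksumAlgorithms, generatePurls and nonStandardLicenses parameters above decide what a downstream consumer can verify in the generated document. The following added example (not part of the spdx-maven-plugin) re-checks a generated SPDX 2.3 JSON document against the source tree: it recomputes each file checksum, requires the always-present SHA1, checks that every package carries a well-formed "pkg:maven/..." purl reference, and flags LicenseRef- identifiers that were never declared under hasExtractedLicensingInfos. The JSON field names are those of the SPDX 2.3 JSON schema; the sample document and source tree are constructed inline.

```python
import hashlib
import os
import re
import tempfile

# Locator shape the plugin emits when generatePurls is true; LicenseRef- ids
# are what nonStandardLicenses declare. Field names follow SPDX 2.3 JSON.
PURL_RE = re.compile(r"^pkg:maven/[^/@]+/[^/@]+@[^/@]+$")
LICENSE_REF_RE = re.compile(r"LicenseRef-[A-Za-z0-9.\-]+")

def hash_file(path, algorithm):
    # Returns None when hashlib lacks the algorithm (MD2, MD4 and MD6 from the
    # checksumAlgorithms list are not available), so callers can report it.
    try:
        h = hashlib.new(algorithm.lower())
    except ValueError:
        return None
    with open(path, "rb") as f:
        h.update(f.read())
    return h.hexdigest()

def verify_file_checksums(doc, root):
    # (fileName, algorithm, problem) for every checksum that cannot be confirmed
    # against the file on disk. SHA1 is always written, so its absence is an error.
    problems = []
    for entry in doc.get("files", []):
        name = entry["fileName"]
        path = os.path.join(root, name[2:] if name.startswith("./") else name)
        sums = entry.get("checksums", [])
        if not any(c["algorithm"] == "SHA1" for c in sums):
            problems.append((name, "SHA1", "missing"))
        if not os.path.isfile(path):
            problems.append((name, "*", "file not found"))
            continue
        for c in sums:
            actual = hash_file(path, c["algorithm"])
            if actual is None:
                problems.append((name, c["algorithm"], "unsupported"))
            elif actual != c["checksumValue"].lower():
                problems.append((name, c["algorithm"], "mismatch"))
    return problems

def verify_purls(doc):
    # Names of packages lacking a well-formed PACKAGE-MANAGER / purl reference.
    bad = []
    for pkg in doc.get("packages", []):
        locs = [r.get("referenceLocator", "") for r in pkg.get("externalRefs", [])
                if r.get("referenceCategory") == "PACKAGE-MANAGER"
                and r.get("referenceType") == "purl"]
        if not any(PURL_RE.match(loc) for loc in locs):
            bad.append(pkg["name"])
    return bad

def verify_license_refs(doc):
    # LicenseRef-* ids used by files or packages but absent from
    # hasExtractedLicensingInfos, i.e. never declared via nonStandardLicenses.
    declared = {e["licenseId"] for e in doc.get("hasExtractedLicensingInfos", [])}
    used = set()
    for entry in doc.get("files", []) + doc.get("packages", []):
        texts = [entry.get("licenseConcluded", ""), entry.get("licenseDeclared", "")]
        texts += entry.get("licenseInfoInFiles", [])
        for text in texts:
            used.update(LICENSE_REF_RE.findall(text))
    return sorted(used - declared)

def build_sample():
    # Constructed source tree plus an SPDX document with deliberate defects:
    # a tampered SHA256, a file that no longer exists, a package without a
    # purl, and an undeclared LicenseRef.
    root = tempfile.mkdtemp()
    rel = "src/main/java/CommonCode.java"
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path))
    with open(path, "w") as f:
        f.write("// constructed sample file\nclass CommonCode {}\n")
    doc = {"spdxVersion": "SPDX-2.3", "files": [
        {"fileName": "./" + rel, "licenseConcluded": "LicenseRef-Acme-Internal",
         "licenseInfoInFiles": ["ISC"], "checksums": [
             {"algorithm": "SHA1", "checksumValue": hash_file(path, "SHA1")},
             {"algorithm": "SHA256", "checksumValue": "00" * 32}]},
        {"fileName": "./src/main/java/Missing.java", "licenseConcluded": "NOASSERTION",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "11" * 32}]}],
        "packages": [
        {"name": "demo-app", "licenseDeclared": "Apache-2.0", "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:maven/org.example/demo-app@1.0.0"}]},
        {"name": "dep-without-purl", "licenseDeclared": "LicenseRef-Unknown"}],
        "hasExtractedLicensingInfos": [
        {"licenseId": "LicenseRef-Acme-Internal", "extractedText": "constructed"}]}
    return doc, root

def run_checks(doc, root):
    return {"checksums": verify_file_checksums(doc, root),
            "packages_without_purl": verify_purls(doc),
            "undeclared_license_refs": verify_license_refs(doc)}
```

To check a real build, load the plugin's output file with json.load and pass it to run_checks together with ${project.basedir}.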

<onlyUseLocalLicenses>

Configure whether only the locally cached license list should be used. (a) If set to true, only the locally cached version of the license list is used; (b) otherwise, the license list is queried over the internet.
  • Type: boolean
  • Required: No

<originator>

The name and, optionally, contact information of the person or organization that originally created the package. Note that the supplier field of SPDX is filled in by the Organization in the POM. However, the originator may be different from the supplier (e.g. a Maven POM was built by organization X containing code originating from organization Y).

The default for this is the Maven organization.

  • Type: java.lang.String
  • Required: No

<outputFormat>

Output file format for the SPDX file. One of: JSON (JSON SPDX format) or RDF/XML (RDF/XML format).
  • Type: java.lang.String
  • Since: 0.6.0
  • Required: No
  • Default: JSON

<packageAnnotations>

Optional annotations for the package
<configuration>
  <packageAnnotations>
    <packageAnnotation>
      <annotationComment>   </annotationComment>
      <annotationType>   </annotationType>
      <annotationDate>2023-06-29T18:30:22Z</annotationDate>
      <annotator>Person: ...</annotator>
    </packageAnnotation>
    <!-- ... more ... -->
  </packageAnnotations>
</configuration>

<pathsWithSpecificSpdxInfo>

Files or directories which have SPDX information different from the project defaults. The fileOrDirectory field of the PathSpecificSpdxInfo is required. All files within the directory (or just the specific file) will use the SPDX data specified in the PathSpecificSpdxInfo parameters. All of the SPDX data parameters are optional. If any SPDX field is not specified, the project level default data will be used.

If a file or directory is nested within another pathsWithSpecificSpdxInfo, the lowest level values will be used. Note: in this case the non-specified SPDX fields for the lowest level PathSpecificSpdxInfo will use the default project level fields NOT the higher level PathSpecificSpdxInfo.

<configuration>
  <pathsWithSpecificSpdxInfo>
    <pathsWithSpecificSpdxInfo>
      <directoryOrFile>src/main/java/CommonCode.java</directoryOrFile>
      <fileComment>Comment for CommonCode</fileComment>
      <fileContributors>
        <fileContributor>Contributor to CommonCode</fileContributor>
        <!-- ... more ... -->
      </fileContributors>
      <fileCopyright>Common Code Copyright</fileCopyright>
      <fileLicenseComment>License Comment for Common Code</fileLicenseComment>
      <fileNotice>Notice for Common Code</fileNotice>
      <fileConcludedLicense>EPL-1.0</fileConcludedLicense>
      <licenseInformationInFile>ISC</licenseInformationInFile>
      <snippets>
        <snippet>
          <name>SnippetName</name>
          <comment>Snippet Comment</comment>
          <concludedLicense>BSD-2-Clause</concludedLicense>
          <lineRange>44:55</lineRange>
          <byteRange>1231:3442</byteRange>
          <licenseComment>Snippet License Comment</licenseComment>
          <copyrightText>Snippet Copyright Text</copyrightText>
          <licenseInfoInSnippet>BSD-2-Clause-FreeBSD</licenseInfoInSnippet>
        <!-- ... more ... -->
        </snippet>
      </snippets>
    </pathsWithSpecificSpdxInfo>
    <!-- ... more ... -->
  </pathsWithSpecificSpdxInfo>
</configuration>

<skip>

Skip goal execution.
  • Type: boolean
  • Since: 0.7.1
  • Required: No
  • User Property: spdx.skip

<sourceInfo>

This field provides a place for the SPDX file creator to record any relevant background information or additional comments about the origin of the package. For example, this field might include comments indicating whether the package was pulled from a source code management system or has been repackaged.
  • Type: java.lang.String
  • Required: No

<spdxDocumentNamespace>

Document namespace - must be unique for the artifact and SPDX file
  • Type: java.lang.String
  • Required: No
  • Default: http://spdx.org/spdxpackages/${project.groupId}_${project.artifactId}-${project.version}

<spdxFile>

SPDX File name
  • Type: java.io.File
  • Required: No
  • User Property: spdxFileName
  • Default: ${project.reporting.outputDirectory}/${project.groupId}_${project.artifactId}-${project.version}.spdx

<useArtifactID>

If true, use ${project.groupId}:${artifactId} as the SPDX package name. Otherwise, ${project.name} will be used.
  • Type: boolean
  • Required: No
  • User Property: spdx.useArtifactID