7 Package information section

If the SPDX information describes a package, the following fields shall be included per package.

7.1 Package name field

The existence of the Package name fields indicates the existence of package information in the SPDX information. Hence in order to describe package information, this field is mandatory.

7.1.1 Description

Identify the full name of the package as given by the Package Originator (7.6). The metadata for the package name field is shown in Table 13.

Table 13 — Metadata for the package name field

Attribute Value
Required Yes
Cardinality 1..1
Format Single line of text.

7.1.2 Intent

The name of each package is an important conventional technical identifier to be maintained for each package.

7.1.3 Examples

EXAMPLE 1 Tag: PackageName:

PackageName: glibc

EXAMPLE 2 RDF: Property spdx:name in class spdx:Package

<Package rdf:about="...">
    <name>glibc</name>
</Package>

7.2 Package SPDX identifier field

7.2.1 Description

Uniquely identify any element in an SPDX document which may be referenced by other elements. These may be referenced internally and externally with the addition of the SPDX document identifier. The metadata for the package SPDX identifier field is shown in Table 14.

Table 14 — Metadata for the package SPDX identifier field

Attribute Value
Required Yes
Cardinality 1..1
Format "SPDXRef-"[idstring]
where [idstring] is a unique string containing letters, numbers, ., and/or -.

7.2.2 Intent

There may be several versions of the same package within an SPDX document. Each element needs to be able to be referred to uniquely so that relationships between elements can be clearly articulated.

7.2.3 Examples

EXAMPLE 1 Tag: SPDXID:

SPDXID: SPDXRef-1

EXAMPLE 2 RDF: The URI for the element will follow the form:

[SPDX document namespace]#[SPDX identifier]

See 6.5 for the definition of the SPDX document namespace and 6.3 for the definition of the SPDX identifier

Using xml:base:

<rdf:RDF xml:base="http://acme.com/spdxdocs/acmeproj/v1.2/1BE2A4FF-5F1A-48D3-8483-28A9B0349A1B">
    ...
    <Package rdf:about="#SPDXRef-1">
    ...
    </Package>
</rdf:RDF>

Using document URI:

<Package rdf:about="http://acme.com/spdxdocs/acmeproj/v1.2/1BE2A4FF-5F1A-48D3-8483-28A9B0349A1B#SPDXRef-1">
    ...
</Package>

7.3 Package version field

7.3.1 Description

Identify the version of the package. The metadata for the package version field is shown in Table 15.

Table 15 — Metadata for the package version field

Attribute Value
Required No
Cardinality 0..1
Format Single line of text.

7.3.2 Intent

The versioning of a package is a useful for identification purposes and for indicating later changes of the package version.

7.3.3 Examples

EXAMPLE 1 Tag: PackageVersion:

PackageVersion: 2.11.1

EXAMPLE 2 RDF: Property spdx:versionInfo in class spdx:Package

<Package rdf:about="...">
    ...
    <versionInfo>2.11.1</versionInfo>
    ...
</Package>

7.4 Package file name field

7.4.1 Description

Provide the actual file name of the package, or path of the directory being treated as a package. This may include the packaging and compression methods used as part of the file name, if appropriate. The metadata for the package file name field is shown in Table 16.

Table 16 — Metadata for the package file name field

Attribute Value
Required No
Cardinality 0..1
Format Single line of text.

7.4.2 Intent

The actual file name of the compressed file containing the package may be a significant technical element that needs to be included with each package identification information. If a grouping, like a set of files in a sub-directory, is being treated as a package, the sub-directory name may be appropriate to provide. Sub-directory name is preceded with a ./. See RFC 3986 for syntax.

7.4.3 Examples

EXAMPLE 1 Tag: PackageFileName:

PackageFileName: glibc-2.11.1.tar.gz

Sub-directory being treated as a package:

PackageFileName: ./myrootdir/mysubdir1

EXAMPLE 2 RDF: Property spdx:packageFileName in class spdx:Package

<Package rdf:about="...">
    ...
    <packageFileName>glibc-2.11.1.tar.gz</packageFileName>
    ...
</Package>

Sub-directory being treated as a package:

<Package rdf:about="...">
   ...
   <packageFileName>./myrootdir/mysubdir1</packageFileName>
   ...
</Package>

7.5 Package supplier field

7.5.1 Description

Identify the actual distribution source for the package/directory identified in the SPDX document. This might or might not be different from the originating distribution source for the package. The name of the Package Supplier shall be an organization or recognized author and not a web site. For example, SourceForge is a host website, not a supplier, the supplier for https://sourceforge.net/projects/bridge/ is “The Linux Foundation.”

Use NOASSERTION if:

  • the SPDX document creator has attempted to but cannot reach a reasonable objective determination;

  • the SPDX document creator has made no attempt to determine this field; or

  • the SPDX document creator has intentionally provided no information (no meaning should be implied by doing so).

The metadata for the package supplier field is shown in Table 17.

Table 17 — Metadata for the package supplier field

Attribute Value
Required No
Cardinality 0..1
Format Single line of text with one of the following:
  • NOASSERTION
  • Person: person name and optional (<email>)
  • Organization: organization name and optional (<email>)

7.5.2 Intent

Assist with understanding the point of distribution for the code in the package. This field is vital for ensuring that downstream package recipients can address any ambiguity or concerns that might arise with the information in the SPDX document or the contents of the package it documents.

7.5.3 Examples

EXAMPLE 1 Tag: PackageSupplier:

PackageSupplier: Person: Jane Doe (jane.doe@example.com)

EXAMPLE 2 RDF: Property spdx:supplier in class spdx:Package

<Package rdf:about="...">
    ...
    <supplier>Person: Jane Doe (jane.doe@example.com)</supplier>
    ...
</Package>

7.6 Package originator field

7.6.1 Description

If the package identified in the SPDX document originated from a different person or organization than identified as Package Supplier (see 7.5 above), this field identifies from where or whom the package originally came. In some cases, a package may be created and originally distributed by a different third party than the Package Supplier of the package. For example, the SPDX document identifies the package as glibc and the Package Supplier as Red Hat, but the Free Software Foundation is the Package Originator.

Use NOASSERTION if:

  • the SPDX document creator has attempted to but cannot reach a reasonable objective determination;

  • the SPDX document creator has made no attempt to determine this field; or

  • the SPDX document creator has intentionally provided no information (no meaning should be implied by doing so).

The metadata for the package originator field is shown in Table 18.

Table 18 — Metadata for the package originator field

Attribute Value
Required No
Cardinality 0..1
Format Single line of text with one of the following:
  • NOASSERTION
  • Person: person name and optional (<email>)
  • Organization: organization name and optional (<email>)

7.6.2 Intent

Assist with understanding the point of origin of the code in the package. This field is vital for understanding who originally distributed a package and should help in addressing any ambiguity or concerns that might arise with the information in the SPDX document or the contents of the Package it documents.

7.6.3 Examples

EXAMPLE 1 Tag: PackageOriginator:

PackageOriginator: Organization: ExampleCodeInspect (contact@example.com)

EXAMPLE 2 RDF: Property spdx:originator in class spdx:Package

<Package rdf:about="...">
    <originator>Organization: ExampleCodeInspect 
    (contact@example.com)</originator>
</Package>

7.7 Package download location field

7.7.1 Description

This section identifies the download Uniform Resource Locator (URL), or a specific location within a version control system (VCS) for the package at the time that the SPDX document was created.

Use:

  • NONE if there is no download location whatsoever.
  • NOASSERTION if:

    • the SPDX document creator has attempted to but cannot reach a reasonable objective determination;

    • the SPDX document creator has made no attempt to determine this field; or

    • the SPDX document creator has intentionally provided no information (no meaning should be implied by doing so).

The metadata for the package download location field is shown in Table 19.

Table 19 — Metadata for the package download location field

Attribute Value
Required Yes
Cardinality 1..1
Format Uniform resource locator | VCS location | NONE | NOASSERTION

For version-controlled files, a VCS location is similar to a URL and has the following syntax:

<vcs_tool>+<transport>://<host_name>[/<path_to_repository>][@<revision_tag_or_branch>][#<sub_path>]

For git, <revision_tag_or_branch> is a <rev> as described by gitrevisions(1). It is RECOMMENDED to use the unambiguous refs/heads/<branch> or refs/tags/<tag>, rather than only <branch> or <tag>, in order to prevent issues caused by shadowing. Formats that are local to the client (...@... and :[<n>:]<path>) or involve regular expressions (<rev>^{/<text>} and :/<text>) SHOULD NOT be used.

This VCS location compact notation (inspired and mostly adopted from pip as of 2015-02-20) supports referencing locations in version control systems such as Git, Mercurial, Subversion and Bazaar, and specifies the type of VCS tool using url prefixes: git+, hg+, bzr+, svn+ and specific transport schemes such as SSH or HTTPS.

Specifying sub-paths, branch names, a commit hash, a revision or a tag name is recommended, and supported using the @ delimiter for commits and the # delimiter for sub-paths.

Using user names and password in the <host_name> is not supported and should be considered as an error. User access control to URLs or VCS repositories shall be handled outside of an SPDX document.

In VCS location compact notations, the trailing slashes in <host_name>, <path_to_repository> are not significant. Leading and trailing slashes in <sub_path> are not significant.

7.7.2 Intent

Where and how to download the exact package being referenced is critical verification and tracking data.

7.7.3 Examples

EXAMPLE 1 Tag: PackageDownloadLocation:

If ambiguous:

PackageDownloadLocation: NOASSERTION
PackageDownloadLocation: NONE

For a plain URL:

PackageDownloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz

For Git:

SPDX supported schemes are: git, git+git, git+https, git+http, and git+ssh. git and git+git are equivalent.

Here are the supported forms:

PackageDownloadLocation: git://git.myproject.org/MyProject
PackageDownloadLocation: git+https://git.myproject.org/MyProject.git
PackageDownloadLocation: git+http://git.myproject.org/MyProject
PackageDownloadLocation: git+ssh://git.myproject.org/MyProject.git
PackageDownloadLocation: git+git://git.myproject.org/MyProject
PackageDownloadLocation: git+git@git.myproject.org:MyProject

To specify a sub-path to a file or directory inside a repository use the # delimiter:

PackageDownloadLocation: git://git.myproject.org/MyProject#src/somefile.c
PackageDownloadLocation: git+https://git.myproject.org/MyProject#src/Class.java

To specify branch names, a commit hash or a tag name, use the @ delimiter:

PackageDownloadLocation: git://git.myproject.org/MyProject.git@master
PackageDownloadLocation: git+https://git.myproject.org/MyProject.git@v1.0
PackageDownloadLocation: git://git.myproject.org/MyProject.git@da39a3ee5e6b4b0d3255bfef95601890afd80709

Sub-paths and branch names or commit hash can be combined too:

PackageDownloadLocation: git+https://git.myproject.org/MyProject.git@master#/src/MyClass.cpp
PackageDownloadLocation: git+https://git.myproject.org/MyProject@da39a3ee5e6b4b0d3255bfef95601890afd80709#lib/variable.rb

For Mercurial:

SPDX supported schemes are: hg+http, hg+https, hg+static-http, and hg+ssh.

The supported forms are:

PackageDownloadLocation: hg+http://hg.myproject.org/MyProject
PackageDownloadLocation: hg+https://hg.myproject.org/MyProject
PackageDownloadLocation: hg+ssh://hg.myproject.org/MyProject

To specify a sub-path to a file or directory inside a repository use the # delimiter:

PackageDownloadLocation: hg+https://hg.myproject.org/MyProject#src/somefile.c
PackageDownloadLocation: hg+https://hg.myproject.org/MyProject#src/Class.java

To pass branch names, a commit hash, a tag name or a local branch name use the @ delimiter:

PackageDownloadLocation: hg+https://hg.myproject.org/MyProject@da39a3ee5e6b
PackageDownloadLocation: hg+https://hg.myproject.org/MyProject@2019
PackageDownloadLocation: hg+https://hg.myproject.org/MyProject@v1.0
PackageDownloadLocation: hg+https://hg.myproject.org/MyProject@special_feature

Sub-paths and branch names or commit hash can be combined too:

PackageDownloadLocation: hg+https://hg.myproject.org/MyProject@master#/src/MyClass.cpp
PackageDownloadLocation: hg+https://hg.myproject.org/MyProject@da39a3ee5e6b#lib/variable.rb

For Subversion:

SPDX supported schemes are: svn, svn+svn, svn+http, svn+https, svn+ssh. svn and svn+svn are equivalent.

The supported forms are:

PackageDownloadLocation: svn://svn.myproject.org/svn/MyProject
PackageDownloadLocation: svn+svn://svn.myproject.org/svn/MyProject
PackageDownloadLocation: svn+http://svn.myproject.org/svn/MyProject/trunk
PackageDownloadLocation: svn+https://svn.myproject.org/svn/MyProject/trunk

To specify a sub-path to a file or directory inside a repository use the # delimiter:

PackageDownloadLocation: svn+https://svn.myproject.org/MyProject#src/somefile.c
PackageDownloadLocation: svn+https://svn.myproject.org/MyProject#src/Class.java

This support is less important for SVN since the URL path can also contain sub-paths; this two forms are equivalent:

PackageDownloadLocation: svn+https://svn.myproject.org/MyProject/trunk#src/somefile.c
PackageDownloadLocation: svn+https://svn.myproject.org/MyProject/trunk/src/somefile.c

You can specify a revision using the @ delimiter:

PackageDownloadLocation: svn+https://svn.myproject.org/svn/MyProject/trunk@2019

Sub-paths and revisions can be combined too:

PackageDownloadLocation: svn+https://svn.myproject.org/MyProject@123#/src/MyClass.cpp
PackageDownloadLocation: svn+https://svn.myproject.org/MyProject/trunk@1234#lib/variable/variable.rb

For Bazaar:

SPDX supported schemes are: bzr+http, bzr+https, bzr+ssh, bzr+sftp, bzr+ftp, and bzr+lp.

The supported forms are:

PackageDownloadLocation: bzr+https://bzr.myproject.org/MyProject/trunk
PackageDownloadLocation: bzr+http://bzr.myproject.org/MyProject/trunk
PackageDownloadLocation: bzr+sftp://myproject.org/MyProject/trunk
PackageDownloadLocation: bzr+ssh://myproject.org/MyProject/trunk
PackageDownloadLocation: bzr+ftp://myproject.org/MyProject/trunk
PackageDownloadLocation: bzr+lp:MyProject

To specify a sub-path to a file or directory inside a repository use the # delimiter:

PackageDownloadLocation: bzr+https://bzr.myproject.org/MyProject/trunk#src/somefile.c
PackageDownloadLocation: bzr+https://bzr.myproject.org/MyProject/trunk#src/Class.java

You can specify a revision or tag using the @ delimiter:

PackageDownloadLocation: bzr+https://bzr.myproject.org/MyProject/trunk@2019
PackageDownloadLocation: bzr+http://bzr.myproject.org/MyProject/trunk@v1.0

Sub-paths and revisions can be combined too:

PackageDownloadLocation: bzr+https://bzr.myproject.org/MyProject/trunk@2019#src/somefile.c

EXAMPLE 2 RDF: Property spdx:downloadLocation in class spdx:Package

<Package rdf:about="...">
    <downloadLocation>http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz</downloadLocation>
</Package>
<Package rdf:about="...">
    <downloadLocation>
        git+https://git.myproject.org/MyProject.git@v10.0#src/lib.c
    </downloadLocation>
</Package>
<Package rdf:about="...">
    <downloadLocation rdf:resource="spdx:noassertion"/>
</Package>
<Package rdf:about="...">
    <downloadLocation rdf:resource="spdx:none"/>
</Package>

7.8 Files analyzed field

7.8.1 Description

Indicates whether the file content of this package has been available for or subjected to analysis when creating the SPDX document. If false, indicates packages that represent metadata or URI references to a project, product, artifact, distribution or a component. If false, the package shall not contain any files. The metadata for the files analyzed field is shown in Table 20.

Table 20 — Metadata for the files analyzed field

Attribute Value
Required No. If omitted, the default value of true is assumed.
Cardinality 0..1
Format Boolean

7.8.2 Intent

A package can refer to a project, product, artifact, distribution or a component that is external to the SPDX document.

Some examples:

  1. A bundle of external products: Package A can be metadata about Packages and their dependencies. It may also be a loosely organized manifest of references to Packages involved in a product or project. Build or execution may transitively discover more Packages and dependencies. All of these referenced Packages can have their own SPDX documents. In this case, Package A may be defined with its File Analyzed attribute set to false. Package A includes External Document References to SPDX documents containing Packages referenced in all the available relationships. The Relationships section then relates the SPDX documents and contained SPDX elements with appropriate semantics per the dependencies in the scope of Package A.
  2. Package relation to external product: Package A can have a STATIC_LINK relationship to Package B, but the binary representation of Package B is furnished by the build process and thus not contained in the file list of Package A. In this case, Package B needs to be defined with its Files Analyzed attribute set to false and all the other attributes subject to the subsequently defined constraints. Then, the relationship between Package A and Package B can be documented as described in Clause 11.
  3. File derived from external product: Package A contains multiple files derived from an outside project. Rather than use the artifactOf* attributes (F.9-4.11) to describe the relation of these files to their project, the outside project can be represented by another package, Package B, whose FilesAnalyzed (7.8) attribute is set to false. Each of the binary files can then have a relationship to package B (Clause 10). This allows the outside project to be represented by a single SPDX identifier (the identifier of Package B). It also allows the relationship(s) between the outside project and each of the files be represented in much more detail.

7.8.3 Examples

EXAMPLE 1 Tag: FilesAnalyzed

FilesAnalyzed: false

EXAMPLE 2 RDF: Property spdx:filesAnalyzed in class spdx:Package

<Package rdf:about="...">
    ...
    <filesAnalyzed>false</filesAnalyzed>
    ...
</Package>

7.9 Package verification code field

7.9.1 Description

This field provides an independently reproducible mechanism identifying specific contents of a package based on the actual files (except the SPDX document itself, if it is included in the package) that make up each package and that correlates to the data in this SPDX document. This identifier enables a recipient to determine if any file in the original package (that the analysis was done on) has been changed and permits inclusion of an SPDX document as part of a package. The metadata for the package verification code field is shown in Table 21.

Table 21 — Metadata for the package verification code field

Attribute Value
Required Yes
Cardinality 0..1 if FilesAnalyzed (7.8) is true or omitted, 0..0 (must be omitted) if FilesAnalyzed is false.
Algorithm (see the algorithm below)
Format Single line of text with 160 bit binary represented as 40 lowercase hexadecimal digits

Algorithm

verificationcode = 0
filelist = templist = ""
for all files in the package {
    if file is an "excludes" file, skip it /* exclude SPDX analysis file(s) */

        append templist with "SHA1(file)/n"
    }
sort templist in ascending order by SHA1 value
filelist = templist with "/n"s removed. /* ordered sequence of SHA1 values with no separators */
verificationcode = SHA1(filelist)

Where SHA1(file) applies a SHA1 algorithm on the contents of file and returns the result in lowercase hexadecimal digits.

Required sort order: '0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f' (ASCII order)


7.9.2 Intent

Provide a unique identifier based on the files inside each package, eliminating confusion over which version or modification of a specific package the SPDX document refers to. This field also permits embedding the SPDX document within the package without altering the identifier.

7.9.3 Examples

EXAMPLE 1 Tag: PackageVerificationCode: (and optionally (excludes: FileName))

FileName is specified in 8.1.

PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758 (excludes: ./package.spdx)

EXAMPLE 2 RDF: Properties spdx:packageVerificationCodeValue, spdx:packageVerificationCodeExcludedFile in class spdx:PackageVerificationCode in class spdx:Package

<Package rdf:about="...">
    <packageVerificationCode>
        <PackageVerificationCode>
            <packageVerificationCodeValue>
                d6a770ba38583ed4bb4525bd96e50461655d2758
            </packageVerificationCodeValue>
            <packageVerificationCodeExcludedFile>
                ./package.spdx
            </packageVerificationCodeExcludedFile>
        </PackageVerificationCode>
    </packageVerificationCode>
</Package>

7.10 Package checksum field

7.10.1 Description

Provide an independently reproducible mechanism that permits unique identification of a specific package that correlates to the data in this SPDX document. This identifier enables a recipient to determine if any file in the original package has been changed. If the SPDX document is to be included in a package, this value should not be calculated. The SHA1 algorithm shall be used to provide the checksum by default. The metadata for the package checksum field is shown in Table 22.

Table 22 — Metadata for the package checksum field

Attribute Value
Required No
Cardinality 0..*
Algorithm Algorithms that can be used: SHA1, SHA224, SHA256, SHA384, SHA512, SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, MD2, MD4, MD5, MD6, ADLER32
Format There are three components, an algorithm identifier (e.g. SHA1), a colon separator :, and a bit value represented as lowercase hexadecimal digits (appropriate as output to the algorithm).

7.10.2 Intent

Eliminate confusion over which version or modification of a specific package the SPDX document references by providing a unique identifier of the package.

7.10.3 Examples

EXAMPLE 1 Tag: PackageChecksum:

PackageChecksum: SHA1: 85ed0817af83a24ad8da68c2b5094de69833983c
PackageChecksum: SHA256: 11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd
PackageChecksum: MD5: 624c1abb3664f4b35547e7c73864ad24

EXAMPLE 2 RDF: Properties spdx:algorithm, spdx:checksumValue in class spdx:checksum in class spdx:Package

<Package rdf:about="...">
    <checksum>
        <Checksum>
            <algorithm rdf:resource="spdx:checksumAlgorithm_sha1"/>
            <checksumValue>85ed0817af83a24ad8da68c2b5094de69833983c
            </checksumValue>
        </Checksum>
    </checksum>
    <checksum>
        <Checksum>
            <algorithm rdf:resource="spdx:checksumAlgorithm_sha256"/>
            <checksumValue>
                11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd
            </checksumValue>
        </Checksum>
    </checksum>
    <checksum>
        <Checksum>
            <algorithm rdf:resource="spdx:checksumAlgorithm_md5"/>
            <checksumValue>624c1abb3664f4b35547e7c73864ad24</checksumValue>
        </Checksum>
    </checksum>
</Package>

7.11 Package home page field

7.11.1 Description

Provide a place for the SPDX document creator to record a web site that serves as the package's home page. This link can also be used to reference further information about the package referenced by the SPDX document creator.

Use:

  • NONE if there is no package home page whatsoever.
  • NOASSERTION if:

    • the SPDX document creator has attempted to but cannot reach a reasonable objective determination;

    • the SPDX document creator has made no attempt to determine this field; or

    • the SPDX document creator has intentionally provided no information (no meaning should be implied by doing so).

The metadata for the package home page field is shown in Table 23.

Table 23 — Metadata for the package home page field

Attribute Value
Required No
Cardinality 0..1
Format Uniform resource locator | NONE | NOASSERTION

7.11.2 Intent

Save the recipient of the SPDX document who is looking for more info from having to search for and verify a match between the package and the associated project homepage.

7.11.3 Examples

EXAMPLE 1 Tag: PackageHomePage:

PackageHomePage: http://ftp.gnu.org/gnu/glibc

EXAMPLE 2 RDF: Property doap:homepage in class spdx:Package

<Package rdf:about="...">
    <doap:homepage >http://ftp.gnu.org/gnu/glibc/</doap:homepage>
</Package>

This specification uses the prefix doap: to refer to the DOAP namespace:

http://usefulinc.com/ns/doap#

7.12 Source information field

7.12.1 Description

Provide a place for the SPDX document creator to record any relevant background information or additional comments about the origin of the package. For example, this field might include comments indicating whether the package was pulled from a source code management system or has been repackaged. The metadata for the source information field is shown in Table 24.

Table 24 — Metadata for the source information field

Attribute Value
Required No
Cardinality 0..1
Format Free form text that can span multiple lines.

In tag:value format this is delimited by <text>...</text>.

7.12.2 Intent

The SPDX document creator can provide additional information to describe any anomalies or discoveries in the determination of the origin of the package.

7.12.3 Examples

EXAMPLE 1 Tag: PackageSourceInfo:

PackageSourceInfo: <text>uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.</text>

EXAMPLE 2 RDF: Property spdx:sourceInfo in class spdx:Package

<Package rdf:about="...">
    ...
    <sourceInfo>uses glibc-2_11-branch from 
    git://sourceware.org/git/glibc.git.</sourceInfo>
    ...
</Package>

7.13 Concluded license field

7.13.1 Description

Contain the license the SPDX document creator has concluded as governing the package or alternative values, if the governing license cannot be determined.

The options to populate this field are limited to:

  • A valid SPDX License Expression as defined in Annex D;
  • NONE, if the SPDX document creator concludes there is no license available for this package; or
  • NOASSERTION if:

    • the SPDX document creator has attempted to but cannot reach a reasonable objective determination;

    • the SPDX document creator has made no attempt to determine this field; or

    • the SPDX document creator has intentionally provided no information (no meaning should be implied by doing so).

If the Concluded License is not the same as the Declared License (7.15), a written explanation should be provided in the Comments on License field (7.16). With respect to NOASSERTION, a written explanation in the Comments on License field (7.16) is preferred. If the Concluded License field is not present in a package, it implies an equivalent meaning to NOASSERTION.

The metadata for the concluded license field is shown in Table 25.

Table 25 — Metadata for the concluded license field

Attribute Value
Required No
Cardinality 0..1
Format <SPDX License Expression> | NONE | NOASSERTION
where:
<SPDX License Expression> is a valid SPDX License Expression as defined in Annex D.

7.13.2 Intent

Here, the intent is for the SPDX document creator to analyze the license information in package, and other objective information, e.g., COPYING file, together with the results from any scanning tools, to arrive at a reasonably objective conclusion as to what license governs the package.

7.13.3 Examples

EXAMPLE 1 Tag: PackageLicenseConcluded:

PackageLicenseConcluded: LGPL-2.0-only
PackageLicenseConcluded: (LGPL-2.0-only OR LicenseRef-3)

EXAMPLE 2 RDF: Property spdx:licenseConcluded in class spdx:Package

<Package rdf:about="...">
  ...
  <licenseConcluded rdf:resource="http://spdx.org/licenses/LGPL-2.0-only"/>
  ...
</Package>
<Package rdf:about="...">
  ...
  <licenseConcluded>
     <DisjunctiveLicenseSet>
        <member rdf:resource="http://spdx.org/licenses/LGPL-2.0-only" />
        <member rdf:resource="LicenseRef-3" />
     </DisjunctiveLicenseSet>
  </licenseConcluded>
    ...
</Package>

7.14 All licenses information from files field

7.14.1 Description

This field is to contain a list of all licenses found in the package. The relationship between licenses (i.e., conjunctive, disjunctive) is not specified in this field – it is simply a listing of all licenses found.

The options to populate this field are limited to:

  • A valid SPDX License Expression as defined in Annex D;
  • NONE, if no license information is detected in any of the files; or
  • NOASSERTION, if:

    • the SPDX document creator has made no attempt to determine this field; or
    • the SPDX document creator has intentionally provided no information (no meaning should be implied by doing so).

If the All Licenses Information from Files field is not present for a package and FilesAnalyzed field (7.8) for that same pacakge is true or omitted, it implies an equivalent meaning to NOASSERTION. The metadata for all license information from files field is shown in Table 26.

Table 26 — Metadata for the all licenses information from files field

Attribute Value
Required No
Cardinality 0..* (optional) if FilesAnalyzed (7.8) is true or omitted, 0..0 (must be omitted) if FilesAnalyzed is false.
Format <SPDX License Expression> | NONE | NOASSERTION
where:
<SPDX License Expression> is a valid SPDX License Expression as defined in Annex D.

7.14.2 Intent

Here, the intention is to capture all license information detected in the actual files.

7.14.3 Examples

EXAMPLE 1 Tag: PackageLicenseInfoFromFiles:

PackageLicenseInfoFromFiles: GPL-2.0-only
PackageLicenseInfoFromFiles: LicenseRef-1
PackageLicenseInfoFromFiles: LicenseRef-2

EXAMPLE 2 RDF: Property spdx:licenseInfoFromFiles in class spdx:Package

<Package rdf:about="...">
    ...
    <licenseInfoFromFiles rdf:resource
      ="https://spdx.org/licenses/GPL-2.0-only" />
    <licenseInfoFromFiles rdf:resource="#LicenseRef-1" />
    <licenseInfoFromFiles rdf:resource="#LicenseRef-2" />
    ...
</Package>

7.15 Declared license field

7.15.1 Description

List the licenses that have been declared by the authors of the package. Any license information that does not originate from the package authors, e.g. license information from a third-party repository, should not be included in this field.

The options to populate this field are limited to:

  • A valid SPDX License Expression as defined in Annex D;
  • NONE, if the package contains no license information whatsoever; or
  • NOASSERTION if:

    • the SPDX document creator has made no attempt to determine this field; or

    • the SPDX document creator has intentionally provided no information (no meaning should be implied by doing so).

If the Declared License field is not present for a package, it implies an equivalent meaning to NOASSERTION. The metadata for the declared license field is shown in Table 27.

Table 27 — Metadata for the declared license field

Attribute Value
Required No
Cardinality 0..1
Format <SPDX License Expression> | NONE | NOASSERTION
where:
  • <SPDX License Expression> is a valid SPDX License Expression as defined in Annex D.

7.15.2 Intent

This is simply the license identified in text in one or more files (for example COPYING file) in the source code package. This field is not intended to capture license information obtained from an external source, such as the package website. Such information can be included in Concluded License (7.13). This field may have multiple Declared Licenses, if multiple licenses are declared at the package level.

7.15.3 Examples

EXAMPLE 1 Tag: PackageLicenseDeclared:

PackageLicenseDeclared: LGPL-2.0-only
PackageLicenseDeclared: (LGPL-2.0-only AND LicenseRef-3)

EXAMPLE 2 RDF: Property spdx:licenseDeclared in class spdx:Package

<Package rdf:about="...">
  ...
  <licenseDeclared rdf:resource="http://spdx.org/licenses/LGPL-2.0-only"/>
  ...
</Package>
<Package rdf:about="...">
  ...
  <licenseDeclared>
     <ConjunctiveLicenseSet>
        <member rdf:resource="http://spdx.org/licenses/LGPL-2.0-only"/>
        <member rdf:resource="#LicenseRef-3" />
     </ConjunctiveLicenseSet>
  </licenseDeclared>
    ...
</Package>

7.16 Comments on license field

7.16.1 Description

This field provides a place for the SPDX document creator to record any relevant background information or analysis that went in to arriving at the Concluded License for a package. If the Concluded License does not match the Declared License or License Information from Files, this should be explained by the SPDX document creator. It is also preferable to include an explanation here when the Concluded License is NOASSERTION. The metadata for the comments on license field is shown in Table 28.

Table 28 — Metadata for the comments on license field

Attribute Value
Required No
Cardinality 0..1
Format Free form text that can span multiple lines.

In tag:value format this is delimited by <text>...</text>.

7.16.2 Intent

Here, the intent is to provide the recipient of the SPDX document with a detailed explanation of how the Concluded License was determined if it does not match the License Information from the files or the source code package, is marked NOASSERTION, or other helpful information relevant to determining the license of the package.

7.16.3 Examples

EXAMPLE 1 Tag: PackageLicenseComments:

PackageLicenseComments: <text>The license for this project changed with
the release of version 1.4. The version of the project included here
post-dates the license change.</text>

EXAMPLE 2 RDF: Property spdx:licenseComments in class spdx:Package

<Package rdf:about="...">
    ...
    <licenseComments>
        This package has been shipped in source and binary form.
        The binaries were created with gcc 4.5.1 and expect to link to
        compatible system run time libraries.
    </licenseComments>
    ...
</Package>

7.17.1 Description

Identify the copyright holders of the package, as well as any dates present. This will be a free form text field extracted from package information files. The options to populate this field are limited to:

  • Any text related to a copyright notice, even if not complete;
  • NONE if the package contains no copyright information whatsoever; or
  • NOASSERTION, if

    • the SPDX document creator has made no attempt to determine this field; or

    • the SPDX document creator has intentionally provided no information (no meaning should be implied by doing so).

If the Copyright Text field is not present for a package, it implies an equivalent meaning to NOASSERTION. The metadata for the copyright text field is shown in Table 29.

Table 29 — Metadata for the copyright text field

Attribute Value
Required No
Cardinality 0..1
Format Free form text that can span multiple lines | NONE | NOASSERTION

7.17.2 Intent

Record any copyright notices for the package.

7.17.3 Examples

EXAMPLE 1 Tag: PackageCopyrightText:

In tag:value format multiple lines are delimited by <text>...</text>.

PackageCopyrightText: <text>Copyright 2008-2010 John Smith</text>

EXAMPLE 2 RDF: Property spdx:copyrightText in class spdx:Package

<Package rdf:about="...">
    ...
    <copyrightText>Copyright 2008-2010 John Smith</copyrightText>
    ...
</Package>

7.18 Package summary description field

7.18.1 Description

This field is a short description of the package. The metadata for the package summary description field is shown in Table 30.

Table 30 — Metadata for the package summary description field

Attribute Value
Required No
Cardinality 0..1
Format Free form text that can span multiple lines.

7.18.2 Intent

Here, the intent is to allow the SPDX document creator to provide concise information about the function or use of the package without having to parse the source code of the actual package.

7.18.3 Examples

EXAMPLE 1 Tag: PackageSummary:

In tag:value format multiple lines are delimited by <text>...</text>.

PackageSummary: <text>GNU C library.</text>

EXAMPLE 2 RDF: Property spdx:summary in class spdx:Package

<Package rdf:about="...">
    ...
    <summary>GNU C library.</summary>
    ...
</Package>

7.19 Package detailed description field

7.19.1 Description

This field is a more detailed description of the package. It may also be extracted from the packages itself. The metadata for the package detailed description field is shown in Table 31.

Table 31 — Metadata for the package detailed description field

Attribute Value
Required No
Cardinality 0..1
Format Free form text than can span multiple lines.

7.19.2 Intent

Here, the intent is to provide recipients of the SPDX document with a detailed technical explanation of the functionality, anticipated use, and anticipated implementation of the package. This field may also include a description of improvements over prior versions of the package.

7.19.3 Examples

EXAMPLE 1 Tag: PackageDescription:

In tag:value format multiple lines are delimited by <text>...</text>.

PackageDescription: <text>The GNU C Library defines functions that are
specified by the ISO C standard, as well as additional features
specific to POSIX and other derivatives of the Unix operating system,
and extensions specific to GNU systems.</text>

EXAMPLE 2 RDF: Property spdx:description in class spdx:Package

<Package rdf:about="...">
  ...
  <description>
    The GNU C Library defines functions that are specified by the
    ISO C standard, as well as additional features specific to POSIX and
    other derivatives of the Unix operating system, and extensions
    specific to GNU systems.
  </description>
    ...
</Package>

7.20 Package comment field

7.20.1 Description

This field provides a place for the SPDX document creator to record any general comments about the package being described. The metadata for the package comment field is shown in Table 32.

Table 32 — Metadata for the package comment field

Attribute Value
Required No
Cardinality 0..1
Format Free form text that can span multiple lines.

7.20.2 Intent

Here, the intent is to provide the recipient of the SPDX document with more information determined after careful analysis of a package.

7.20.3 Examples

EXAMPLE 1 Tag: PackageComment:

In tag:value format multiple lines are delimited by <text>...</text>.

PackageComment: <text>The package includes several sub-packages; see Relationship
information.</text>

EXAMPLE 2 RDF: Property rdfs:comment in class spdx:Package

<Package rdf:about="...">
  ...
  <rdfs:comment>
    The package includes several sub-packages; see Relationship information.
  </rdfs:comment>
  ...
</Package>

7.21 External reference field

7.21.1 Description

An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package. The metadata for the external reference field is shown in Table 33.

Table 33 — Metadata for the external reference field

Attribute Value
Required No
Cardinality 0..*
Format <category> <type> <locator>
where:
  • <category> is SECURITY | PACKAGE-MANAGER | PERSISTENT-ID | OTHER
  • <type> is one of the types listed in Annex F.
  • <locator> is the unique string with no spaces necessary to access the package-specific information, metadata, or content within the target location. The format of the locator is subject to constraints defined by the <type>.

7.21.2 Intent

To indicate an outside source of information, metadata enumerations, asset identifiers, or content relevant to the Package, such as a structured naming scheme identifying Packages with known security vulnerabilities.

7.21.3 Examples

EXAMPLE 1 Tag: ExternalRef:

ExternalRef: SECURITY cpe23Type cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*
ExternalRef: PERSISTENT-ID swh swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2
ExternalRef: OTHER LocationRef-acmeforge acmecorp/acmenator/4.1.3-alpha

EXAMPLE 2 RDF: Property externalRef in class spdx:Package of type spdx:ExternalRef

For a listed location:

<spdx:Package rdf:about="...">
    ...
    <spdx:externalRef>
        <spdx:ExternalRef>
            <spdx:referenceCategory rdf:resource
              ="spdx:referenceCategory_packageManager" />
            <spdx:referenceType rdf:resource
              ="http://spdx.org/rdf/refeferences/maven-central" />
            <spdx:referenceLocator>org.apache.commons:commons-lang:3.2.1
            </spdx:referenceLocator>
        </spdx:ExternalRef>
    </spdx:externalRef>
    ...
</spdx:package>

For an unlisted location:

<spdx:Package rdf:about="...">
    ...
    <spdx:externalRef>
        <spdx:ExternalRef>
            <spdx:referenceCategory rdf:resource="spdx:referenceCategory_other" />
            <spdx:referenceType rdf:resource="http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82...LocationRef-acmeforge" />
            <spdx:referenceLocator>acmecorp/acmenator/4.1.3-alpha</spdx:referenceLocator>
        </spdx:ExternalRef>
    </spdx:externalRef>
    ...
</spdx:package>

The referenceType value for a non-listed location consists of the SPDX document namespace (see 6.5) followed by a # and the category as defined in 7.21.

7.22 External reference comment field

7.22.1 Description

To provide human-readable information about the purpose and target of the reference. The metadata for the external reference comment field is shown in Table 34.

Table 34 — Metadata for the external reference comment field

Attribute Value
Required No
Cardinality 0..1 for each External Reference (7.21)
Format Free form text that can span multiple lines.

In tag:value format this is delimited by <text>...</text> and is expected to follow an External Reference (7.21) so that the association can be made.

7.22.2 Intent

To inform a human consumer why the reference exists, what kind of information, content or metadata can be extracted. The target's relationship to artifactOf values of files in the package might need to be explained here. If the reference is BINARY, its relationship to PackageDownloadLocation might need to be explained. If the reference is SOURCE, its relationship to PackageDownloadLocation and SourceInformation might need to be explained.

7.22.3 Examples

EXAMPLE 1 Tag: ExternalRefComment:

ExternalRefComment: <text>NIST National Vulnerability Database (NVD)
describes security vulnerabilities (CVEs) which affect Vendor Product
Version acmecorp:acmenator:6.6.6.</text>

EXAMPLE 2 RDF: Property rdfs:comment in class spdx:ExternalRef

<spdx:Package rdf:about="...">
    ...
    <spdx:externalRef>
        <spdx:ExternalRef>
            <spdx:referenceCategory rdf:resource
              ="spdx:referenceCategory_packageManager" />
            <spdx:referenceType rdf:resource
              ="http://spdx.org/rdf/refeferences/maven-central" />
            <spdx:referenceLocator>org.apache.commons:commons-lang:3.2.1
            </spdx:referenceLocator>
            <rdfs:comment>
              NIST National Vulnerability Database (NVD) describes
              security vulnerabilities (CVEs) which affect Vendor Product
              Version acmecorp:acmenator:6.6.6
            </rdfs:comment>
        </spdx:ExternalRef>
    </spdx:externalRef>
    ...
</spdx:package>

7.23 Package attribution text field

7.23.1 Description

This field provides a place for the SPDX document creator to record, at the package level, acknowledgements that might be required to be communicated in some contexts. This is not meant to include the package's actual complete license text (see PackageLicenseConcluded, PackageLicenseDeclared and PackageLicenseInfoFromFiles), and might or might not include copyright notices (see also PackageCopyrightText). The SPDX document creator might use this field to record other acknowledgements, such as particular clauses from license texts, which might be necessary or desirable to reproduce. The metadata for the package attribution text field is shown in Table 35.

Table 35 — Metadata for the package attribution text field

Attribute Value
Required No
Cardinality 0..*
Format Free form text that can span multiple lines.

7.23.2 Intent

The intent is to provide the recipient of the SPDX document with acknowledgement content at a package level, to assist redistributors of the package with reproducing those acknowledgements. This field does not necessarily indicate where, or in which contexts, the acknowledgements need to be reproduced (such as end-user documentation, advertising materials, etc.) and the SPDX document creator might or might not explain elsewhere how they intend for this field to be used.

7.23.3 Examples

EXAMPLE 1 Tag: PackageAttributionText:

In tag:value format multiple lines are delimited by <text> .. </text>.

PackageAttributionText: <text>
All advertising materials mentioning features or use of this software
must display the following acknowledgement:  This product includes
software developed by the AT&T.
</text>

EXAMPLE 2 RDF: Property spdx:attributionText in class spdx:Package

<Package rdf:about="...">
    <attributionText>
        All advertising materials mentioning features or use of this
        software must display the following acknowledgement:  This 
        product includes software developed by the AT&T.
    </attributionText>
</Package>

7.24 Primary Package Purpose field

7.24.1 Description

This field provides information about the primary purpose of the identified package. Package Purpose is intrinsic to how the package is being used rather than the content of the package. The options to populated this field are limited to:

APPLICATION if the package is a software application; FRAMEWORK if the package is a software framework; LIBRARY if the package is a software library; CONTAINER if the package refers to a container image which can be used by a container runtime application; OPERATING-SYSTEM if the package refers to an operating system; DEVICE if the package refers to a chipset, processor, or electronic board; FIRMWARE if the package provides low level control over a device's hardware; SOURCE if the package is a collection of source files; ARCHIVE if the package refers to an archived collection of files (.tar, .zip, etc); FILE if the package is a single file which can be independently distributed (configuration file, statically linked binary, Kubernetes deployment, etc); INSTALL if the package is used to install software on disk; OTHER if the package doesn't fit into the above categories.

The metadata for the Primary Package Purpose field is shown in Table 36.

Table 36 — Metadata for the primary package purpose field

Attribute Value
Required No
Cardinality 0..*
Format APPLICATION | FRAMEWORK | LIBRARY | CONTAINER | OPERATING-SYSTEM | DEVICE | FIRMWARE | SOURCE | ARCHIVE | FILE | INSTALL \|OTHER` |

7.24.2 Intent

This field is a reasonable estimate of the most likely package usage from the producer and consumer perspective from which both parties can draw conclusions about the context in which the package exists.

7.24.3 Examples

EXAMPLE 1 Tag: PrimaryPackagePurpose:

PrimaryPackagePurpose: FRAMEWORK

EXAMPLE 2 RDF: Property spdx:purpose in class spdx:Package

<Package rdf:about="cluster-api">
    <primaryPackagePurpose rdf:resource="packagePurpose_container" />
</Package>

7.25 Release Date

7.25.1 Description

This field provides a place for recording the date the package was released.

Table 37 — Metadata for the release date

Attribute Value
Required No
Cardinality 0..1
Format YYYY-MM-DDThh:mm:ssZ
where:
  • YYYY is year
  • MM is month with leading zero
  • DD is day with leading zero
  • T is delimiter for time
  • hh is hours with leading zero in 24 hour time
  • mm is minutes with leading zero
  • ss is seconds with leading zero
  • Z is universal time indicator

7.25.2 Intent

The release date is helpful for strict identification of the prerequisite assumptions of usage.

7.25.3 Examples

EXAMPLE 1 Tag: ReleaseDate:

ReleaseDate: 2010-01-29T18:30:22Z

EXAMPLE 2 RDF: Property spdx:releaseDate in class spdx:Package

<Package rdf:about="...">
    <releaseDate> 2010-01-29T18:30:22Z </releaseDate>
</Package>

7.26 Built Date

7.26.1 Description

This field provides a place for recording the actual date the package was built.

Table 38 — Metadata for the built date

Attribute Value
Required No
Cardinality 0..1
Format YYYY-MM-DDThh:mm:ssZ
where:
  • YYYY is year
  • MM is month with leading zero
  • DD is day with leading zero
  • T is delimiter for time
  • hh is hours with leading zero in 24 hour time
  • mm is minutes with leading zero
  • ss is seconds with leading zero
  • Z is universal time indicator

7.26.2 Intent

The date when the package was built is helpful for strict identification of the prerequisite assumptions of usage.
Ideally it should be recorded from build system tools directly or the creation date of the package itself.

7.26.3 Examples

EXAMPLE 1 Tag: BuiltDate:

BuiltDate: 2010-01-29T18:30:22Z

EXAMPLE 2 RDF: Property spdx:builtDate in class spdx:Package

<Package rdf:about="...">
    <builtDate> 2010-01-29T18:30:22Z </builtDate>
</Package>

7.27 Valid Until Date

7.27.1 Description

This field provides a place for recording the end of the support period for a package from the supplier.

Table 39 — Metadata for the valid until date

Attribute Value
Required No
Cardinality 0..1
Format YYYY-MM-DDThh:mm:ssZ
where:
  • YYYY is year
  • MM is month with leading zero
  • DD is day with leading zero
  • T is delimiter for time
  • hh is hours with leading zero in 24 hour time
  • mm is minutes with leading zero
  • ss is seconds with leading zero
  • Z is universal time indicator

7.27.2 Intent

The date when support for the package ends from the supplier. Usage is considered valid until this date.

7.27.3 Examples

EXAMPLE 1 Tag: ValidUntilDate:

ValidUntilDate: 2030-12-30T18:00:00Z

EXAMPLE 2 RDF: Property spdx:validUntilDate in class spdx:Package

<Package rdf:about="...">
    <validUntilDate> 2030-12-30T18:00:00Z </validUntilDate>
</Package>