new file mode 100644
@@ -0,0 +1,1284 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+inherit spdx-common
+
+SPDX_VERSION = "3.0.0"
+
+# The list of SPDX profiles generated documents will conform to
+SPDX_PROFILES ?= "core build software simpleLicensing security"
+
+SPDX_INCLUDE_BUILD_VARIABLES ??= "0"
+SPDX_INCLUDE_BUILD_VARIABLES[doc] = "If set to '1', the bitbake variables for a \
+ recipe will be included in the Build object"
+
+SPDX_IMPORTS ??= ""
+SPDX_IMPORTS[doc] = "SPDX_IMPORTS is the base variable that describes how to \
+ reference external SPDX ids. Each import is defined as a key in this \
+ variable with a suffix to describe to as a suffix to look up more \
+ information about the import. Each key can have the following variables: \
+ SPDX_IMPORTS_<key>_spdxid: The Fully qualified SPDX ID of the object \
+ SPDX_IMPORTS_<key>_uri: The URI where the SPDX Document that contains \
+ the external object can be found. Optional but recommended \
+ SPDX_IMPORTS_<key>_hash_<hash>: The Checksum of the SPDX Document that \
+ contains the External ID. <hash> must be one the valid SPDX hashing \
+ algorithms, as described by the HashAlgorithm vocabulary in the\
+ SPDX 3 spec. Optional but recommended \
+"
+
+# Agents
+# Bitbake variables can be used to describe an SPDX Agent that may be used
+# during the build. An Agent is specified using a set of variables which all
+# start with some common base name:
+#
+# <BASE>_name: The name of the Agent (required)
+# <BASE>_type: The type of Agent. Must be one of "person", "organization",
+# "software", or "agent" (the default if not specified)
+# <BASE>_comment: The comment for the Agent (optional)
+# <BASE>_id_<ID>: And External Identifier for the Agent. <ID> must be a valid
+# ExternalIdentifierType from the SPDX 3 spec. Commonly, an E-mail address
+# can be specified with <BASE>_id_email
+#
+# Alternatively, an Agent can be an external reference by referencing a key
+# in SPDX_IMPORTS like so:
+#
+# <BASE>_import = "<key>"
+#
+# Finally, the same agent described by another set of agent variables can be
+# referenced by specifying the basename of the variable that should be
+# referenced:
+#
+# SPDX_SUPPLIER_ref = "SPDX_AUTHORS_openembedded"
+
+SPDX_AUTHORS ??= "openembedded"
+SPDX_AUTHORS[doc] = "A space separated list of the document authors. Each item \
+ is used to name a base variable like SPDX_AUTHORS_<AUTHOR> that \
+ describes the author."
+
+SPDX_AUTHORS_openembedded_name = "OpenEmbedded"
+SPDX_AUTHORS_openembedded_type = "organization"
+
+SPDX_BUILD_HOST[doc] = "The base variable name to describe the build host on \
+ which a build is running. Must be an SPDX_IMPORTS key"
+
+SPDX_INVOKED_BY[doc] = "The base variable name to describe the Agent that \
+ invoked the build, which builds will link to if specified."
+
+SPDX_ON_BEHALF_OF[doc] = "The base variable name to describe the Agent on who's \
+ behalf the invoking Agent (SPDX_INVOKED_BY) is running the build."
+
+SPDX_SUPPLIER[doc] = "The base variable name to describe the Agent who is supplying \
+ artifacts produced by the build"
+
+SPDX_PACKAGE_ADDITIONAL_PURPOSE ?= ""
+SPDX_PACKAGE_ADDITIONAL_PURPOSE[doc] = "The list of additional purposes to assign to \
+ the generated packages for a recipe. The primary purpose is always `install`. \
+ Packages overrides are allowed to override the additional purposes for \
+ individual packages."
+
+SPDX_IMAGE_PURPOSE ?= "filesystemImage"
+SPDX_IMAGE_PURPOSE[doc] = "The list of purposes to assign to the generated images. \
+ The first listed item will be the Primary Purpose and all additional items will \
+ be added as additional purposes"
+
+SPDX_SDK_PURPOSE ?= "install"
+SPDX_SDK_PURPOSE[doc] = "The list of purposes to assign to the generate SDK installer. \
+ The first listed item will be the Primary Purpose and all additional items will \
+ be added as additional purposes"
+
+SPDX_HASH_ALGORITHMS ?= "sha256 sha1"
+
+
+def add_license_expression(d, objset, license_expression):
+ from pathlib import Path
+ import oe.spdx30
+ import oe.sbom30
+
+ license_data = d.getVar("SPDX_LICENSE_DATA")
+ simple_license_text = {}
+ license_text_map = {}
+ license_ref_idx = 0
+
+ def add_license_text(name):
+ nonlocal objset
+ nonlocal simple_license_text
+
+ if name in simple_license_text:
+ return name
+
+ lic = objset.find_filter(
+ oe.spdx30.simplelicensing_SimpleLicensingText,
+ name=name,
+ )
+
+ if lic is not None:
+ simple_license_text[name] = lic
+ return lic
+
+ lic = objset.add(oe.spdx30.simplelicensing_SimpleLicensingText(
+ _id=objset.new_spdxid("license-text", name),
+ creationInfo=objset.doc.creationInfo,
+ name=name,
+ ))
+ simple_license_text[name] = lic
+
+ if name == "PD":
+ lic.simplelicensing_licenseText = "Software released to the public domain"
+ return lic
+
+ # Seach for the license in COMMON_LICENSE_DIR and LICENSE_PATH
+ for directory in [d.getVar('COMMON_LICENSE_DIR')] + (d.getVar('LICENSE_PATH') or '').split():
+ try:
+ with (Path(directory) / name).open(errors="replace") as f:
+ lic.simplelicensing_licenseText = f.read()
+ return lic
+
+ except FileNotFoundError:
+ pass
+
+ # If it's not SPDX or PD, then NO_GENERIC_LICENSE must be set
+ filename = d.getVarFlag('NO_GENERIC_LICENSE', name)
+ if filename:
+ filename = d.expand("${S}/" + filename)
+ with open(filename, errors="replace") as f:
+ lic.simplelicensing_licenseText = f.read()
+ return lic
+ else:
+ bb.fatal("Cannot find any text for license %s" % name)
+
+ def convert(l):
+ nonlocal license_text_map
+ nonlocal license_ref_idx
+
+ if l == "(" or l == ")":
+ return l
+
+ if l == "&":
+ return "AND"
+
+ if l == "|":
+ return "OR"
+
+ if l == "CLOSED":
+ return "NONE"
+
+ spdx_license = d.getVarFlag("SPDXLICENSEMAP", l) or l
+ if spdx_license in license_data["licenses"]:
+ return spdx_license
+
+ spdx_license = "LicenseRef-" + l
+ license_text_map[spdx_license] = add_license_text(l)._id
+
+ return spdx_license
+
+ lic_split = license_expression.replace("(", " ( ").replace(")", " ) ").replace("|", " | ").replace("&", " & ").split()
+ spdx_license_expression = ' '.join(convert(l) for l in lic_split)
+
+ return objset.new_license_expression(spdx_license_expression, license_text_map)
+
+
+def add_package_files(d, objset, topdir, get_spdxid, get_purposes, *, archive=None, ignore_dirs=[], ignore_top_level_dirs=[]):
+ from pathlib import Path
+ import oe.spdx30
+ import oe.sbom30
+
+ license_cache = {}
+
+ source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
+ if source_date_epoch:
+ source_date_epoch = int(source_date_epoch)
+
+ spdx_files = set()
+
+ file_counter = 1
+ for subdir, dirs, files in os.walk(topdir):
+ dirs[:] = [d for d in dirs if d not in ignore_dirs]
+ if subdir == str(topdir):
+ dirs[:] = [d for d in dirs if d not in ignore_top_level_dirs]
+
+ for file in files:
+ filepath = Path(subdir) / file
+ if filepath.is_symlink() or not filepath.is_file():
+ continue
+
+ filename = str(filepath.relative_to(topdir))
+
+ spdx_file = oe.spdx30.software_File(
+ _id=get_spdxid(file_counter),
+ creationInfo=objset.doc.creationInfo,
+ name=filename,
+ )
+
+ file_purposes = get_purposes(filepath)
+ is_source = oe.spdx30.software_SoftwarePurpose.source in file_purposes
+ if file_purposes:
+ spdx_file.software_primaryPurpose = file_purposes[0]
+ spdx_file.software_additionalPurpose = file_purposes[1:]
+
+ objset.add(spdx_file)
+ spdx_files.add(spdx_file)
+
+ if archive is not None:
+ with filepath.open("rb") as f:
+ info = archive.gettarinfo(fileobj=f)
+ info.name = filename
+ info.uid = 0
+ info.gid = 0
+ info.uname = "root"
+ info.gname = "root"
+
+ if source_date_epoch is not None and info.mtime > source_date_epoch:
+ info.mtime = source_date_epoch
+
+ archive.addfile(info, f)
+
+ spdx_file.verifiedUsing.append(
+ oe.spdx30.Hash(
+ algorithm=oe.spdx30.HashAlgorithm.sha1,
+ hashValue=bb.utils.sha1_file(filepath),
+ )
+ )
+
+ spdx_file.verifiedUsing.append(
+ oe.spdx30.Hash(
+ algorithm=oe.spdx30.HashAlgorithm.sha256,
+ hashValue=bb.utils.sha256_file(filepath),
+ )
+ )
+
+ bb.debug(1, "Adding file %s to %s" % (filepath, objset.doc._id))
+
+ if is_source:
+ file_licenses = set()
+ for extracted_lic in extract_licenses(filepath):
+ file_licenses.add(objset.new_license_expression(extracted_lic))
+
+ if file_licenses:
+ objset.new_relationship(
+ [spdx_file],
+ oe.spdx30.RelationshipType.hasDeclaredLicense,
+ file_licenses
+ )
+
+ file_counter += 1
+
+ return spdx_files
+
+
+def get_package_sources_from_debug(d, package, package_files, sources, source_hash_cache):
+ from pathlib import Path
+ import oe.packagedata
+
+ debug_search_paths = [
+ Path(d.getVar('PKGD')),
+ Path(d.getVar('STAGING_DIR_TARGET')),
+ Path(d.getVar('STAGING_DIR_NATIVE')),
+ Path(d.getVar('STAGING_KERNEL_DIR')),
+ ]
+
+ pkg_data = oe.packagedata.read_subpkgdata_extended(package, d)
+
+ if pkg_data is None:
+ return
+
+ dep_source_files = set()
+
+ for file_path, file_data in pkg_data["files_info"].items():
+ if not "debugsrc" in file_data:
+ continue
+
+ for pkg_file in package_files:
+ if file_path.lstrip("/") == pkg_file.name.lstrip("/"):
+ break
+ else:
+ bb.fatal("No package file found for %s in %s; SPDX found: %s" % (str(file_path), package,
+ " ".join(p.name for p in package_files)))
+ continue
+
+ for debugsrc in file_data["debugsrc"]:
+ for search in debug_search_paths:
+ if debugsrc.startswith("/usr/src/kernel"):
+ debugsrc_path = search / debugsrc.replace('/usr/src/kernel/', '')
+ else:
+ debugsrc_path = search / debugsrc.lstrip("/")
+
+ if debugsrc_path in source_hash_cache:
+ file_sha256 = source_hash_cache[debugsrc_path]
+ if file_sha256 is None:
+ continue
+ else:
+ if not debugsrc_path.exists():
+ source_hash_cache[debugsrc_path] = None
+ continue
+
+ file_sha256 = bb.utils.sha256_file(debugsrc_path)
+ source_hash_cache[debugsrc_path] = file_sha256
+
+ if file_sha256 in sources:
+ source_file = sources[file_sha256]
+ dep_source_files.add(source_file)
+ else:
+ bb.debug(1, "Debug source %s with SHA256 %s not found in any dependency" % (str(debugsrc_path), file_sha256))
+ break
+ else:
+ bb.debug(1, "Debug source %s not found" % debugsrc)
+
+ return dep_source_files
+
+get_package_sources_from_debug[vardepsexclude] += "STAGING_KERNEL_DIR"
+
+def collect_dep_objsets(d, build):
+ import json
+ from pathlib import Path
+ import oe.sbom30
+ import oe.spdx30
+
+ deps = get_spdx_deps(d)
+
+ dep_objsets = []
+ dep_builds = set()
+
+ dep_build_spdxids = set()
+ for dep_pn, _, in_taskhash in deps:
+ bb.debug(1, "Fetching SPDX for dependency %s" % (dep_pn))
+ dep_build, dep_objset = oe.sbom30.find_root_obj_in_jsonld(d, "recipes", dep_pn, oe.spdx30.build_Build)
+ # If the dependency is part of the taskhash, return it to be linked
+ # against. Otherwise, it cannot be linked against because this recipe
+ # will not rebuilt if dependency changes
+ if in_taskhash:
+ dep_objsets.append(dep_objset)
+
+ # The build _can_ be linked against (by alias)
+ dep_builds.add(dep_build)
+
+ return dep_objsets, dep_builds
+
+collect_dep_objsets[vardepsexclude] = "SSTATE_ARCHS"
+
+def collect_dep_sources(dep_objsets):
+ import oe.spdx30
+ import oe.sbom30
+
+ sources = {}
+ for objset in dep_objsets:
+ # Don't collect sources from native recipes as they
+ # match non-native sources also.
+ if objset.is_native():
+ continue
+
+ bb.debug(1, "Fetching Sources for dependency %s" % (objset.doc.name))
+
+ dep_build = objset.find_root(oe.spdx30.build_Build)
+ if not dep_build:
+ bb.fatal("Unable to find a build")
+
+ for e in objset.foreach_type(oe.spdx30.Relationship):
+ if dep_build is not e.from_:
+ continue
+
+ if e.relationshipType != oe.spdx30.RelationshipType.hasInputs:
+ continue
+
+ for to in e.to:
+ if not isinstance(to, oe.spdx30.software_File):
+ continue
+
+ if to.software_primaryPurpose != oe.spdx30.software_SoftwarePurpose.source:
+ continue
+
+ for v in to.verifiedUsing:
+ if v.algorithm == oe.spdx30.HashAlgorithm.sha256:
+ sources[v.hashValue] = to
+ break
+ else:
+ bb.fatal("No SHA256 found for %s in %s" % (to.name, objset.doc.name))
+
+ return sources
+
+def add_hashes(d, element, filepath):
+ import hashlib
+
+ algorithms = d.getVar("SPDX_HASH_ALGORITHMS").split()
+ algorithms.sort()
+
+ hashes = [hashlib.new(a) for a in algorithms]
+
+ with open(filepath, "rb") as f:
+ while True:
+ data = f.read(4096)
+ if not data:
+ break
+
+ for h in hashes:
+ h.update(data)
+
+ element.verifiedUsing.extend(
+ oe.spdx30.Hash(
+ algorithm=getattr(oe.spdx30.HashAlgorithm, h.name),
+ hashValue=h.hexdigest(),
+ ) for h in hashes
+ )
+
+
+def add_download_files(d, objset):
+ import oe.patch
+ import oe.spdx30
+ import os
+
+ inputs = set()
+
+ urls = d.getVar("SRC_URI").split()
+ fetch = bb.fetch2.Fetch(urls, d)
+
+ for download_idx, src_uri in enumerate(urls):
+ fd = fetch.ud[src_uri]
+
+ for name in fd.names:
+ file_name = os.path.basename(fetch.localpath(src_uri))
+ if oe.patch.patch_path(src_uri, fetch, '', expand=False):
+ primary_purpose = oe.spdx30.software_SoftwarePurpose.patch
+ else:
+ primary_purpose = oe.spdx30.software_SoftwarePurpose.source
+
+ if fd.type == "file":
+ file = objset.add(oe.spdx30.software_File(
+ _id=objset.new_spdxid("source", str(download_idx + 1)),
+ creationInfo=objset.doc.creationInfo,
+ name=file_name,
+ software_primaryPurpose=primary_purpose,
+ ))
+ add_hashes(d, file, fd.localpath)
+
+ inputs.add(file)
+ else:
+ uri = fd.type
+ proto = getattr(fd, "proto", None)
+ if proto is not None:
+ uri = uri + "+" + proto
+ uri = uri + "://" + fd.host + fd.path
+
+ if fd.method.supports_srcrev():
+ uri = uri + "@" + fd.revisions[name]
+
+ dl = objset.add(oe.spdx30.software_Package(
+ _id=objset.new_spdxid("source", str(download_idx + 1)),
+ creationInfo=objset.doc.creationInfo,
+ name=file_name,
+ software_primaryPurpose=primary_purpose,
+ software_downloadLocation=uri,
+ ))
+
+ if fd.method.supports_checksum(fd):
+ # TODO Need something better than hard coding this
+ for checksum_id in ["sha256", "sha1"]:
+ expected_checksum = getattr(fd, "%s_expected" % checksum_id, None)
+ if expected_checksum is None:
+ continue
+
+ dl.verifiedUsing.append(
+ oe.spdx30.Hash(
+ algorithm=getattr(oe.spdx30.HashAlgorithm, checksum_id),
+ hashValue=expected_checksum,
+ )
+ )
+
+ inputs.add(dl)
+
+ return inputs
+
+
+def collect_build_package_inputs(d, objset, build, packages):
+ providers = collect_package_providers(d)
+
+ build_deps = set()
+
+ for name in sorted(packages.keys()):
+ if name not in providers:
+ bb.fatal("Unable to find SPDX provider for '%s'" % name)
+
+ pkg_name, pkg_hashfn = providers[name]
+
+ # Copy all of the package SPDX files into the Sbom elements
+ pkg_spdx, _ = oe.sbom30.find_root_obj_in_jsonld(
+ d,
+ "packages",
+ pkg_name,
+ oe.spdx30.software_Package,
+ software_primaryPurpose=oe.spdx30.software_SoftwarePurpose.install,
+ )
+ build_deps.add(pkg_spdx._id)
+
+ objset.new_scoped_relationship(
+ [build],
+ oe.spdx30.RelationshipType.hasInputs,
+ oe.spdx30.LifecycleScopeType.build,
+ sorted(list(build_deps)),
+ )
+
+def set_purposes(d, element, *var_names, force_purposes=[]):
+ purposes = force_purposes[:]
+
+ for var_name in var_names:
+ val = d.getVar(var_name)
+ if val:
+ purposes.extend(val.split())
+ break
+
+ if not purposes:
+ bb.warn("No SPDX purposes found in %s" % " ".join(var_names))
+ return
+
+ element.software_primaryPurpose = getattr(oe.spdx30.software_SoftwarePurpose, purposes[0])
+ element.software_additionalPurpose = [getattr(oe.spdx30.software_SoftwarePurpose, p) for p in purposes[1:]]
+
+
+python do_create_spdx() {
+ import oe.sbom30
+ import oe.spdx30
+ from pathlib import Path
+ from contextlib import contextmanager
+ import oe.cve_check
+ from datetime import datetime
+
+
+ def set_var_field(var, obj, name, package=None):
+ val = None
+ if package:
+ val = d.getVar("%s:%s" % (var, package))
+
+ if not val:
+ val = d.getVar(var)
+
+ if val:
+ setattr(obj, name, val)
+
+ deploydir = Path(d.getVar("SPDXDEPLOY"))
+ deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
+ spdx_workdir = Path(d.getVar("SPDXWORK"))
+ include_sources = d.getVar("SPDX_INCLUDE_SOURCES") == "1"
+ pkg_arch = d.getVar("SSTATE_PKGARCH")
+ is_native = bb.data.inherits_class("native", d) or bb.data.inherits_class("cross", d)
+
+ build_objset = oe.sbom30.ObjectSet.new_objset(d, d.getVar("PN"))
+
+ build = build_objset.new_sub_build("recipe", "recipe")
+ build_objset.doc.rootElement.append(build)
+
+ build_objset.set_is_native(is_native)
+
+ for var in (d.getVar('SPDX_CUSTOM_ANNOTATION_VARS') or "").split():
+ new_annotation(
+ d,
+ build_objset,
+ build,
+ "%s=%s" % (var, d.getVar(var)),
+ oe.spdx30.AnnotationType.other
+ )
+
+ build_inputs = set()
+
+ # Add CVEs
+ cve_by_status = {}
+ cve_by_status["Patched"] = {cve: build_objset.new_cve_vuln(cve) for cve in oe.cve_check.get_patched_cves(d)}
+
+ for cve in (d.getVarFlags("CVE_STATUS") or {}):
+ status, _, _ = oe.cve_check.decode_cve_status(d, cve)
+ # Already added above
+ if status == "Patched":
+ continue
+
+ cve_by_status.setdefault(status, {})[cve] = build_objset.new_cve_vuln(cve)
+
+ cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION"))
+
+ source_files = add_download_files(d, build_objset)
+ build_inputs |= source_files
+
+ recipe_spdx_license = add_license_expression(d, build_objset, d.getVar("LICENSE"))
+ build_objset.new_relationship(
+ source_files,
+ oe.spdx30.RelationshipType.hasConcludedLicense,
+ [recipe_spdx_license],
+ )
+
+ if process_sources(d) and include_sources:
+ bb.debug(1, "Adding source files to SPDX")
+ spdx_get_src(d)
+
+ build_inputs |= add_package_files(
+ d,
+ build_objset,
+ spdx_workdir,
+ lambda file_counter: build_objset.new_spdxid("sourcefile", str(file_counter)),
+ lambda filepath: [oe.spdx30.software_SoftwarePurpose.source],
+ ignore_dirs=[".git"],
+ ignore_top_level_dirs=["temp"],
+ archive=None,
+ )
+
+ dep_objsets, dep_builds = collect_dep_objsets(d, build)
+ build_objset.new_scoped_relationship(
+ [build],
+ oe.spdx30.RelationshipType.dependsOn,
+ oe.spdx30.LifecycleScopeType.build,
+ sorted(oe.sbom30.get_element_link_id(b) for b in dep_builds),
+ )
+
+ debug_source_ids = set()
+ source_hash_cache = {}
+
+ # Write out the package SPDX data now. It is not complete as we cannot
+ # write the runtime data, so write it to a staging area and a later task
+ # will write out the final collection
+
+ # TODO: Handle native recipe output
+ if not is_native:
+ bb.debug(1, "Collecting Dependency sources files")
+ sources = collect_dep_sources(dep_objsets)
+
+ bb.build.exec_func("read_subpackage_metadata", d)
+
+ pkgdest = Path(d.getVar("PKGDEST"))
+ for package in d.getVar("PACKAGES").split():
+ if not oe.packagedata.packaged(package, d):
+ continue
+
+ pkg_name = d.getVar("PKG:%s" % package) or package
+
+ bb.debug(1, "Creating SPDX for package %s" % pkg_name)
+
+ pkg_objset = oe.sbom30.ObjectSet.new_objset(d, pkg_name)
+
+ spdx_package = pkg_objset.add_root(oe.spdx30.software_Package(
+ _id=pkg_objset.new_spdxid("package", pkg_name),
+ creationInfo=pkg_objset.doc.creationInfo,
+ name=pkg_name,
+ software_packageVersion=d.getVar("PV"),
+ builtTime=oe.sbom30.spdx_now(),
+ ))
+
+ set_purposes(
+ d,
+ spdx_package,
+ "SPDX_PACKAGE_ADDITIONAL_PURPOSE:%s" % package,
+ "SPDX_PACKAGE_ADDITIONAL_PURPOSE",
+ force_purposes=["install"],
+ )
+
+
+ supplier = build_objset.new_agent("SPDX_SUPPLIER")
+ if supplier is not None:
+ spdx_package.supplier = supplier if isinstance(supplier, str) else supplier._id
+
+ set_var_field("HOMEPAGE", spdx_package, "software_homePage", package=package)
+ set_var_field("SUMMARY", spdx_package, "summary", package=package)
+ set_var_field("DESCRIPTION", spdx_package, "description", package=package)
+
+ pkg_objset.new_scoped_relationship(
+ [build._id],
+ oe.spdx30.RelationshipType.hasOutputs,
+ oe.spdx30.LifecycleScopeType.build,
+ [spdx_package],
+ )
+
+ if cpe_ids:
+ for cpe_id in cpe_ids:
+ spdx_package.externalIdentifier.append(
+ oe.spdx30.ExternalIdentifier(
+ externalIdentifierType=oe.spdx30.ExternalIdentifierType.cpe23,
+ identifier=cpe_id,
+ ))
+
+ # TODO: Generate a file for each actual IPK/DEB/RPM/TGZ file
+ # generated and link it to the package
+ #spdx_package_file = pkg_objset.add(oe.spdx30.software_File(
+ # _id=pkg_objset.new_spdxid("distribution", pkg_name),
+ # creationInfo=pkg_objset.doc.creationInfo,
+ # name=pkg_name,
+ # builtTime=oe.sbom30.spdx_now(),
+ # software_primaryPurpose=spdx_package.software_primaryPurpose,
+ # software_additionalPurpose=spdx_package.software_additionalPurpose,
+ #))
+
+ ## TODO add hashes
+ #pkg_objset.new_relationship(
+ # [spdx_package],
+ # oe.spdx30.RelationshipType.hasDistributionArtifact,
+ # [spdx_package_file],
+ #)
+
+ # NOTE: licenses live in the recipe collection and are referenced
+ # by ID in the package collection(s). This helps reduce duplication
+ # (since a lot of packages will have the same license), and also
+ # prevents duplicate license SPDX IDs in the packages
+ package_license = d.getVar("LICENSE:%s" % package)
+ if package_license and package_license != d.getVar("LICENSE"):
+ package_spdx_license = add_license_expression(d, build_objset, package_license)
+ else:
+ package_spdx_license = recipe_spdx_license
+
+ pkg_objset.new_relationship(
+ [spdx_package],
+ oe.spdx30.RelationshipType.hasConcludedLicense,
+ [package_spdx_license._id],
+ )
+
+ # NOTE: CVE Elements live in the recipe collection
+ for status, cves in cve_by_status.items():
+ pkg_objset.new_relationship(
+ [spdx_package],
+ oe.spdx30.RelationshipType.hasAssociatedVulnerability,
+ sorted(spdx_cve._id for _, spdx_cve in cves.items()),
+ )
+
+ for cve, spdx_cve in cves.items():
+ if status == "Patched":
+ pkg_objset.new_vex_patched_relationship(spdx_cve._id, [spdx_package])
+ elif status == "Unpatched":
+ pkg_objset.new_vex_unpatched_relationship(spdx_cve._id, [spdx_package])
+ elif status == "Ignored":
+ pkg_objset.new_vex_ignored_relationship(
+ spdx_cve._id,
+ [spdx_package],
+ impact_statement=d.getVarFlag("CVE_STATUS", cve).split(":", 1)[1],
+ )
+ else:
+ bb.fatal(f"Unknown CVE status {status}")
+
+ bb.debug(1, "Adding package files to SPDX for package %s" % pkg_name)
+ package_files = add_package_files(
+ d,
+ pkg_objset,
+ pkgdest / package,
+ lambda file_counter: pkg_objset.new_spdxid("package", pkg_name, "file", str(file_counter)),
+ # TODO: Can we know the purpose here?
+ lambda filepath: [],
+ ignore_top_level_dirs=['CONTROL', 'DEBIAN'],
+ archive=None,
+ )
+
+ pkg_objset.new_relationship(
+ [spdx_package],
+ oe.spdx30.RelationshipType.contains,
+ sorted(list(package_files)),
+ )
+
+ debug_sources = get_package_sources_from_debug(d, package, package_files, sources, source_hash_cache)
+ debug_source_ids |= set(oe.sbom30.get_element_link_id(d) for d in debug_sources)
+
+ oe.sbom30.write_recipe_jsonld_doc(d, pkg_objset, "packages-staging", deploydir, create_spdx_id_links=False)
+
+ if include_sources:
+ bb.debug(1, "Adding sysroot files to SPDX")
+ sysroot_files = add_package_files(
+ d,
+ build_objset,
+ d.expand("${COMPONENTS_DIR}/${PACKAGE_ARCH}/${PN}"),
+ lambda file_counter: build_objset.new_spdxid("sysroot", str(file_counter)),
+ lambda filepath: [],
+ archive=None,
+ )
+
+ if sysroot_files:
+ build_objset.new_scoped_relationship(
+ [build],
+ oe.spdx30.RelationshipType.hasOutputs,
+ oe.spdx30.LifecycleScopeType.build,
+ sorted(list(sysroot_files)),
+ )
+
+ build_objset.new_scoped_relationship(
+ [build],
+ oe.spdx30.RelationshipType.hasInputs,
+ oe.spdx30.LifecycleScopeType.build,
+ sorted(list(build_inputs)) + sorted(list(debug_source_ids)),
+ )
+
+ oe.sbom30.write_recipe_jsonld_doc(d, build_objset, "recipes", deploydir)
+}
+do_create_spdx[vardepsexclude] += "BB_NUMBER_THREADS"
+# NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
+addtask do_create_spdx after do_populate_sysroot do_package do_packagedata do_unpack do_collect_spdx_deps do_package_write_ipk do_pacakge_write_deb do_package_write_rpm before do_populate_sdk do_build do_rm_work
+
+SSTATETASKS += "do_create_spdx"
+do_create_spdx[sstate-inputdirs] = "${SPDXDEPLOY}"
+do_create_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}"
+
+python do_create_spdx_setscene () {
+ sstate_setscene(d)
+}
+addtask do_create_spdx_setscene
+
+do_create_spdx[dirs] = "${SPDXWORK}"
+do_create_spdx[cleandirs] = "${SPDXDEPLOY} ${SPDXWORK}"
+do_create_spdx[depends] += "${PATCHDEPENDENCY}"
+
+python do_create_package_spdx() {
+ import oe.sbom30
+ import oe.spdx30
+ import oe.packagedata
+ from pathlib import Path
+
+ deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
+ deploydir = Path(d.getVar("SPDXRUNTIMEDEPLOY"))
+ is_native = bb.data.inherits_class("native", d) or bb.data.inherits_class("cross", d)
+
+ providers = collect_package_providers(d)
+ pkg_arch = d.getVar("SSTATE_PKGARCH")
+
+ if not is_native:
+ bb.build.exec_func("read_subpackage_metadata", d)
+
+ dep_package_cache = {}
+
+ # Any element common to all packages that need to be referenced by ID
+ # should be written into this objset set
+ common_objset = oe.sbom30.ObjectSet.new_objset(d, "%s-package-common" % d.getVar("PN"))
+
+ pkgdest = Path(d.getVar("PKGDEST"))
+ for package in d.getVar("PACKAGES").split():
+ bb.debug(1, "Processing package %s" % package)
+ localdata = bb.data.createCopy(d)
+ pkg_name = d.getVar("PKG:%s" % package) or package
+ localdata.setVar("PKG", pkg_name)
+ localdata.setVar('OVERRIDES', d.getVar("OVERRIDES", False) + ":" + package)
+
+ if not oe.packagedata.packaged(package, localdata):
+ continue
+
+ spdx_package, pkg_objset = oe.sbom30.load_obj_in_jsonld(
+ d,
+ pkg_arch,
+ "packages-staging",
+ pkg_name,
+ oe.spdx30.software_Package,
+ software_primaryPurpose=oe.spdx30.software_SoftwarePurpose.install,
+ )
+
+ # We will write out a new collection, so link it to the new
+ # creation info in the common package data. The old creation info
+ # should still exist and be referenced by all the existing elements
+ # in the package
+ pkg_objset.creationInfo = pkg_objset.copy_creation_info(common_objset.doc.creationInfo)
+
+ runtime_spdx_deps = set()
+
+ deps = bb.utils.explode_dep_versions2(localdata.getVar("RDEPENDS") or "")
+ seen_deps = set()
+ for dep, _ in deps.items():
+ if dep in seen_deps:
+ continue
+
+ if dep not in providers:
+ continue
+
+ (dep, _) = providers[dep]
+
+ if not oe.packagedata.packaged(dep, localdata):
+ continue
+
+ dep_pkg_data = oe.packagedata.read_subpkgdata_dict(dep, d)
+ dep_pkg = dep_pkg_data["PKG"]
+
+ if dep in dep_package_cache:
+ dep_spdx_package = dep_package_cache[dep]
+ else:
+ bb.debug(1, "Searching for %s" % dep_pkg)
+ dep_spdx_package, _ = oe.sbom30.find_root_obj_in_jsonld(
+ d,
+ "packages-staging",
+ dep_pkg,
+ oe.spdx30.software_Package,
+ software_primaryPurpose=oe.spdx30.software_SoftwarePurpose.install,
+ )
+ dep_package_cache[dep] = dep_spdx_package
+
+ runtime_spdx_deps.add(dep_spdx_package)
+ seen_deps.add(dep)
+
+ pkg_objset.new_scoped_relationship(
+ [spdx_package],
+ oe.spdx30.RelationshipType.dependsOn,
+ oe.spdx30.LifecycleScopeType.runtime,
+ [oe.sbom30.get_element_link_id(dep) for dep in runtime_spdx_deps],
+ )
+
+ oe.sbom30.write_recipe_jsonld_doc(d, pkg_objset, "packages", deploydir)
+
+ oe.sbom30.write_recipe_jsonld_doc(d, common_objset, "common-package", deploydir)
+}
+
+do_create_package_spdx[vardepsexclude] += "OVERRIDES SSTATE_ARCHS"
+
+addtask do_create_package_spdx after do_create_spdx before do_build do_rm_work
+SSTATETASKS += "do_create_package_spdx"
+do_create_package_spdx[sstate-inputdirs] = "${SPDXRUNTIMEDEPLOY}"
+do_create_package_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}"
+
+python do_create_package_spdx_setscene () {
+ sstate_setscene(d)
+}
+addtask do_create_package_spdx_setscene
+
+do_create_package_spdx[dirs] = "${SPDXRUNTIMEDEPLOY}"
+do_create_package_spdx[cleandirs] = "${SPDXRUNTIMEDEPLOY}"
+do_create_package_spdx[rdeptask] = "do_create_spdx"
+
+python do_create_rootfs_spdx() {
+ import json
+ from pathlib import Path
+ import oe.spdx30
+ import oe.sbom30
+ from datetime import datetime
+
+ deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
+ deploydir = Path(d.getVar("SPDXROOTFSDEPLOY"))
+ root_packages_file = Path(d.getVar("SPDX_ROOTFS_PACKAGES"))
+ image_basename = d.getVar("IMAGE_BASENAME")
+ machine = d.getVar("MACHINE")
+
+ with root_packages_file.open("r") as f:
+ packages = json.load(f)
+
+ objset = oe.sbom30.ObjectSet.new_objset(d, "%s-%s" % (image_basename, machine))
+
+ rootfs = objset.add_root(oe.spdx30.software_SoftwareArtifact(
+ _id=objset.new_spdxid("rootfs", image_basename),
+ creationInfo=objset.doc.creationInfo,
+ name=image_basename,
+ software_primaryPurpose=oe.spdx30.software_SoftwarePurpose.archive,
+ builtTime=oe.sbom30.spdx_now()
+ ))
+
+ rootfs_build = objset.add_root(objset.new_sub_build("rootfs", "rootfs"))
+ rootfs_build.build_buildEndTime = oe.sbom30.spdx_now()
+
+ objset.new_scoped_relationship(
+ [rootfs_build],
+ oe.spdx30.RelationshipType.hasOutputs,
+ oe.spdx30.LifecycleScopeType.build,
+ [rootfs],
+ )
+
+ collect_build_package_inputs(d, objset, rootfs_build, packages)
+
+ oe.sbom30.write_recipe_jsonld_doc(d, objset, "rootfs", deploydir)
+}
+addtask do_create_rootfs_spdx after do_rootfs before do_image
+SSTATETASKS += "do_create_rootfs_spdx"
+do_create_rootfs_spdx[sstate-inputdirs] = "${SPDXROOTFSDEPLOY}"
+do_create_rootfs_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}"
+do_create_rootfs_spdx[recrdeptask] += "do_create_spdx do_create_package_spdx"
+do_create_rootfs_spdx[cleandirs] += "${SPDXROOTFSDEPLOY}"
+
+python do_create_rootfs_spdx_setscene() {
+ sstate_setscene(d)
+}
+addtask do_create_rootfs_spdx_setscene
+
+python do_create_image_spdx() {
+ import oe.spdx30
+ import oe.sbom30
+ import json
+ from pathlib import Path
+
+ image_deploy_dir = Path(d.getVar('IMGDEPLOYDIR'))
+ manifest_path = Path(d.getVar("IMAGE_FILE_MANIFEST"))
+ spdx_work_dir = Path(d.getVar('SPDXIMAGEWORK'))
+
+ image_basename = d.getVar('IMAGE_BASENAME')
+ machine = d.getVar("MACHINE")
+
+ objset = oe.sbom30.ObjectSet.new_objset(d, "%s-%s" % (image_basename, machine))
+
+ with manifest_path.open("r") as f:
+ manifest = json.load(f)
+
+ builds = []
+ for task in manifest:
+ imagetype = task["imagetype"]
+ taskname = task["taskname"]
+
+ image_build = objset.add_root(objset.new_sub_build(taskname, "image/%s" % imagetype))
+ image_build.build_buildEndTime = oe.sbom30.spdx_now()
+ builds.append(image_build)
+
+ artifacts = []
+
+ for image in task["images"]:
+ image_filename = image["filename"]
+ image_path = image_deploy_dir / image_filename
+ a = objset.add_root(oe.spdx30.software_File(
+ _id=objset.new_spdxid("image", image_filename),
+ creationInfo=objset.doc.creationInfo,
+ name=image_filename,
+ builtTime=oe.sbom30.spdx_now()
+ ))
+ set_purposes(d, a, "SPDX_IMAGE_PURPOSE:%s" % imagetype, "SPDX_IMAGE_PURPOSE")
+ add_hashes(d, a, image_path)
+
+ artifacts.append(a)
+
+ if artifacts:
+ objset.new_scoped_relationship(
+ [image_build],
+ oe.spdx30.RelationshipType.hasOutputs,
+ oe.spdx30.LifecycleScopeType.build,
+ artifacts,
+ )
+
+ if builds:
+ rootfs_image, _ = oe.sbom30.find_root_obj_in_jsonld(
+ d,
+ "rootfs",
+ "%s-%s" % (image_basename, machine),
+ oe.spdx30.software_SoftwareArtifact,
+ # TODO: Should use a purpose to filter here?
+ )
+ objset.new_scoped_relationship(
+ builds,
+ oe.spdx30.RelationshipType.hasInputs,
+ oe.spdx30.LifecycleScopeType.build,
+ [rootfs_image._id],
+ )
+
+ objset.add_aliases()
+ objset.link()
+ oe.sbom30.write_recipe_jsonld_doc(d, objset, "image", spdx_work_dir)
+}
+addtask do_create_image_spdx after do_image_complete do_create_rootfs_spdx before do_build
+SSTATETASKS += "do_create_image_spdx"
+SSTATE_SKIP_CREATION:task-combine-image-type-spdx = "1"
+do_create_image_spdx[sstate-inputdirs] = "${SPDXIMAGEWORK}"
+do_create_image_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}"
+do_create_image_spdx[cleandirs] = "${SPDXIMAGEWORK}"
+do_create_image_spdx[dirs] = "${SPDXIMAGEWORK}"
+
+python do_create_image_spdx_setscene() {
+ sstate_setscene(d)
+}
+addtask do_create_image_spdx_setscene
+
+
+python do_create_image_sbom() {
+ import os
+ from pathlib import Path
+ import oe.spdx30
+ import oe.sbom30
+
+ image_name = d.getVar("IMAGE_NAME")
+ image_basename = d.getVar("IMAGE_BASENAME")
+ image_link_name = d.getVar("IMAGE_LINK_NAME")
+ imgdeploydir = Path(d.getVar("SPDXIMAGEDEPLOYDIR"))
+ machine = d.getVar("MACHINE")
+
+ spdx_path = imgdeploydir / (image_name + ".spdx.json")
+
+ root_elements = []
+
+ # TODO: Do we need to add the rootfs or are the image files sufficient?
+ rootfs_image, _ = oe.sbom30.find_root_obj_in_jsonld(
+ d,
+ "rootfs",
+ "%s-%s" % (image_basename, machine),
+ oe.spdx30.software_SoftwareArtifact,
+ # TODO: Should use a purpose here?
+ )
+ root_elements.append(rootfs_image._id)
+
+ image_objset, _ = oe.sbom30.find_jsonld(d, "image", "%s-%s" % (image_basename, machine), required=True)
+ for o in image_objset.foreach_root(oe.spdx30.software_File):
+ root_elements.append(o._id)
+
+ objset, sbom = oe.sbom30.create_sbom(d, image_name, root_elements)
+
+ oe.sbom30.write_jsonld_doc(d, objset, spdx_path)
+
+ def make_image_link(target_path, suffix):
+ if image_link_name:
+ link = imgdeploydir / (image_link_name + suffix)
+ if link != target_path:
+ link.symlink_to(os.path.relpath(target_path, link.parent))
+
+ make_image_link(spdx_path, ".spdx.json")
+}
+addtask do_create_image_sbom after do_create_rootfs_spdx do_create_image_spdx before do_build
+SSTATETASKS += "do_create_image_sbom"
+SSTATE_SKIP_CREATION:task-create-image-sbom = "1"
+do_create_image_sbom[sstate-inputdirs] = "${SPDXIMAGEDEPLOYDIR}"
+do_create_image_sbom[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
+do_create_image_sbom[stamp-extra-info] = "${MACHINE_ARCH}"
+do_create_image_sbom[cleandirs] = "${SPDXIMAGEDEPLOYDIR}"
+
+python do_create_image_sbom_setscene() {
+ sstate_setscene(d)
+}
+addtask do_create_image_sbom_setscene
+
+do_populate_sdk[recrdeptask] += "do_create_spdx do_create_package_spdx"
+do_populate_sdk[cleandirs] += "${SPDXSDKWORK}"
+do_populate_sdk[postfuncs] += "sdk_create_sbom"
+POPULATE_SDK_POST_HOST_COMMAND:append:task-populate-sdk = " sdk_host_create_spdx"
+POPULATE_SDK_POST_TARGET_COMMAND:append:task-populate-sdk = " sdk_target_create_spdx"
+
+python sdk_host_create_spdx() {
+ sdk_create_spdx(d, "host")
+}
+
+python sdk_target_create_spdx() {
+ sdk_create_spdx(d, "target")
+}
+
+def sdk_create_spdx(d, sdk_type):
+ from pathlib import Path
+ from oe.sdk import sdk_list_installed_packages
+ import oe.spdx30
+ import oe.sbom30
+ from datetime import datetime
+
+ sdk_name = d.getVar("TOOLCHAIN_OUTPUTNAME") + "-" + sdk_type
+ sdk_packages = sdk_list_installed_packages(d, sdk_type == "target")
+ spdx_work_dir = Path(d.getVar('SPDXSDKWORK'))
+
+ objset = oe.sbom30.ObjectSet.new_objset(d, sdk_name)
+
+ sdk_rootfs = objset.add_root(oe.spdx30.software_SoftwareArtifact(
+ _id=objset.new_spdxid("sdk-rootfs", sdk_name),
+ creationInfo=objset.doc.creationInfo,
+ name=sdk_name,
+ softwre_primaryPurpose=oe.spdx30.software_SoftwarePurpose.archive,
+ builtTime=oe.sbom30.spdx_now(),
+ ))
+
+ sdk_build = objset.add_root(objset.new_sub_build("sdk-rootfs", "sdk-rootfs"))
+ sdk_build.build_buildEndTime = oe.sbom30.spdx_now()
+
+ objset.new_scoped_relationship(
+ [sdk_build],
+ oe.spdx30.RelationshipType.hasOutputs,
+ oe.spdx30.LifecycleScopeType.build,
+ [sdk_rootfs],
+ )
+
+ collect_build_package_inputs(d, objset, sdk_build, sdk_packages)
+
+ objset.add_aliases()
+ oe.sbom30.write_jsonld_doc(d, objset, spdx_work_dir / "sdk-rootfs.spdx.json")
+
+python sdk_create_sbom() {
+ import oe.spdx30
+ import oe.sbom30
+ from pathlib import Path
+ from datetime import datetime
+
+ toolchain_outputname = d.getVar("TOOLCHAIN_OUTPUTNAME")
+ sdk_filename = toolchain_outputname + ".sh"
+ sdk_deploydir = Path(d.getVar("SDKDEPLOYDIR"))
+ spdx_work_dir = Path(d.getVar('SPDXSDKWORK'))
+
+ # Load the document written earlier
+ rootfs_objset = oe.sbom30.load_jsonld(d, spdx_work_dir / "sdk-rootfs.spdx.json", required=True)
+
+ # Create a new build for the SDK installer
+ sdk_build = rootfs_objset.new_sub_build("sdk-populate", "sdk-populate")
+ sdk_build.buildEndTime = oe.sbom30.spdx_now()
+
+ rootfs = rootfs_objset.find_root(oe.spdx30.software_SoftwareArtifact)
+ if rootfs is None:
+ bb.fatal("Unable to find rootfs artifact")
+
+ rootfs_objset.new_scoped_relationship(
+ [sdk_build],
+ oe.spdx30.RelationshipType.hasInputs,
+ oe.spdx30.LifecycleScopeType.build,
+ [rootfs]
+ )
+
+ # Create a file for the SDK installer
+ sdk_installer = objset.add(oe.spdx30.software_File(
+ _id=objset.new_spdxid("sdk-installer", toolchain_outputname),
+ creationInfo=rootfs_objset.doc.creationInfo,
+ name=sdk_filename,
+ builtTime=oe.sbom30.spdx_now(),
+ ))
+ set_purposes(d, sdk_installer, "SPDX_SDK_PURPOSE")
+ add_hashes(d, sdk_installer, sdk_deploydir / sdk_filename)
+
+ rootfs_objset.new_scoped_relationship(
+ [sdk_build],
+ oe.spdx30.RelationshipType.hasOutputs,
+ oe.spdx30.LifecycleScopeType.build,
+ [sdk_installer],
+ )
+
+ objset, sbom = oe.sbom30.create_sbom(d, sdk_filename, [sdk_installer], [rootfs_objset])
+
+ oe.sbom30.write_jsonld_doc(d, objset, sdk_deploydir / (toolchain_outputname + ".spdx.json"))
+}
+
+python spdx30_build_started_handler () {
+ import oe.spdx30
+ import oe.sbom30
+ import os
+ from pathlib import Path
+
+ # Create a copy of the datastore. Set PN to "bitbake" so that SPDX IDs can
+ # be generated
+ d = e.data.createCopy()
+ d.setVar("PN", "bitbake")
+ d.setVar("BB_TASKHASH", "bitbake")
+ load_spdx_license_data(d)
+
+ deploy_dir_spdx = Path(e.data.getVar("DEPLOY_DIR_SPDX"))
+
+ nonce = os.urandom(16).hex()
+
+ objset = oe.sbom30.ObjectSet.new_objset(d, "bitbake", False)
+
+ build = objset.add_root(oe.spdx30.build_Build(
+ _id=objset.new_spdxid(nonce, include_unihash=False),
+ creationInfo=objset.doc.creationInfo,
+ build_buildType=oe.sbom30.SPDX_BUILD_TYPE,
+ build_buildStartTime=oe.sbom30.spdx_now()
+ ))
+
+ host_import_key = d.getVar("SPDX_BUILD_HOST")
+ if host_import_key:
+ objset.new_scoped_relationship(
+ [build],
+ oe.spdx30.RelationshipType.hasHost,
+ oe.spdx30.LifecycleScopeType.build,
+ [objset.new_import("SPDX_BUILD_HOST")],
+ )
+
+ invoked_by = objset.new_agent("SPDX_INVOKED_BY")
+ if invoked_by:
+ invoked_by_spdx = objset.new_scoped_relationship(
+ [build],
+ oe.spdx30.RelationshipType.invokedBy,
+ oe.spdx30.LifecycleScopeType.build,
+ [invoked_by],
+ )
+
+ on_behalf_of = objset.new_agent("SPDX_ON_BEHALF_OF")
+ if on_behalf_of:
+ objset.new_scoped_relationship(
+ [on_behalf_of],
+ oe.spdx30.RelationshipType.delegatedTo,
+ oe.spdx30.LifecycleScopeType.build,
+ invoked_by_spdx,
+ )
+
+ for obj in objset.foreach_type(oe.spdx30.Element):
+ obj.extension.append(oe.sbom30.OELinkExtension(link_spdx_id=False))
+ obj.extension.append(oe.sbom30.OEIdAliasExtension())
+
+ oe.sbom30.write_jsonld_doc(d, objset, deploy_dir_spdx / "bitbake.spdx.json")
+}
+
+addhandler spdx30_build_started_handler
+spdx30_build_started_handler[eventmask] = "bb.event.ConfigParsed"
+
@@ -16,13 +16,17 @@ SPDXDIR ??= "${WORKDIR}/spdx/${SPDX_VERSION}"
SPDXDEPLOY = "${SPDXDIR}/deploy"
SPDXWORK = "${SPDXDIR}/work"
SPDXIMAGEWORK = "${SPDXDIR}/image-work"
+SPDXROOTFSWORK = "${SPDXDIR}/rootfs-work"
SPDXSDKWORK = "${SPDXDIR}/sdk-work"
SPDXDEPS = "${SPDXDIR}/deps.json"
+SPDXIMAGEDEPLOYDIR = "${SPDXDIR}/image-deploy"
+SPDX_ROOTFS_PACKAGES = "${SPDXDIR}/rootfs-packages.json"
SPDX_TOOL_NAME ??= "oe-spdx-creator"
SPDX_TOOL_VERSION ??= "1.0"
SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
+SPDXROOTFSDEPLOY = "${SPDXDIR}/rootfs-deploy"
SPDX_INCLUDE_SOURCES ??= "0"
SPDX_ARCHIVE_SOURCES ??= "0"
@@ -68,7 +72,7 @@ def get_json_indent(d):
return 2
return None
-python() {
+def load_spdx_license_data(d):
import json
if d.getVar("SPDX_LICENSE_DATA"):
return
@@ -78,6 +82,9 @@ python() {
# Transform the license array to a dictionary
data["licenses"] = {l["licenseId"]: l for l in data["licenses"]}
d.setVar("SPDX_LICENSE_DATA", data)
+
+python() {
+ load_spdx_license_data(d)
}
def process_sources(d):
@@ -255,3 +262,19 @@ def spdx_get_src(d):
spdx_get_src[vardepsexclude] += "STAGING_KERNEL_DIR"
+
+python spdx_collect_rootfs_packages() {
+ import json
+ from pathlib import Path
+ from oe.rootfs import image_list_installed_packages
+
+ root_packages_file = Path(d.getVar("SPDX_ROOTFS_PACKAGES"))
+
+ packages = image_list_installed_packages(d)
+
+ root_packages_file.parent.mkdir(parents=True, exist_ok=True)
+ with root_packages_file.open("w") as f:
+ json.dump(packages, f)
+}
+ROOTFS_POSTUNINSTALL_COMMAND =+ "spdx_collect_rootfs_packages"
+
new file mode 100644
@@ -0,0 +1,993 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+from pathlib import Path
+
+import oe.spdx30
+import bb
+import re
+import hashlib
+import uuid
+from datetime import datetime, timezone
+
+OE_SPDX_BASE = "https://rdf.openembedded.org/spdx/3.0/"
+
+VEX_VERSION = "1.0.0"
+
+SPDX_BUILD_TYPE = "http://openembedded.org/bitbake"
+
+
+@oe.spdx30.register(OE_SPDX_BASE + "link-extension")
+class OELinkExtension(oe.spdx30.extension_Extension):
+ """
+ This custom extension controls if an Element creates a symlink based on
+ its SPDX ID in the deploy directory. Some elements may not be able to be
+ linked because they are duplicated in multiple documents (e.g. the bitbake
+ Build Element). Those elements can add this extension and set link_spdx_id
+ to False
+
+ It is in internal extension that should be removed when writing out a final
+ SBoM
+ """
+
+ CLOSED = True
+ INTERNAL = True
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ cls._add_property(
+ "link_spdx_id",
+ oe.spdx30.BooleanProp(),
+ OE_SPDX_BASE + "link-spdx-id",
+ min_count=1,
+ max_count=1,
+ )
+
+ # The symlinks written to the deploy directory are based on the hash of
+ # the SPDX ID. While this makes it easy to look them up, it can be
+ # difficult to trace a Element to the hashed symlink name. As a
+ # debugging aid, this property is set to the basename of the symlink
+ # when the symlink is created to make it easier to trace
+ cls._add_property(
+ "link_name",
+ oe.spdx30.StringProp(),
+ OE_SPDX_BASE + "link-name",
+ max_count=1,
+ )
+
+
+@oe.spdx30.register(OE_SPDX_BASE + "id-alias")
+class OEIdAliasExtension(oe.spdx30.extension_Extension):
+ """
+ This extension allows an Element to provide an internal alias for the SPDX
+ ID. Since SPDX requires unique URIs for each SPDX ID, most of the objects
+ created have a unique UUID namespace and the unihash of the task encoded in
+ their SPDX ID. However, this causes a problem for referencing documents
+ across recipes, since the taskhash of a dependency may not factor into the
+ taskhash of the current task and thus the current task won't rebuild and
+ see the new SPDX ID when the dependency changes (e.g. ABI safe recipes and
+ tasks).
+
+ To help work around this, this extension provides a non-unique alias for an
+ Element by which it can be referenced from other tasks/recipes. When a
+ final SBoM is created, references to these aliases will be replaced with
+ the actual unique SPDX ID.
+
+ Most Elements will automatically get an alias created when they are written
+ out if they do not already have one. To suppress the creation of an alias,
+ add an extension with a blank `alias` property.
+
+
+ It is in internal extension that should be removed when writing out a final
+ SBoM
+ """
+
+ CLOSED = True
+ INTERNAL = True
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ cls._add_property(
+ "alias",
+ oe.spdx30.StringProp(),
+ OE_SPDX_BASE + "alias",
+ max_count=1,
+ )
+
+ cls._add_property(
+ "link_name",
+ oe.spdx30.StringProp(),
+ OE_SPDX_BASE + "link-name",
+ max_count=1,
+ )
+
+
+@oe.spdx30.register(OE_SPDX_BASE + "document-extension")
+class OEDocumentExtension(oe.spdx30.extension_Extension):
+ """
+ This extension is added to a SpdxDocument to indicate various useful bits
+ of information about its contents
+ """
+
+ CLOSED = True
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ cls._add_property(
+ "is_native",
+ oe.spdx30.BooleanProp(),
+ OE_SPDX_BASE + "is-native",
+ max_count=1,
+ )
+
+
+def spdxid_hash(*items):
+ h = hashlib.md5()
+ for i in items:
+ if isinstance(i, oe.spdx30.Element):
+ h.update(i._id.encode("utf-8"))
+ else:
+ h.update(i.encode("utf-8"))
+ return h.hexdigest()
+
+
+def spdx_now():
+ return datetime.now(timezone.utc)
+
+
+def get_element_link_id(e):
+ """
+ Get the string ID which should be used to link to an Element. If the
+ element has an alias, that will be preferred, otherwise its SPDX ID will be
+ used.
+ """
+ ext = get_alias(e)
+ if ext is not None and ext.alias:
+ return ext.alias
+ return e._id
+
+
+def set_alias(obj, alias):
+ for ext in obj.extension:
+ if not isinstance(ext, OEIdAliasExtension):
+ continue
+ ext.alias = alias
+ return ext
+
+ ext = OEIdAliasExtension(alias=alias)
+ obj.extension.append(ext)
+ return ext
+
+
+def get_alias(obj):
+ for ext in obj.extension:
+ if not isinstance(ext, OEIdAliasExtension):
+ continue
+ return ext
+
+ return None
+
+
+class ObjectSet(oe.spdx30.SHACLObjectSet):
+ def __init__(self, d):
+ super().__init__()
+ self.d = d
+
+ def add_index(self, obj):
+ # Check that all elements are given an ID before being inserted
+ if isinstance(obj, oe.spdx30.Element):
+ if not obj._id:
+ raise ValueError("Element missing ID")
+ for ext in obj.extension:
+ if not isinstance(ext, OEIdAliasExtension):
+ continue
+ if ext.alias:
+ self.obj_by_id[ext.alias] = obj
+
+ super().add_index(obj)
+ if isinstance(obj, oe.spdx30.SpdxDocument):
+ self.doc = obj
+
+ def __filter_obj(self, obj, attr_filter):
+ for k, v in attr_filter.items():
+ if getattr(obj, k) != v:
+ return False
+ return True
+
+ def foreach_filter(self, typ, *, match_subclass=True, **attr_filter):
+ for obj in self.foreach_type(typ, match_subclass=match_subclass):
+ if self.__filter_obj(obj, attr_filter):
+ yield obj
+
+ def find_filter(self, typ, *, match_subclass=True, **attr_filter):
+ for obj in self.foreach_filter(
+ typ, match_subclass=match_subclass, **attr_filter
+ ):
+ return obj
+ return None
+
+ def foreach_root(self, typ, **attr_filter):
+ for obj in self.doc.rootElement:
+ if not isinstance(obj, typ):
+ continue
+
+ if self.__filter_obj(obj, attr_filter):
+ yield obj
+
+ def find_root(self, typ, **attr_filter):
+ for obj in self.foreach_root(typ, **attr_filter):
+ return obj
+ return None
+
+ def add_root(self, obj):
+ self.add(obj)
+ self.doc.rootElement.append(obj)
+ return obj
+
+ def is_native(self):
+ for e in self.doc.extension:
+ if not isinstance(e, oe.sbom30.OEDocumentExtension):
+ continue
+
+ if e.is_native is not None:
+ return e.is_native
+
+ return False
+
+ def set_is_native(self, is_native):
+ for e in self.doc.extension:
+ if not isinstance(e, oe.sbom30.OEDocumentExtension):
+ continue
+
+ e.is_native = is_native
+ return
+
+ if is_native:
+ self.doc.extension.append(oe.sbom30.OEDocumentExtension(is_native=True))
+
+ def add_aliases(self):
+ for o in self.foreach_type(oe.spdx30.Element):
+ if not o._id or o._id.startswith("_:"):
+ continue
+
+ alias_ext = get_alias(o)
+ if alias_ext is None:
+ unihash = self.d.getVar("BB_UNIHASH")
+ namespace = self.get_namespace()
+ if unihash not in o._id:
+ bb.warn(f"Unihash {unihash} not found in {o._id}")
+ elif namespace not in o._id:
+ bb.warn(f"Namespace {namespace} not found in {o._id}")
+ else:
+ alias_ext = set_alias(
+ o,
+ o._id.replace(unihash, "UNIHASH").replace(
+ namespace, self.d.getVar("PN")
+ ),
+ )
+
+ def remove_internal_extensions(self):
+ def remove(o):
+ o.extension = [e for e in o.extension if not getattr(e, "INTERNAL", False)]
+
+ for o in self.foreach_type(oe.spdx30.Element):
+ remove(o)
+
+ if self.doc:
+ remove(self.doc)
+
+ def get_namespace(self):
+ namespace_uuid = uuid.uuid5(
+ uuid.NAMESPACE_DNS, self.d.getVar("SPDX_UUID_NAMESPACE")
+ )
+ pn = self.d.getVar("PN")
+ return "%s/%s-%s" % (
+ self.d.getVar("SPDX_NAMESPACE_PREFIX"),
+ pn,
+ str(uuid.uuid5(namespace_uuid, pn)),
+ )
+
+ def new_spdxid(self, *suffix, include_unihash=True):
+ items = [self.get_namespace()]
+ if include_unihash:
+ unihash = self.d.getVar("BB_UNIHASH")
+ items.append(unihash)
+ items.extend(re.sub(r"[^a-zA-Z0-9_-]", "_", s) for s in suffix)
+ return "/".join(items)
+
+ def new_import(self, key):
+ base = f"SPDX_IMPORTS_{key}"
+ spdxid = self.d.getVar(f"{base}_spdxid")
+ if not spdxid:
+ bb.fatal(f"{key} is not a valid SPDX_IMPORTS key")
+
+ for i in self.docs.imports:
+ if i.externalSpdxId == spdxid:
+ # Already imported
+ return spdxid
+
+ m = oe.spdx30.ExternalMap(externalSpdxId=spdxid)
+
+ uri = self.d.getVar(f"{base}_uri")
+ if uri:
+ m.locationHint = uri
+
+ for pyname, algorithm in oe.spdx30.HashAlgorithm.NAMED_INDIVIDUALS.items():
+ value = self.d.getVar(f"{base}_hash_{pyname}")
+ if value:
+ m.verifiedUsing.append(
+ oe.spdx30.Hash(
+ algorithm=algorithm,
+ hashValue=value,
+ )
+ )
+
+ self.doc.imports.append(m)
+ return spdxid
+
+ def new_agent(self, varname, *, creation_info=None):
+ ref_varname = self.d.getVar(f"{varname}_ref")
+ if ref_varname:
+ if ref_varname == varname:
+ bb.fatal(f"{varname} cannot reference itself")
+ return new_agent(varname, creation_info=creation_info)
+
+ import_key = self.d.getVar(f"{varname}_import")
+ if import_key:
+ return self.new_import(import_key)
+
+ name = self.d.getVar(f"{varname}_name")
+ if not name:
+ return None
+
+ spdxid = self.new_spdxid("agent", name)
+ agent = self.find_by_id(spdxid)
+ if agent is not None:
+ return agent
+
+ agent_type = self.d.getVar("%s_type" % varname)
+ if agent_type == "person":
+ agent = oe.spdx30.Person()
+ elif agent_type == "software":
+ agent = oe.spdx30.SoftwareAgent()
+ elif agent_type == "organization":
+ agent = oe.spdx30.Organization()
+ elif not agent_type or agent_type == "agent":
+ agent = oe.spdx30.Agent()
+ else:
+ bb.fatal("Unknown agent type '%s' in %s_type" % (agent_type, varname))
+
+ agent._id = spdxid
+ agent.creationInfo = creation_info or self.doc.creationInfo
+ agent.name = name
+
+ comment = self.d.getVar("%s_comment" % varname)
+ if comment:
+ agent.comment = comment
+
+ for (
+ pyname,
+ idtype,
+ ) in oe.spdx30.ExternalIdentifierType.NAMED_INDIVIDUALS.items():
+ value = self.d.getVar("%s_id_%s" % (varname, pyname))
+ if value:
+ agent.externalIdentifier.append(
+ oe.spdx30.ExternalIdentifier(
+ externalIdentifierType=idtype,
+ identifier=value,
+ )
+ )
+
+ return self.add(agent)
+
+ def new_creation_info(self):
+ creation_info = oe.spdx30.CreationInfo()
+
+ name = "%s %s" % (
+ self.d.getVar("SPDX_TOOL_NAME"),
+ self.d.getVar("SPDX_TOOL_VERSION"),
+ )
+ tool = self.add(
+ oe.spdx30.Tool(
+ _id=self.new_spdxid("tool", name),
+ creationInfo=creation_info,
+ name=name,
+ )
+ )
+
+ authors = []
+ for a in self.d.getVar("SPDX_AUTHORS").split():
+ varname = "SPDX_AUTHORS_%s" % a
+ author = self.new_agent(varname, creation_info=creation_info)
+
+ if not author:
+ bb.fatal("Unable to find or create author %s" % a)
+
+ authors.append(author)
+
+ creation_info.created = spdx_now()
+ creation_info.specVersion = self.d.getVar("SPDX_VERSION")
+ creation_info.createdBy = authors
+ creation_info.createdUsing = [tool]
+
+ return creation_info
+
+ def copy_creation_info(self, copy):
+ c = oe.spdx30.CreationInfo(
+ created=spdx_now(),
+ specVersion=self.d.getVar("SPDX_VERSION"),
+ )
+
+ for author in copy.createdBy:
+ if isinstance(author, str):
+ c.createdBy.append(author)
+ else:
+ c.createdBy.append(author._id)
+
+ for tool in copy.createdUsing:
+ if isinstance(tool, str):
+ c.createdUsing.append(tool)
+ else:
+ c.createdUsing.append(tool._id)
+
+ return c
+
+ def new_annotation(self, subject, comment, typ):
+ return self.add(
+ oe.spdx30.Annotation(
+ _id=self.new_spdxid("annotation", spdxid_hash(comment, typ)),
+ creationInfo=self.doc.creationInfo,
+ annotationType=typ,
+ subject=subject,
+ statement=comment,
+ )
+ )
+
+ def new_relationship(self, from_, typ, to):
+ if isinstance(from_, set):
+ from_ = sorted(list(from_))
+
+ if isinstance(to, set):
+ to = sorted(list(to))
+
+ if not isinstance(from_, (list, tuple)):
+ raise TypeError("From must be a list or tuple. Got %s" % type(from_))
+
+ if not to or not from_:
+ return
+
+ ret = []
+
+ for f in from_:
+ relationship = self.add(
+ oe.spdx30.Relationship(
+ _id=self.new_spdxid("relationship", spdxid_hash(typ, f, *to)),
+ creationInfo=self.doc.creationInfo,
+ from_=f,
+ relationshipType=typ,
+ to=to,
+ )
+ )
+ ret.append(relationship)
+
+ return ret
+
+ def new_scoped_relationship(self, from_, typ, scope, to):
+ if not isinstance(from_, (list, tuple)):
+ raise TypeError("From must be a list or tuple. Got %s" % type(from_))
+
+ if not to or not from_:
+ return []
+
+ ret = []
+
+ for f in from_:
+ relationship = self.add(
+ oe.spdx30.LifecycleScopedRelationship(
+ _id=self.new_spdxid(
+ "relationship", spdxid_hash(typ, scope, f, *to)
+ ),
+ creationInfo=self.doc.creationInfo,
+ from_=f,
+ relationshipType=typ,
+ scope=scope,
+ to=to,
+ )
+ )
+ ret.append(relationship)
+
+ return ret
+
+ def new_license_expression(self, license_expression, license_text_map={}):
+ license_list_version = self.d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
+ # SPDX 3 requires that the license list version be a semver
+ # MAJOR.MINOR.MICRO, but the actual license version is only MAJOR.MINOR
+ # (as of this writing). As such, manually append a .0 micro version if
+ # its missing to keep SPDX happy
+ if license_list_version.count(".") < 3:
+ license_list_version += ".0"
+
+ spdxid = [
+ "license",
+ license_list_version,
+ re.sub(r"[^a-zA-Z0-9_-]", "_", license_expression),
+ ]
+
+ license_text = (
+ (k, license_text_map[k]) for k in sorted(license_text_map.keys())
+ )
+
+ if not license_text_map:
+ lic = self.find_filter(
+ oe.spdx30.simplelicensing_LicenseExpression,
+ simplelicensing_licenseExpression=license_expression,
+ simplelicensing_licenseListVersion=license_list_version,
+ )
+ if lic is not None:
+ return lic
+ else:
+ spdxid.append(spdxid_hash(*(v for _, v in license_text)))
+
+ lic = self.add(
+ oe.spdx30.simplelicensing_LicenseExpression(
+ _id=self.new_spdxid(*spdxid),
+ creationInfo=self.doc.creationInfo,
+ simplelicensing_licenseExpression=license_expression,
+ simplelicensing_licenseListVersion=license_list_version,
+ )
+ )
+
+ for key, value in license_text:
+ lic.simplelicensing_customIdToUri.append(
+ oe.spdx30.DictionaryEntry(key=key, value=value)
+ )
+
+ return lic
+
+ def new_cve_vuln(self, cve):
+ v = oe.spdx30.security_Vulnerability()
+ v._id = self.new_spdxid("vulnerability", cve)
+ v.creationInfo = self.doc.creationInfo
+
+ v.externalIdentifier.append(
+ oe.spdx30.ExternalIdentifier(
+ externalIdentifierType=oe.spdx30.ExternalIdentifierType.cve,
+ identifier=cve,
+ identifierLocator=[
+ f"https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve}",
+ f"https://www.cve.org/CVERecord?id={cve}",
+ ],
+ )
+ )
+ return self.add(v)
+
+ def new_vex_patched_relationship(self, from_, to):
+ self.add(
+ oe.spdx30.security_VexFixedVulnAssessmentRelationship(
+ _id=self.new_spdxid("vex-fixed", spdxid_hash(from_, *to)),
+ creationInfo=self.doc.creationInfo,
+ from_=from_,
+ relationshipType=oe.spdx30.RelationshipType.fixedIn,
+ to=to,
+ security_vexVersion=VEX_VERSION,
+ )
+ )
+
+ def new_vex_unpatched_relationship(self, from_, to):
+ self.add(
+ oe.spdx30.security_VexAffectedVulnAssessmentRelationship(
+ _id=self.new_spdxid("vex-affected", spdxid_hash(from_, *to)),
+ creationInfo=self.doc.creationInfo,
+ from_=from_,
+ relationshipType=oe.spdx30.RelationshipType.affects,
+ to=to,
+ security_vexVersion=VEX_VERSION,
+ )
+ )
+
+ def new_vex_ignored_relationship(self, from_, to, *, impact_statement):
+ self.add(
+ oe.spdx30.security_VexNotAffectedVulnAssessmentRelationship(
+ _id=self.new_spdxid(
+ "vex-not-affected", spdxid_hash(impact_statement, from_, *to)
+ ),
+ creationInfo=self.doc.creationInfo,
+ from_=from_,
+ relationshipType=oe.spdx30.RelationshipType.doesNotAffect,
+ to=to,
+ security_vexVersion=VEX_VERSION,
+ security_impactStatement=impact_statement,
+ )
+ )
+
+ def import_bitbake_build(self):
+ def find_bitbake_build(objset):
+ return objset.find_filter(
+ oe.spdx30.build_Build,
+ build_buildType=SPDX_BUILD_TYPE,
+ )
+
+ build = find_bitbake_build(self)
+ if build:
+ return build
+
+ deploy_dir_spdx = Path(self.d.getVar("DEPLOY_DIR_SPDX"))
+ bb_objset = load_jsonld(
+ self.d, deploy_dir_spdx / "bitbake.spdx.json", required=True
+ )
+
+ build = find_bitbake_build(bb_objset)
+ if build is None:
+ bb.fatal(f"No build found in {deploy_dir_spdx}")
+
+ self.doc.imports.extend(bb_objset.doc.imports)
+ self.update(bb_objset.objects)
+
+ return build
+
+ def new_sub_build(self, name, typ):
+ build = self.add(
+ oe.spdx30.build_Build(
+ _id=self.new_spdxid("build", name),
+ creationInfo=self.doc.creationInfo,
+ name="%s-%s" % (self.d.getVar("PN"), name),
+ build_buildType="%s/%s" % (SPDX_BUILD_TYPE, typ),
+ )
+ )
+
+ bitbake_build = self.import_bitbake_build()
+
+ self.new_relationship(
+ [bitbake_build],
+ oe.spdx30.RelationshipType.ancestorOf,
+ [build],
+ )
+
+ if self.d.getVar("SPDX_INCLUDE_BUILD_VARIABLES") == "1":
+ for varname in sorted(self.d.keys()):
+ if varname.startswith("__"):
+ continue
+
+ value = self.d.getVar(varname, expand=False)
+
+ # TODO: Deal with non-string values
+ if not isinstance(value, str):
+ continue
+
+ build.parameters.append(
+ oe.spdx30.DictionaryEntry(key=varname, value=value)
+ )
+
+ return build
+
+ def new_archive(self, archive_name):
+ return self.add(
+ oe.spdx30.software_File(
+ _id=self.new_spdxid("archive", str(archive_name)),
+ creationInfo=self.doc.creationInfo,
+ name=str(archive_name),
+ software_primaryPurpose=oe.spdx30.software_SoftwarePurpose.archive,
+ )
+ )
+
+ @classmethod
+ def new_objset(cls, d, name, copy_from_bitbake_doc=True):
+ objset = cls(d)
+
+ document = oe.spdx30.SpdxDocument(
+ _id=objset.new_spdxid("document", name),
+ name=name,
+ )
+ document.extension.append(OEIdAliasExtension())
+ document.extension.append(OELinkExtension(link_spdx_id=False))
+ objset.doc = document
+
+ if copy_from_bitbake_doc:
+ build = objset.import_bitbake_build()
+ document.creationInfo = objset.copy_creation_info(build.creationInfo)
+ else:
+ document.creationInfo = objset.new_creation_info()
+
+ return objset
+
+ def expand_collection(self, *, add_objectsets=[]):
+ """
+ Expands a collection to pull in all missing elements
+
+ Returns the set of ids that could not be found to link into the document
+ """
+ missing_spdxids = set()
+ imports = {e.externalSpdxId: e for e in self.doc.imports}
+
+ def merge_doc(other):
+ nonlocal imports
+
+ for e in other.doc.imports:
+ if not e.externalSpdxId in imports:
+ imports[e.externalSpdxId] = e
+
+ self.objects |= other.objects
+
+ for o in add_objectsets:
+ merge_doc(o)
+
+ needed_spdxids = self.link()
+ provided_spdxids = set(self.obj_by_id.keys())
+
+ while True:
+ import_spdxids = set(imports.keys())
+ searching_spdxids = (
+ needed_spdxids - provided_spdxids - missing_spdxids - import_spdxids
+ )
+ if not searching_spdxids:
+ break
+
+ spdxid = searching_spdxids.pop()
+ bb.debug(
+ 1,
+ f"Searching for {spdxid}. Remaining: {len(searching_spdxids)}, Total: {len(provided_spdxids)}, Missing: {len(missing_spdxids)}, Imports: {len(import_spdxids)}",
+ )
+ dep_objset, dep_path = find_by_spdxid(self.d, spdxid)
+
+ if dep_objset:
+ dep_provided = set(dep_objset.obj_by_id.keys())
+ if spdxid not in dep_provided:
+ bb.fatal(f"{spdxid} not found in {dep_path}")
+ provided_spdxids |= dep_provided
+ needed_spdxids |= dep_objset.missing_ids
+ merge_doc(dep_objset)
+ else:
+ missing_spdxids.add(spdxid)
+
+ bb.debug(1, "Linking...")
+ missing = self.link()
+ if missing != missing_spdxids:
+ bb.fatal(
+ f"Linked document doesn't match missing SPDX ID list. Got: {missing}\nExpected: {missing_spdxids}"
+ )
+
+ self.doc.imports = sorted(imports.values(), key=lambda e: e.externalSpdxId)
+
+ return missing_spdxids
+
+
+def load_jsonld(d, path, required=False):
+ deserializer = oe.spdx30.JSONLDDeserializer()
+ objset = ObjectSet(d)
+ try:
+ with path.open("rb") as f:
+ deserializer.read(f, objset)
+ except FileNotFoundError:
+ if required:
+ bb.fatal("No SPDX document named %s found" % path)
+ return None
+
+ if not objset.doc:
+ bb.fatal("SPDX Document %s has no SPDXDocument element" % path)
+ return None
+
+ objset.objects.remove(objset.doc)
+ return objset
+
+
+def jsonld_arch_path(d, arch, subdir, name, deploydir=None):
+ if deploydir is None:
+ deploydir = Path(d.getVar("DEPLOY_DIR_SPDX"))
+ return deploydir / arch / subdir / (name + ".spdx.json")
+
+
+def jsonld_hash_path(_id):
+ h = hashlib.sha256(_id.encode("utf-8")).hexdigest()
+
+ return Path("by-spdxid-hash") / h[:2], h
+
+
+def load_jsonld_by_arch(d, arch, subdir, name, *, required=False):
+ path = jsonld_arch_path(d, arch, subdir, name)
+ objset = load_jsonld(d, path, required=required)
+ if objset is not None:
+ return (objset, path)
+ return (None, None)
+
+
+def find_jsonld(d, subdir, name, *, required=False):
+ package_archs = d.getVar("SSTATE_ARCHS").split()
+ package_archs.reverse()
+
+ for arch in package_archs:
+ objset, path = load_jsonld_by_arch(d, arch, subdir, name)
+ if objset is not None:
+ return (objset, path)
+
+ if required:
+ bb.fatal("Could not find a %s SPDX document named %s" % (subdir, name))
+
+ return (None, None)
+
+
+def write_jsonld_doc(d, objset, dest):
+ if not isinstance(objset, ObjectSet):
+ bb.fatal("Only an ObjsetSet can be serialized")
+ return
+
+ if not objset.doc:
+ bb.fatal("ObjectSet is missing a SpdxDocument")
+ return
+
+ objset.doc.rootElement = sorted(list(set(objset.doc.rootElement)))
+ objset.doc.profileConformance = sorted(
+ list(
+ getattr(oe.spdx30.ProfileIdentifierType, p)
+ for p in d.getVar("SPDX_PROFILES").split()
+ )
+ )
+
+ dest.parent.mkdir(exist_ok=True, parents=True)
+
+ if d.getVar("SPDX_PRETTY") == "1":
+ serializer = oe.spdx30.JSONLDSerializer(
+ indent=2,
+ )
+ else:
+ serializer = oe.spdx30.JSONLDInlineSerializer()
+
+ objset.objects.add(objset.doc)
+ with dest.open("wb") as f:
+ serializer.write(objset, f, force_at_graph=True)
+ objset.objects.remove(objset.doc)
+
+
+def write_recipe_jsonld_doc(
+ d,
+ objset,
+ subdir,
+ deploydir,
+ *,
+ create_spdx_id_links=True,
+):
+ pkg_arch = d.getVar("SSTATE_PKGARCH")
+
+ dest = jsonld_arch_path(d, pkg_arch, subdir, objset.doc.name, deploydir=deploydir)
+
+ def link_id(_id):
+ hash_path = jsonld_hash_path(_id)
+
+ link_name = jsonld_arch_path(
+ d,
+ pkg_arch,
+ *hash_path,
+ deploydir=deploydir,
+ )
+ try:
+ link_name.parent.mkdir(exist_ok=True, parents=True)
+ link_name.symlink_to(os.path.relpath(dest, link_name.parent))
+ except:
+ target = link_name.readlink()
+ bb.warn(
+ f"Unable to link {_id} in {dest} as {link_name}. Already points to {target}"
+ )
+ raise
+
+ return hash_path[-1]
+
+ objset.add_aliases()
+
+ for o in objset.foreach_type(oe.spdx30.Element):
+ if not o._id or o._id.startswith("_:"):
+ continue
+
+ if create_spdx_id_links:
+ ext = None
+ for e in o.extension:
+ if not isinstance(e, OELinkExtension):
+ continue
+
+ ext = e
+ break
+
+ if ext is None:
+ ext = OELinkExtension(link_spdx_id=True)
+ o.extension.append(ext)
+
+ if ext.link_spdx_id:
+ ext.link_name = link_id(o._id)
+
+ alias_ext = get_alias(o)
+ if alias_ext is not None and alias_ext.alias:
+ alias_ext.link_name = link_id(alias_ext.alias)
+
+ write_jsonld_doc(d, objset, dest)
+
+
+def find_root_obj_in_jsonld(d, subdir, fn_name, obj_type, **attr_filter):
+ objset, fn = find_jsonld(d, subdir, fn_name, required=True)
+
+ spdx_obj = objset.find_root(obj_type, **attr_filter)
+ if not spdx_obj:
+ bb.fatal("No root %s found in %s" % (obj_type.__name__, fn))
+
+ return spdx_obj, objset
+
+
+def load_obj_in_jsonld(d, arch, subdir, fn_name, obj_type, **attr_filter):
+ objset, fn = load_jsonld_by_arch(d, arch, subdir, fn_name, required=True)
+
+ spdx_obj = objset.find_filter(obj_type, **attr_filter)
+ if not spdx_obj:
+ bb.fatal("No %s found in %s" % (obj_type.__name__, fn))
+
+ return spdx_obj, objset
+
+
+def find_by_spdxid(d, spdxid, *, required=False):
+ return find_jsonld(d, *jsonld_hash_path(spdxid), required=required)
+
+
+def create_sbom(d, name, root_elements, add_objectsets=[]):
+ objset = ObjectSet.new_objset(d, name)
+
+ sbom = objset.add(
+ oe.spdx30.software_Sbom(
+ _id=objset.new_spdxid("sbom", name),
+ name=name,
+ creationInfo=objset.doc.creationInfo,
+ software_sbomType=[oe.spdx30.software_SbomType.build],
+ rootElement=root_elements,
+ )
+ )
+
+ missing_spdxids = objset.expand_collection(add_objectsets=add_objectsets)
+ if missing_spdxids:
+ bb.warn(
+ "The following SPDX IDs were unable to be resolved:\n "
+ + "\n ".join(sorted(list(missing_spdxids)))
+ )
+
+ # Filter out internal extensions from final SBoMs
+ objset.remove_internal_extensions()
+
+ # SBoM should be the only root element of the document
+ objset.doc.rootElement = [sbom]
+
+ # De-duplicate licenses
+ unique = set()
+ dedup = {}
+ for lic in objset.foreach_type(oe.spdx30.simplelicensing_LicenseExpression):
+ for u in unique:
+ if (
+ u.simplelicensing_licenseExpression
+ == lic.simplelicensing_licenseExpression
+ and u.simplelicensing_licenseListVersion
+ == lic.simplelicensing_licenseListVersion
+ ):
+ dedup[lic] = u
+ break
+ else:
+ unique.add(lic)
+
+ if dedup:
+ for rel in objset.foreach_filter(
+ oe.spdx30.Relationship,
+ relationshipType=oe.spdx30.RelationshipType.hasDeclaredLicense,
+ ):
+ rel.to = [dedup.get(to, to) for to in rel.to]
+
+ for rel in objset.foreach_filter(
+ oe.spdx30.Relationship,
+ relationshipType=oe.spdx30.RelationshipType.hasConcludedLicense,
+ ):
+ rel.to = [dedup.get(to, to) for to in rel.to]
+
+ for k, v in dedup.items():
+ bb.debug(1, f"Removing duplicate License {k._id} -> {v._id}")
+ objset.objects.remove(k)
+
+ objset.create_index()
+
+ return objset, sbom
new file mode 100644
@@ -0,0 +1,5413 @@
+#! /usr/bin/env python3
+#
+# Generated Python bindings from a SHACL model
+#
+# This file was automatically generated by shacl2code. DO NOT MANUALLY MODIFY IT
+#
+# SPDX-License-Identifier: MIT
+
+import functools
+import hashlib
+import json
+import re
+import time
+import threading
+from contextlib import contextmanager
+from datetime import datetime, timezone, timedelta
+from enum import Enum
+from abc import ABC, abstractmethod
+
+
+def check_type(obj, types):
+ if not isinstance(obj, types):
+ if isinstance(types, (list, tuple)):
+ raise TypeError(
+ f"Value must be one of type: {', '.join(t.__name__ for t in types)}. Got {type(obj)}"
+ )
+ raise TypeError(f"Value must be of type {types.__name__}. Got {type(obj)}")
+
+
+class Property(ABC):
+ """
+ A generic SHACL object property. The different types will derive from this
+ class
+ """
+
+ def __init__(self, *, pattern=None):
+ self.pattern = pattern
+
+ def init(self):
+ return None
+
+ def validate(self, value):
+ check_type(value, self.VALID_TYPES)
+ if self.pattern is not None and not re.search(
+ self.pattern, self.to_string(value)
+ ):
+ raise ValueError(
+ f"Value is not correctly formatted. Got '{self.to_string(value)}'"
+ )
+
+ def set(self, value):
+ return value
+
+ def check_min_count(self, value, min_count):
+ return min_count == 1
+
+ def check_max_count(self, value, max_count):
+ return max_count == 1
+
+ def elide(self, value):
+ return value is None
+
+ def walk(self, value, callback, path):
+ callback(value, path)
+
+ def iter_objects(self, value, recursive, visited):
+ return []
+
+ def link_prop(self, value, objectset, missing, visited):
+ return value
+
+ def to_string(self, value):
+ return str(value)
+
+ @abstractmethod
+ def encode(self, encoder, value, state):
+ pass
+
+ @abstractmethod
+ def decode(self, decoder, *, objectset=None):
+ pass
+
+
+class StringProp(Property):
+ """
+ A scalar string property for an SHACL object
+ """
+
+ VALID_TYPES = str
+
+ def set(self, value):
+ return str(value)
+
+ def encode(self, encoder, value, state):
+ encoder.write_string(value)
+
+ def decode(self, decoder, *, objectset=None):
+ return decoder.read_string()
+
+
+class AnyURIProp(StringProp):
+ def encode(self, encoder, value, state):
+ encoder.write_iri(value)
+
+ def decode(self, decoder, *, objectset=None):
+ return decoder.read_iri()
+
+
+class DateTimeProp(Property):
+ """
+ A Date/Time Object with optional timezone
+ """
+
+ VALID_TYPES = datetime
+ UTC_FORMAT_STR = "%Y-%m-%dT%H:%M:%SZ"
+ REGEX = r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(Z|[+-]\d{2}:\d{2})?$"
+
+ def set(self, value):
+ return self._normalize(value)
+
+ def encode(self, encoder, value, state):
+ encoder.write_datetime(self.to_string(value))
+
+ def decode(self, decoder, *, objectset=None):
+ s = decoder.read_datetime()
+ if s is None:
+ return None
+ v = self.from_string(s)
+ return self._normalize(v)
+
+ def _normalize(self, value):
+ if value.utcoffset() is None:
+ value = value.astimezone()
+ offset = value.utcoffset()
+ if offset % timedelta(minutes=1):
+ offset = offset - (offset % timedelta(minutes=1))
+ value = value.replace(tzinfo=timezone(offset))
+ value = value.replace(microsecond=0)
+ return value
+
+ def to_string(self, value):
+ value = self._normalize(value)
+ if value.tzinfo == timezone.utc:
+ return value.strftime(self.UTC_FORMAT_STR)
+ return value.isoformat()
+
+ def from_string(self, value):
+ if not re.match(self.REGEX, value):
+ raise ValueError(f"'{value}' is not a correctly formatted datetime")
+ if "Z" in value:
+ d = datetime(
+ *(time.strptime(value, self.UTC_FORMAT_STR)[0:6]),
+ tzinfo=timezone.utc,
+ )
+ else:
+ d = datetime.fromisoformat(value)
+
+ return self._normalize(d)
+
+
+class DateTimeStampProp(DateTimeProp):
+ """
+ A Date/Time Object with required timestamp
+ """
+
+ REGEX = r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(Z|[+-]\d{2}:\d{2})$"
+
+
+class IntegerProp(Property):
+ VALID_TYPES = int
+
+ def set(self, value):
+ return int(value)
+
+ def encode(self, encoder, value, state):
+ encoder.write_integer(value)
+
+ def decode(self, decoder, *, objectset=None):
+ return decoder.read_integer()
+
+
+class PositiveIntegerProp(IntegerProp):
+ def validate(self, value):
+ super().validate(value)
+ if value < 1:
+ raise ValueError(f"Value must be >=1. Got {value}")
+
+
+class NonNegativeIntegerProp(IntegerProp):
+ def validate(self, value):
+ super().validate(value)
+ if value < 0:
+ raise ValueError(f"Value must be >= 0. Got {value}")
+
+
+class BooleanProp(Property):
+ VALID_TYPES = bool
+
+ def set(self, value):
+ return bool(value)
+
+ def encode(self, encoder, value, state):
+ encoder.write_bool(value)
+
+ def decode(self, decoder, *, objectset=None):
+ return decoder.read_bool()
+
+
+class FloatProp(Property):
+ VALID_TYPES = (float, int)
+
+ def set(self, value):
+ return float(value)
+
+ def encode(self, encoder, value, state):
+ encoder.write_float(value)
+
+ def decode(self, decoder, *, objectset=None):
+ return decoder.read_float()
+
+
+class ObjectProp(Property):
+ """
+ A scalar SHACL object property of a SHACL object
+ """
+
+ def __init__(self, cls, required):
+ super().__init__()
+ self.cls = cls
+ self.required = required
+
+ def init(self):
+ if self.required:
+ return self.cls()
+ return None
+
+ def validate(self, value):
+ check_type(value, (self.cls, str))
+
+ def walk(self, value, callback, path):
+ if value is None:
+ return
+
+ if not isinstance(value, str):
+ value.walk(callback, path)
+ else:
+ callback(value, path)
+
+ def iter_objects(self, value, recursive, visited):
+ if value is None or isinstance(value, str):
+ return
+
+ if value not in visited:
+ visited.add(value)
+ yield value
+
+ if recursive:
+ for c in value.iter_objects(recursive=True, visited=visited):
+ yield c
+
+ def encode(self, encoder, value, state):
+ if value is None:
+ raise ValueError("Object cannot be None")
+
+ if isinstance(value, str):
+ encoder.write_iri(value)
+ return
+
+ return value.encode(encoder, state)
+
+ def decode(self, decoder, *, objectset=None):
+ iri = decoder.read_iri()
+ if iri is None:
+ return self.cls.decode(decoder, objectset=objectset)
+
+ if objectset is None:
+ return iri
+
+ obj = objectset.find_by_id(iri)
+ if obj is None:
+ return iri
+
+ self.validate(obj)
+ return obj
+
+ def link_prop(self, value, objectset, missing, visited):
+ if value is None:
+ return value
+
+ if isinstance(value, str):
+ o = objectset.find_by_id(value)
+ if o is not None:
+ self.validate(o)
+ return o
+
+ if missing is not None:
+ missing.add(value)
+
+ return value
+
+ # De-duplicate IDs
+ if value._id:
+ value = objectset.find_by_id(value._id, value)
+ self.validate(value)
+
+ value.link_helper(objectset, missing, visited)
+ return value
+
+
+class ListProxy(object):
+ def __init__(self, prop, data=None):
+ if data is None:
+ self.__data = []
+ else:
+ self.__data = data
+ self.__prop = prop
+
+ def append(self, value):
+ self.__prop.validate(value)
+ self.__data.append(self.__prop.set(value))
+
+ def insert(self, idx, value):
+ self.__prop.validate(value)
+ self.__data.insert(idx, self.__prop.set(value))
+
+ def extend(self, items):
+ for i in items:
+ self.append(i)
+
+ def sort(self, *args, **kwargs):
+ self.__data.sort(*args, **kwargs)
+
+ def __getitem__(self, key):
+ return self.__data[key]
+
+ def __setitem__(self, key, value):
+ if isinstance(key, slice):
+ for v in value:
+ self.__prop.validate(v)
+ self.__data[key] = [self.__prop.set(v) for v in value]
+ else:
+ self.__prop.validate(value)
+ self.__data[key] = self.__prop.set(value)
+
+ def __delitem__(self, key):
+ del self.__data[key]
+
+ def __contains__(self, item):
+ return item in self.__data
+
+ def __iter__(self):
+ return iter(self.__data)
+
+ def __len__(self):
+ return len(self.__data)
+
+ def __str__(self):
+ return str(self.__data)
+
+ def __repr__(self):
+ return repr(self.__data)
+
+ def __eq__(self, other):
+ if isinstance(other, ListProxy):
+ return self.__data == other.__data
+
+ return self.__data == other
+
+
+class ListProp(Property):
+ """
+ A list of SHACL properties
+ """
+
+ VALID_TYPES = (list, ListProxy)
+
+ def __init__(self, prop):
+ super().__init__()
+ self.prop = prop
+
+ def init(self):
+ return ListProxy(self.prop)
+
+ def validate(self, value):
+ super().validate(value)
+
+ for i in value:
+ self.prop.validate(i)
+
+ def set(self, value):
+ if isinstance(value, ListProxy):
+ return value
+
+ return ListProxy(self.prop, [self.prop.set(d) for d in value])
+
+ def check_min_count(self, value, min_count):
+ check_type(value, ListProxy)
+ return len(value) >= min_count
+
+ def check_max_count(self, value, max_count):
+ check_type(value, ListProxy)
+ return len(value) <= max_count
+
+ def elide(self, value):
+ check_type(value, ListProxy)
+ return len(value) == 0
+
+ def walk(self, value, callback, path):
+ callback(value, path)
+ for idx, v in enumerate(value):
+ self.prop.walk(v, callback, path + [f"[{idx}]"])
+
+ def iter_objects(self, value, recursive, visited):
+ for v in value:
+ for c in self.prop.iter_objects(v, recursive, visited):
+ yield c
+
+ def link_prop(self, value, objectset, missing, visited):
+ if isinstance(value, ListProxy):
+ data = [self.prop.link_prop(v, objectset, missing, visited) for v in value]
+ else:
+ data = [self.prop.link_prop(v, objectset, missing, visited) for v in value]
+
+ return ListProxy(self.prop, data=data)
+
+ def encode(self, encoder, value, state):
+ check_type(value, ListProxy)
+
+ with encoder.write_list() as list_s:
+ for v in value:
+ with list_s.write_list_item() as item_s:
+ self.prop.encode(item_s, v, state)
+
+ def decode(self, decoder, *, objectset=None):
+ data = []
+ for val_d in decoder.read_list():
+ v = self.prop.decode(val_d, objectset=objectset)
+ self.prop.validate(v)
+ data.append(v)
+
+ return ListProxy(self.prop, data=data)
+
+
+class EnumProp(Property):
+ VALID_TYPES = str
+
+ def __init__(self, values, *, pattern=None):
+ super().__init__(pattern=pattern)
+ self.values = values
+
+ def validate(self, value):
+ super().validate(value)
+
+ valid_values = (iri for iri, _ in self.values)
+ if value not in valid_values:
+ raise ValueError(
+ f"'{value}' is not a valid value. Choose one of {' '.join(valid_values)}"
+ )
+
+ def encode(self, encoder, value, state):
+ for iri, compact in self.values:
+ if iri == value:
+ encoder.write_enum(value, self, compact)
+ return
+
+ encoder.write_enum(value, self)
+
+ def decode(self, decoder, *, objectset=None):
+ v = decoder.read_enum(self)
+ for iri, compact in self.values:
+ if v == compact:
+ return iri
+ return v
+
+
+class NodeKind(Enum):
+ BlankNode = 1
+ IRI = 2
+ BlankNodeOrIRI = 3
+
+
+def is_IRI(s):
+ if not isinstance(s, str):
+ return False
+ if s.startswith("_:"):
+ return False
+ if ":" not in s:
+ return False
+ return True
+
+
+def is_blank_node(s):
+ if not isinstance(s, str):
+ return False
+ if not s.startswith("_:"):
+ return False
+ return True
+
+
+def register(type_iri, compact_type=None):
+ def add_class(key, c):
+ assert (
+ key not in SHACLObject.CLASSES
+ ), f"{key} already registered to {SHACLObject.CLASSES[key].__name__}"
+ SHACLObject.CLASSES[key] = c
+
+ def decorator(c):
+ assert issubclass(
+ c, SHACLObject
+ ), f"{c.__name__} is not derived from SHACLObject"
+
+ c._OBJ_TYPE = type_iri
+ add_class(type_iri, c)
+
+ c._OBJ_COMPACT_TYPE = compact_type
+ if compact_type:
+ add_class(compact_type, c)
+
+ # Registration is deferred until the first instance of class is created
+ # so that it has access to any other defined class
+ c._NEEDS_REG = True
+ return c
+
+ return decorator
+
+
+register_lock = threading.Lock()
+
+
+@functools.total_ordering
+class SHACLObject(object):
+ CLASSES = {}
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = None
+
+ def __init__(self, **kwargs):
+ with register_lock:
+ cls = self.__class__
+ if cls._NEEDS_REG:
+ cls._OBJ_PROPERTIES = {}
+ cls._OBJ_IRIS = {}
+ cls._register_props()
+ cls._NEEDS_REG = False
+
+ self._obj_data = {}
+ self._obj_metadata = {}
+
+ for iri, prop, _, _, _, _ in self.__iter_props():
+ self._obj_data[iri] = prop.init()
+
+ for k, v in kwargs.items():
+ setattr(self, k, v)
+
+ @classmethod
+ def _register_props(cls):
+ cls._add_property("_id", StringProp(), iri="@id")
+
+ @classmethod
+ def _add_property(
+ cls,
+ pyname,
+ prop,
+ iri,
+ min_count=None,
+ max_count=None,
+ compact=None,
+ ):
+ if pyname in cls._OBJ_IRIS:
+ raise KeyError(f"'{pyname}' is already defined for '{cls.__name__}'")
+ if iri in cls._OBJ_PROPERTIES:
+ raise KeyError(f"'{iri}' is already defined for '{cls.__name__}'")
+
+ while hasattr(cls, pyname):
+ pyname = pyname + "_"
+
+ cls._OBJ_IRIS[pyname] = iri
+ cls._OBJ_PROPERTIES[iri] = (prop, min_count, max_count, pyname, compact)
+
+ def __setattr__(self, name, value):
+ if name.startswith("_obj_"):
+ return super().__setattr__(name, value)
+
+ if name == self.ID_ALIAS:
+ name = "_id"
+
+ try:
+ iri = self._OBJ_IRIS[name]
+ self[iri] = value
+ except KeyError:
+ raise AttributeError(
+ f"'{name}' is not a valid property of {self.__class__.__name__}"
+ )
+
+ def __getattr__(self, name):
+ if name.startswith("_obj_"):
+ return self.__dict__[name]
+
+ if name == "_metadata":
+ return self._obj_metadata
+
+ if name == "_IRI":
+ return self._OBJ_IRIS
+
+ if name == self.ID_ALIAS:
+ name = "_id"
+
+ if name == "TYPE":
+ return self.__class__._OBJ_TYPE
+
+ if name == "COMPACT_TYPE":
+ return self.__class__._OBJ_COMPACT_TYPE
+
+ try:
+ iri = self._OBJ_IRIS[name]
+ return self[iri]
+ except KeyError:
+ raise AttributeError(
+ f"'{name}' is not a valid property of {self.__class__.__name__}"
+ )
+
+ def __delattr__(self, name):
+ if name == self.ID_ALIAS:
+ name = "_id"
+
+ try:
+ iri = self._OBJ_IRIS[name]
+ del self[iri]
+ except KeyError:
+ raise AttributeError(
+ f"'{name}' is not a valid property of {self.__class__.__name__}"
+ )
+
+ def __get_prop(self, iri):
+ if iri not in self._OBJ_PROPERTIES:
+ raise KeyError(
+ f"'{iri}' is not a valid property of {self.__class__.__name__}"
+ )
+
+ return self._OBJ_PROPERTIES[iri]
+
+ def __iter_props(self):
+ for iri, v in self._OBJ_PROPERTIES.items():
+ yield iri, *v
+
+ def __getitem__(self, iri):
+ return self._obj_data[iri]
+
+ def __setitem__(self, iri, value):
+ if iri == "@id":
+ if self.NODE_KIND == NodeKind.BlankNode:
+ if not is_blank_node(value):
+ raise ValueError(
+ f"{self.__class__.__name__} ({id(self)}) can only have local reference. Property '{iri}' cannot be set to '{value}' and must start with '_:'"
+ )
+ elif self.NODE_KIND == NodeKind.IRI:
+ if not is_IRI(value):
+ raise ValueError(
+ f"{self.__class__.__name__} ({id(self)}) can only have an IRI value. Property '{iri}' cannot be set to '{value}'"
+ )
+ else:
+ if not is_blank_node(value) and not is_IRI(value):
+ raise ValueError(
+ f"{self.__class__.__name__} ({id(self)}) Has invalid Property '{iri}' '{value}'. Must be a blank node or IRI"
+ )
+
+ prop, _, _, _, _ = self.__get_prop(iri)
+ prop.validate(value)
+ self._obj_data[iri] = prop.set(value)
+
+ def __delitem__(self, iri):
+ prop, _, _, _, _ = self.__get_prop(iri)
+ self._obj_data[iri] = prop.init()
+
+ def __iter__(self):
+ return self._OBJ_PROPERTIES.keys()
+
+ def walk(self, callback, path=None):
+ """
+ Walk object tree, invoking the callback for each item
+
+ Callback has the form:
+
+ def callback(object, path):
+ """
+ if path is None:
+ path = ["."]
+
+ if callback(self, path):
+ for iri, prop, _, _, _, _ in self.__iter_props():
+ prop.walk(self._obj_data[iri], callback, path + [f".{iri}"])
+
+ def property_keys(self):
+ for iri, _, _, _, pyname, compact in self.__iter_props():
+ if iri == "@id":
+ compact = self.ID_ALIAS
+ yield pyname, iri, compact
+
+ def iter_objects(self, *, recursive=False, visited=None):
+ """
+ Iterate of all objects that are a child of this one
+ """
+ if visited is None:
+ visited = set()
+
+ for iri, prop, _, _, _, _ in self.__iter_props():
+ for c in prop.iter_objects(
+ self._obj_data[iri], recursive=recursive, visited=visited
+ ):
+ yield c
+
+ def encode(self, encoder, state):
+ idname = self.ID_ALIAS or self._OBJ_IRIS["_id"]
+ if not self._id and self.NODE_KIND == NodeKind.IRI:
+ raise ValueError(
+ f"{self.__class__.__name__} ({id(self)}) must have a IRI for property '{idname}'"
+ )
+
+ if state.is_written(self):
+ encoder.write_iri(state.get_object_id(self))
+ return
+
+ state.add_written(self)
+
+ with encoder.write_object(
+ self,
+ state.get_object_id(self),
+ bool(self._id) or state.is_refed(self),
+ ) as obj_s:
+ self._encode_properties(obj_s, state)
+
+ def _encode_properties(self, encoder, state):
+ for iri, prop, min_count, max_count, pyname, compact in self.__iter_props():
+ value = self._obj_data[iri]
+ if prop.elide(value):
+ if min_count:
+ raise ValueError(
+ f"Property '{pyname}' in {self.__class__.__name__} ({id(self)}) is required (currently {value!r})"
+ )
+ continue
+
+ if min_count is not None:
+ if not prop.check_min_count(value, min_count):
+ raise ValueError(
+ f"Property '{pyname}' in {self.__class__.__name__} ({id(self)}) requires a minimum of {min_count} elements"
+ )
+
+ if max_count is not None:
+ if not prop.check_max_count(value, max_count):
+ raise ValueError(
+ f"Property '{pyname}' in {self.__class__.__name__} ({id(self)}) requires a maximum of {max_count} elements"
+ )
+
+ if iri == self._OBJ_IRIS["_id"]:
+ continue
+
+ with encoder.write_property(iri, compact) as prop_s:
+ prop.encode(prop_s, value, state)
+
+ @classmethod
+ def _make_object(cls, typ):
+ if typ not in cls.CLASSES:
+ raise TypeError(f"Unknown type {typ}")
+
+ return cls.CLASSES[typ]()
+
+ @classmethod
+ def decode(cls, decoder, *, objectset=None):
+ typ, obj_d = decoder.read_object()
+ if typ is None:
+ raise TypeError("Unable to determine type for object")
+
+ obj = cls._make_object(typ)
+ for key in (obj.ID_ALIAS, obj._OBJ_IRIS["_id"]):
+ with obj_d.read_property(key) as prop_d:
+ if prop_d is None:
+ continue
+
+ _id = prop_d.read_iri()
+ if _id is None:
+ raise TypeError(f"Object key '{key}' is the wrong type")
+
+ obj._id = _id
+ break
+
+ if obj.NODE_KIND == NodeKind.IRI and not obj._id:
+ raise ValueError("Object is missing required IRI")
+
+ if objectset is not None:
+ if obj._id:
+ v = objectset.find_by_id(_id)
+ if v is not None:
+ return v
+
+ obj._decode_properties(obj_d, objectset=objectset)
+
+ if objectset is not None:
+ objectset.add_index(obj)
+ return obj
+
+ def _decode_properties(self, decoder, objectset=None):
+ for key in decoder.object_keys():
+ if not self._decode_prop(decoder, key, objectset=objectset):
+ raise KeyError(f"Unknown property '{key}'")
+
+ def _decode_prop(self, decoder, key, objectset=None):
+ if key in (self._OBJ_IRIS["_id"], self.ID_ALIAS):
+ return True
+
+ for iri, prop, _, _, _, compact in self.__iter_props():
+ if compact == key:
+ read_key = compact
+ elif iri == key:
+ read_key = iri
+ else:
+ continue
+
+ with decoder.read_property(read_key) as prop_d:
+ v = prop.decode(prop_d, objectset=objectset)
+ prop.validate(v)
+ self._obj_data[iri] = v
+ return True
+
+ return False
+
+ def link_helper(self, objectset, missing, visited):
+ if self in visited:
+ return
+
+ visited.add(self)
+
+ for iri, prop, _, _, _, _ in self.__iter_props():
+ self._obj_data[iri] = prop.link_prop(
+ self._obj_data[iri],
+ objectset,
+ missing,
+ visited,
+ )
+
+ def __str__(self):
+ parts = [
+ f"{self.__class__.__name__}(",
+ ]
+ if self._id:
+ parts.append(f"@id='{self._id}'")
+ parts.append(")")
+ return "".join(parts)
+
+ def __hash__(self):
+ return super().__hash__()
+
+ def __eq__(self, other):
+ return super().__eq__(other)
+
+ def __lt__(self, other):
+ def sort_key(obj):
+ if isinstance(obj, str):
+ return (obj, "", "", "")
+ return (
+ obj._id or "",
+ obj.TYPE,
+ getattr(obj, "name", None) or "",
+ id(obj),
+ )
+
+ return sort_key(self) < sort_key(other)
+
+
+class SHACLExtensibleObject(object):
+ CLOSED = False
+
+ def __init__(self, typ=None, **kwargs):
+ super().__init__(**kwargs)
+ if typ:
+ self._obj_TYPE = (typ, None)
+ else:
+ self._obj_TYPE = (self._OBJ_TYPE, self._OBJ_COMPACT_TYPE)
+
+ @classmethod
+ def _make_object(cls, typ):
+ # Check for a known type, and if so, deserialize as that instead
+ if typ in cls.CLASSES:
+ return cls.CLASSES[typ]()
+
+ obj = cls(typ)
+ return obj
+
+ def _decode_properties(self, decoder, objectset=None):
+ if self.CLOSED:
+ super()._decode_properties(decoder, objectset=objectset)
+ return
+
+ for key in decoder.object_keys():
+ if self._decode_prop(decoder, key, objectset=objectset):
+ continue
+
+ if not is_IRI(key):
+ raise KeyError(
+ f"Extensible object properties must be IRIs. Got '{key}'"
+ )
+
+ with decoder.read_property(key) as prop_d:
+ self._obj_data[key] = prop_d.read_value()
+
+ def _encode_properties(self, encoder, state):
+ def encode_value(encoder, v):
+ if isinstance(v, bool):
+ encoder.write_bool(v)
+ elif isinstance(v, str):
+ encoder.write_string(v)
+ elif isinstance(v, int):
+ encoder.write_integer(v)
+ elif isinstance(v, float):
+ encoder.write_float(v)
+ else:
+ raise TypeError(
+ f"Unsupported serialized type {type(v)} with value '{v}'"
+ )
+
+ super()._encode_properties(encoder, state)
+ if self.CLOSED:
+ return
+
+ for iri, value in self._obj_data.items():
+ if iri in self._OBJ_PROPERTIES:
+ continue
+
+ with encoder.write_property(iri) as prop_s:
+ encode_value(prop_s, value)
+
+ def __setitem__(self, iri, value):
+ try:
+ super().__setitem__(iri, value)
+ except KeyError:
+ if self.CLOSED:
+ raise
+
+ if not is_IRI(iri):
+ raise KeyError(f"Key '{iri}' must be an IRI")
+ self._obj_data[iri] = value
+
+ def __delitem__(self, iri):
+ try:
+ super().__delitem__(iri)
+ except KeyError:
+ if self.CLOSED:
+ raise
+
+ if not is_IRI(iri):
+ raise KeyError(f"Key '{iri}' must be an IRI")
+ del self._obj_data[iri]
+
+ def __getattr__(self, name):
+ if name == "TYPE":
+ return self._obj_TYPE[0]
+ if name == "COMPACT_TYPE":
+ return self._obj_TYPE[1]
+ return super().__getattr__(name)
+
+ def property_keys(self):
+ iris = set()
+ for pyname, iri, compact in super().property_keys():
+ iris.add(iri)
+ yield pyname, iri, compact
+
+ if self.CLOSED:
+ return
+
+ for iri in self._obj_data.keys():
+ if iri not in iris:
+ yield None, iri, None
+
+
+class SHACLObjectSet(object):
+ def __init__(self, objects=[], *, link=False):
+ self.objects = set()
+ self.missing_ids = set()
+ for o in objects:
+ self.objects.add(o)
+ self.create_index()
+ if link:
+ self._link()
+
+ def create_index(self):
+ """
+ (re)Create object index
+
+ Creates or recreates the indices for the object set to enable fast
+ lookup. All objects and their children are walked and indexed
+ """
+ self.obj_by_id = {}
+ self.obj_by_type = {}
+ for o in self.foreach():
+ self.add_index(o)
+
+ def add_index(self, obj):
+ """
+ Add object to index
+
+ Adds the object to all appropriate indices
+ """
+
+ def reg_type(typ, compact, o, exact):
+ self.obj_by_type.setdefault(typ, set()).add((exact, o))
+ if compact:
+ self.obj_by_type.setdefault(compact, set()).add((exact, o))
+
+ if not isinstance(obj, SHACLObject):
+ raise TypeError("Object is not of type SHACLObject")
+
+ for typ in SHACLObject.CLASSES.values():
+ if isinstance(obj, typ):
+ reg_type(
+ typ._OBJ_TYPE, typ._OBJ_COMPACT_TYPE, obj, obj.__class__ is typ
+ )
+
+ # This covers custom extensions
+ reg_type(obj.TYPE, obj.COMPACT_TYPE, obj, True)
+
+ if not obj._id:
+ return
+
+ self.missing_ids.discard(obj._id)
+
+ if obj._id in self.obj_by_id:
+ return
+
+ self.obj_by_id[obj._id] = obj
+
+ def add(self, obj):
+ """
+ Add object to object set
+
+ Adds a SHACLObject to the object set and index it.
+
+ NOTE: Child objects of the attached object are not indexes
+ """
+ if not isinstance(obj, SHACLObject):
+ raise TypeError("Object is not of type SHACLObject")
+
+ if obj not in self.objects:
+ self.objects.add(obj)
+ self.add_index(obj)
+ return obj
+
+ def update(self, *others):
+ """
+ Update object set adding all objects in each other iterable
+ """
+ for o in others:
+ for obj in o:
+ self.add(obj)
+
+ def __contains__(self, item):
+ """
+ Returns True if the item is in the object set
+ """
+ return item in self.objects
+
+ def link(self):
+ """
+ Link object set
+
+ Links the object in the object set by replacing string object
+ references with references to the objects themselves. e.g.
+ a property that references object "https://foo/bar" by a string
+ reference will be replaced with an actual reference to the object in
+ the object set with the same ID if it exists in the object set
+
+ If multiple objects with the same ID are found, the duplicates are
+ eliminated
+ """
+ self.create_index()
+ return self._link()
+
+ def _link(self):
+ self.missing_ids = set()
+ visited = set()
+
+ new_objects = set()
+
+ for o in self.objects:
+ if o._id:
+ o = self.find_by_id(o._id, o)
+ o.link_helper(self, self.missing_ids, visited)
+ new_objects.add(o)
+
+ self.objects = new_objects
+
+ # Remove blank nodes
+ obj_by_id = {}
+ for _id, obj in self.obj_by_id.items():
+ if _id.startswith("_:"):
+ del obj._id
+ else:
+ obj_by_id[_id] = obj
+ self.obj_by_id = obj_by_id
+
+ return self.missing_ids
+
+ def find_by_id(self, _id, default=None):
+ """
+ Find object by ID
+
+ Returns objects that match the specified ID, or default if there is no
+ object with the specified ID
+ """
+ if _id not in self.obj_by_id:
+ return default
+ return self.obj_by_id[_id]
+
+ def foreach(self):
+ """
+ Iterate over every object in the object set, and all child objects
+ """
+ visited = set()
+ for o in self.objects:
+ if o not in visited:
+ yield o
+ visited.add(o)
+
+ for child in o.iter_objects(recursive=True, visited=visited):
+ yield child
+
+ def foreach_type(self, typ, *, match_subclass=True):
+ """
+ Iterate over each object of a specified type (or subclass there of)
+
+ If match_subclass is True, and class derived from typ will also match
+ (similar to isinstance()). If False, only exact matches will be
+ returned
+ """
+ if not isinstance(typ, str):
+ if not issubclass(typ, SHACLObject):
+ raise TypeError(f"Type must be derived from SHACLObject, got {typ}")
+ typ = typ._OBJ_TYPE
+
+ if typ not in self.obj_by_type:
+ return
+
+ for exact, o in self.obj_by_type[typ]:
+ if match_subclass or exact:
+ yield o
+
+ def merge(self, *objectsets):
+ """
+ Merge object sets
+
+ Returns a new object set that is the combination of this object set and
+ all provided arguments
+ """
+ new_objects = set()
+ new_objects |= self.objects
+ for d in objectsets:
+ new_objects |= d.objects
+
+ return SHACLObjectSet(new_objects, link=True)
+
+ def encode(self, encoder, force_list=False):
+ """
+ Serialize a list of objects to a serialization encoder
+
+ If force_list is true, a list will always be written using the encoder.
+ """
+ ref_counts = {}
+ state = EncodeState()
+
+ def walk_callback(value, path):
+ nonlocal state
+ nonlocal ref_counts
+
+ if not isinstance(value, SHACLObject):
+ return True
+
+ # Remove blank node ID for re-assignment
+ if value._id and value._id.startswith("_:"):
+ del value._id
+
+ if value._id:
+ state.add_refed(value)
+
+ # If the object is referenced more than once, add it to the set of
+ # referenced objects
+ ref_counts.setdefault(value, 0)
+ ref_counts[value] += 1
+ if ref_counts[value] > 1:
+ state.add_refed(value)
+ return False
+
+ return True
+
+ for o in self.objects:
+ if o._id:
+ state.add_refed(o)
+ o.walk(walk_callback)
+
+ use_list = force_list or len(self.objects) > 1
+
+ if use_list:
+ # If we are making a list add all the objects referred to by reference
+ # to the list
+ objects = list(self.objects | state.ref_objects)
+ else:
+ objects = list(self.objects)
+
+ objects.sort()
+
+ if use_list:
+ # Ensure top level objects are only written in the top level graph
+ # node, and referenced by ID everywhere else. This is done by setting
+ # the flag that indicates this object has been written for all the top
+ # level objects, then clearing it right before serializing the object.
+ #
+ # In this way, if an object is referenced before it is supposed to be
+ # serialized into the @graph, it will serialize as a string instead of
+ # the actual object
+ for o in objects:
+ state.written_objects.add(o)
+
+ with encoder.write_list() as list_s:
+ for o in objects:
+ # Allow this specific object to be written now
+ state.written_objects.remove(o)
+ with list_s.write_list_item() as item_s:
+ o.encode(item_s, state)
+
+ else:
+ objects[0].encode(encoder, state)
+
+ def decode(self, decoder):
+ self.create_index()
+
+ for obj_d in decoder.read_list():
+ o = SHACLObject.decode(obj_d, objectset=self)
+ self.objects.add(o)
+
+ self._link()
+
+
+class EncodeState(object):
+ def __init__(self):
+ self.ref_objects = set()
+ self.written_objects = set()
+ self.blank_objects = {}
+
+ def get_object_id(self, o):
+ if o._id:
+ return o._id
+
+ if o not in self.blank_objects:
+ _id = f"_:{o.__class__.__name__}{len(self.blank_objects)}"
+ self.blank_objects[o] = _id
+
+ return self.blank_objects[o]
+
+ def is_refed(self, o):
+ return o in self.ref_objects
+
+ def add_refed(self, o):
+ self.ref_objects.add(o)
+
+ def is_written(self, o):
+ return o in self.written_objects
+
+ def add_written(self, o):
+ self.written_objects.add(o)
+
+
+class Decoder(ABC):
+ @abstractmethod
+ def read_value(self):
+ """
+ Consume next item
+
+ Consumes the next item of any type
+ """
+ pass
+
+ @abstractmethod
+ def read_string(self):
+ """
+ Consume the next item as a string.
+
+ Returns the string value of the next item, or `None` if the next item
+ is not a string
+ """
+ pass
+
+ @abstractmethod
+ def read_datetime(self):
+ """
+ Consumes the next item as a date & time string
+
+ Returns the string value of the next item, if it is a ISO datetime, or
+ `None` if the next item is not a ISO datetime string.
+
+ Note that validation of the string is done by the caller, so a minimal
+ implementation can just check if the next item is a string without
+ worrying about the format
+ """
+ pass
+
+ @abstractmethod
+ def read_integer(self):
+ """
+ Consumes the next item as an integer
+
+ Returns the integer value of the next item, or `None` if the next item
+ is not an integer
+ """
+ pass
+
+ @abstractmethod
+ def read_iri(self):
+ """
+ Consumes the next item as an IRI string
+
+ Returns the string value of the next item an IRI, or `None` if the next
+ item is not an IRI.
+
+ The returned string should be either a fully-qualified IRI, or a blank
+ node ID
+ """
+ pass
+
+ @abstractmethod
+ def read_enum(self, e):
+ """
+ Consumes the next item as an Enum value string
+
+ Returns the fully qualified IRI of the next enum item, or `None` if the
+ next item is not an enum value.
+
+ The callee is responsible for validating that the returned IRI is
+ actually a member of the specified Enum, so the `Decoder` does not need
+ to check that, but can if it wishes
+ """
+ pass
+
+ @abstractmethod
+ def read_bool(self):
+ """
+ Consume the next item as a boolean value
+
+ Returns the boolean value of the next item, or `None` if the next item
+ is not a boolean
+ """
+ pass
+
+ @abstractmethod
+ def read_float(self):
+ """
+ Consume the next item as a float value
+
+ Returns the float value of the next item, or `None` if the next item is
+ not a float
+ """
+ pass
+
+ @abstractmethod
+ def read_list(self):
+ """
+ Consume the next item as a list generator
+
+ This should generate a `Decoder` object for each item in the list. The
+ generated `Decoder` can be used to read the corresponding item from the
+ list
+ """
+ pass
+
+ @abstractmethod
+ def read_object(self):
+ """
+ Consume next item as an object
+
+ A context manager that "enters" the next item as a object and yields a
+ `Decoder` that can read properties from it. If the next item is not an
+ object, yields `None`
+
+ Properties will be read out of the object using `read_property` and
+ `read_object_id`
+ """
+ pass
+
+ @abstractmethod
+ @contextmanager
+ def read_property(self, key):
+ """
+ Read property from object
+
+ A context manager that yields a `Decoder` that can be used to read the
+ value of the property with the given key in current object, or `None`
+ if the property does not exist in the current object.
+ """
+ pass
+
+ @abstractmethod
+ def object_keys(self):
+ """
+ Read property keys from an object
+
+ Iterates over all the serialized keys for the current object
+ """
+ pass
+
+ @abstractmethod
+ def read_object_id(self, alias=None):
+ """
+ Read current object ID property
+
+ Returns the ID of the current object if one is defined, or `None` if
+ the current object has no ID.
+
+ The ID must be a fully qualified IRI or a blank node
+
+ If `alias` is provided, is is a hint as to another name by which the ID
+ might be found, if the `Decoder` supports aliases for an ID
+ """
+ pass
+
+
+class JSONLDDecoder(Decoder):
+ def __init__(self, data, root=False):
+ self.data = data
+ self.root = root
+
+ def read_value(self):
+ if isinstance(self.data, str):
+ try:
+ return float(self.data)
+ except ValueError:
+ pass
+ return self.data
+
+ def read_string(self):
+ if isinstance(self.data, str):
+ return self.data
+ return None
+
+ def read_datetime(self):
+ return self.read_string()
+
+ def read_integer(self):
+ if isinstance(self.data, int):
+ return self.data
+ return None
+
+ def read_bool(self):
+ if isinstance(self.data, bool):
+ return self.data
+ return None
+
+ def read_float(self):
+ if isinstance(self.data, (int, float, str)):
+ return float(self.data)
+ return None
+
+ def read_iri(self):
+ if isinstance(self.data, str):
+ return self.data
+ return None
+
+ def read_enum(self, e):
+ if isinstance(self.data, str):
+ return self.data
+ return None
+
+ def read_list(self):
+ if isinstance(self.data, (list, tuple, set)):
+ for v in self.data:
+ yield self.__class__(v)
+ else:
+ yield self
+
+ def __get_value(self, *keys):
+ for k in keys:
+ if k and k in self.data:
+ return self.data[k]
+ return None
+
+ @contextmanager
+ def read_property(self, key):
+ v = self.__get_value(key)
+ if v is not None:
+ yield self.__class__(v)
+ else:
+ yield None
+
+ def object_keys(self):
+ for key in self.data.keys():
+ if key in ("@type", "type"):
+ continue
+ if self.root and key == "@context":
+ continue
+ yield key
+
+ def read_object(self):
+ typ = self.__get_value("@type", "type")
+ if typ is not None:
+ return typ, self
+
+ return None, self
+
+ def read_object_id(self, alias=None):
+ return self.__get_value(alias, "@id")
+
+
+class JSONLDDeserializer(object):
+ def deserialize_data(self, data, objectset: SHACLObjectSet):
+ if "@graph" in data:
+ h = JSONLDDecoder(data["@graph"], True)
+ else:
+ h = JSONLDDecoder(data, True)
+
+ objectset.decode(h)
+
+ def read(self, f, objectset: SHACLObjectSet):
+ data = json.load(f)
+ self.deserialize_data(data, objectset)
+
+
+class Encoder(ABC):
+ @abstractmethod
+ def write_string(self, v):
+ """
+ Write a string value
+
+ Encodes the value as a string in the output
+ """
+ pass
+
+ @abstractmethod
+ def write_datetime(self, v):
+ """
+ Write a date & time string
+
+ Encodes the value as an ISO datetime string
+
+ Note: The provided string is already correctly encoded as an ISO datetime
+ """
+ pass
+
+ @abstractmethod
+ def write_integer(self, v):
+ """
+ Write an integer value
+
+ Encodes the value as an integer in the output
+ """
+ pass
+
+ @abstractmethod
+ def write_iri(self, v, compact=None):
+ """
+ Write IRI
+
+ Encodes the string as an IRI. Note that the string will be either a
+ fully qualified IRI or a blank node ID. If `compact` is provided and
+ the serialization supports compacted IRIs, it should be preferred to
+ the full IRI
+ """
+ pass
+
+ @abstractmethod
+ def write_enum(self, v, e, compact=None):
+ """
+ Write enum value IRI
+
+ Encodes the string enum value IRI. Note that the string will be a fully
+ qualified IRI. If `compact` is provided and the serialization supports
+ compacted IRIs, it should be preferred to the full IRI.
+ """
+ pass
+
+ @abstractmethod
+ def write_bool(self, v):
+ """
+ Write boolean
+
+ Encodes the value as a boolean in the output
+ """
+ pass
+
+ @abstractmethod
+ def write_float(self, v):
+ """
+ Write float
+
+ Encodes the value as a floating point number in the output
+ """
+ pass
+
+ @abstractmethod
+ @contextmanager
+ def write_object(self, o, _id, needs_id):
+ """
+ Write object
+
+ A context manager that yields an `Encoder` that can be used to encode
+ the given object properties.
+
+ The provided ID will always be a valid ID (even if o._id is `None`), in
+ case the `Encoder` _must_ have an ID. `needs_id` is a hint to indicate
+ to the `Encoder` if an ID must be written or not (if that is even an
+ option). If it is `True`, the `Encoder` must encode an ID for the
+ object. If `False`, the encoder is not required to encode an ID and may
+ omit it.
+
+ The ID will be either a fully qualified IRI, or a blank node IRI.
+
+ Properties will be written the object using `write_property`
+ """
+ pass
+
+ @abstractmethod
+ @contextmanager
+ def write_property(self, iri, compact=None):
+ """
+ Write object property
+
+ A context manager that yields an `Encoder` that can be used to encode
+ the value for the property with the given IRI in the current object
+
+ Note that the IRI will be fully qualified. If `compact` is provided and
+ the serialization supports compacted IRIs, it should be preferred to
+ the full IRI.
+ """
+ pass
+
+ @abstractmethod
+ @contextmanager
+ def write_list(self):
+ """
+ Write list
+
+ A context manager that yields an `Encoder` that can be used to encode a
+ list.
+
+ Each item of the list will be added using `write_list_item`
+ """
+ pass
+
+ @abstractmethod
+ @contextmanager
+ def write_list_item(self):
+ """
+ Write list item
+
+ A context manager that yields an `Encoder` that can be used to encode
+ the value for a list item
+ """
+ pass
+
+
+class JSONLDEncoder(Encoder):
+ def __init__(self, data=None):
+ self.data = data
+
+ def write_string(self, v):
+ self.data = v
+
+ def write_datetime(self, v):
+ self.data = v
+
+ def write_integer(self, v):
+ self.data = v
+
+ def write_iri(self, v, compact=None):
+ self.write_string(compact or v)
+
+ def write_enum(self, v, e, compact=None):
+ self.write_string(compact or v)
+
+ def write_bool(self, v):
+ self.data = v
+
+ def write_float(self, v):
+ self.data = str(v)
+
+ @contextmanager
+ def write_property(self, iri, compact=None):
+ s = self.__class__(None)
+ yield s
+ if s.data is not None:
+ self.data[compact or iri] = s.data
+
+ @contextmanager
+ def write_object(self, o, _id, needs_id):
+ self.data = {
+ "type": o.COMPACT_TYPE or o.TYPE,
+ }
+ if needs_id:
+ self.data[o.ID_ALIAS or "@id"] = _id
+ yield self
+
+ @contextmanager
+ def write_list(self):
+ self.data = []
+ yield self
+ if not self.data:
+ self.data = None
+
+ @contextmanager
+ def write_list_item(self):
+ s = self.__class__(None)
+ yield s
+ if s.data is not None:
+ self.data.append(s.data)
+
+
+class JSONLDSerializer(object):
+ def __init__(self, **args):
+ self.args = args
+
+ def serialize_data(
+ self,
+ objectset: SHACLObjectSet,
+ force_at_graph=False,
+ ):
+ h = JSONLDEncoder()
+ objectset.encode(h, force_at_graph)
+ data = {}
+ if len(CONTEXT_URLS) == 1:
+ data["@context"] = CONTEXT_URLS[0]
+ elif CONTEXT_URLS:
+ data["@context"] = CONTEXT_URLS
+
+ if isinstance(h.data, list):
+ data["@graph"] = h.data
+ else:
+ for k, v in h.data.items():
+ data[k] = v
+
+ return data
+
+ def write(
+ self,
+ objectset: SHACLObjectSet,
+ f,
+ force_at_graph=False,
+ **kwargs,
+ ):
+ """
+ Write a SHACLObjectSet to a JSON LD file
+
+ If force_at_graph is True, a @graph node will always be written
+ """
+ data = self.serialize_data(objectset, force_at_graph)
+
+ args = {**self.args, **kwargs}
+
+ sha1 = hashlib.sha1()
+ for chunk in json.JSONEncoder(**args).iterencode(data):
+ chunk = chunk.encode("utf-8")
+ f.write(chunk)
+ sha1.update(chunk)
+
+ return sha1.hexdigest()
+
+
+class JSONLDInlineEncoder(Encoder):
+ def __init__(self, f, sha1):
+ self.f = f
+ self.comma = False
+ self.sha1 = sha1
+
+ def write(self, s):
+ s = s.encode("utf-8")
+ self.f.write(s)
+ self.sha1.update(s)
+
+ def _write_comma(self):
+ if self.comma:
+ self.write(",")
+ self.comma = False
+
+ def write_string(self, v):
+ self.write(json.dumps(v))
+
+ def write_datetime(self, v):
+ self.write_string(v)
+
+ def write_integer(self, v):
+ self.write(f"{v}")
+
+ def write_iri(self, v, compact=None):
+ self.write_string(compact or v)
+
+ def write_enum(self, v, e, compact=None):
+ self.write_iri(v, compact)
+
+ def write_bool(self, v):
+ if v:
+ self.write("true")
+ else:
+ self.write("false")
+
+ def write_float(self, v):
+ self.write(json.dumps(str(v)))
+
+ @contextmanager
+ def write_property(self, iri, compact=None):
+ self._write_comma()
+ self.write_string(compact or iri)
+ self.write(":")
+ yield self
+ self.comma = True
+
+ @contextmanager
+ def write_object(self, o, _id, needs_id):
+ self._write_comma()
+
+ self.write("{")
+ self.write_string("type")
+ self.write(":")
+ self.write_string(o.COMPACT_TYPE or o.TYPE)
+ self.comma = True
+
+ if needs_id:
+ self._write_comma()
+ self.write_string(o.ID_ALIAS or "@id")
+ self.write(":")
+ self.write_string(_id)
+ self.comma = True
+
+ self.comma = True
+ yield self
+
+ self.write("}")
+ self.comma = True
+
+ @contextmanager
+ def write_list(self):
+ self._write_comma()
+ self.write("[")
+ yield self.__class__(self.f, self.sha1)
+ self.write("]")
+ self.comma = True
+
+ @contextmanager
+ def write_list_item(self):
+ self._write_comma()
+ yield self.__class__(self.f, self.sha1)
+ self.comma = True
+
+
+class JSONLDInlineSerializer(object):
+ def write(
+ self,
+ objectset: SHACLObjectSet,
+ f,
+ force_at_graph=False,
+ ):
+ """
+ Write a SHACLObjectSet to a JSON LD file
+
+ Note: force_at_graph is included for compatibility, but ignored. This
+ serializer always writes out a graph
+ """
+ sha1 = hashlib.sha1()
+ h = JSONLDInlineEncoder(f, sha1)
+ h.write('{"@context":')
+ if len(CONTEXT_URLS) == 1:
+ h.write(f'"{CONTEXT_URLS[0]}"')
+ elif CONTEXT_URLS:
+ h.write('["')
+ h.write('","'.join(CONTEXT_URLS))
+ h.write('"]')
+ h.write(",")
+
+ h.write('"@graph":')
+
+ objectset.encode(h, True)
+ h.write("}")
+ return sha1.hexdigest()
+
+
+def print_tree(objects, all_fields=False):
+ """
+ Print object tree
+ """
+ seen = set()
+
+ def callback(value, path):
+ nonlocal seen
+
+ s = (" " * (len(path) - 1)) + f"{path[-1]}"
+ if isinstance(value, SHACLObject):
+ s += f" {value} ({id(value)})"
+ is_empty = False
+ elif isinstance(value, ListProxy):
+ is_empty = len(value) == 0
+ if is_empty:
+ s += " []"
+ else:
+ s += f" {value!r}"
+ is_empty = value is None
+
+ if all_fields or not is_empty:
+ print(s)
+
+ if isinstance(value, SHACLObject):
+ if value in seen:
+ return False
+ seen.add(value)
+ return True
+
+ return True
+
+ for o in objects:
+ o.walk(callback)
+
+
+# fmt: off
+"""Format Guard"""
+
+
+CONTEXT_URLS = [
+ "https://spdx.github.io/spdx-spec/v3.0/model/spdx-context.jsonld",
+]
+
+
+# CLASSES
+# The class that contains properties to describe energy consumption incurred by an AI model in different stages of its lifecycle.
+@register("https://spdx.org/rdf/3.0.0/terms/AI/EnergyConsumption", "ai_EnergyConsumption")
+class ai_EnergyConsumption(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Specifies the amount of energy consumed when finetuning the AI model that is being used in the AI system.
+ cls._add_property(
+ "ai_finetuningEnergyConsumption",
+ ListProp(ObjectProp(ai_EnergyConsumptionDescription, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/finetuningEnergyConsumption",
+ compact="ai_finetuningEnergyConsumption",
+ )
+ # Specifies the amount of energy consumed during inference time by an AI model that is being used in the AI system.
+ cls._add_property(
+ "ai_inferenceEnergyConsumption",
+ ListProp(ObjectProp(ai_EnergyConsumptionDescription, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/inferenceEnergyConsumption",
+ compact="ai_inferenceEnergyConsumption",
+ )
+ # Specifies the amount of energy consumed when training the AI model that is being used in the AI system.
+ cls._add_property(
+ "ai_trainingEnergyConsumption",
+ ListProp(ObjectProp(ai_EnergyConsumptionDescription, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/trainingEnergyConsumption",
+ compact="ai_trainingEnergyConsumption",
+ )
+
+
+# The class that helps note down the quantity of energy consumption and the unit
+# used for measurement.
+@register("https://spdx.org/rdf/3.0.0/terms/AI/EnergyConsumptionDescription", "ai_EnergyConsumptionDescription")
+class ai_EnergyConsumptionDescription(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Represents the energy quantity.
+ cls._add_property(
+ "ai_energyQuantity",
+ FloatProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/energyQuantity",
+ min_count=1,
+ compact="ai_energyQuantity",
+ )
+ # Specifies the unit in which energy is measured.
+ cls._add_property(
+ "ai_energyUnit",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/AI/EnergyUnitType/kilowattHour", "kilowattHour"),
+ ("https://spdx.org/rdf/3.0.0/terms/AI/EnergyUnitType/megajoule", "megajoule"),
+ ("https://spdx.org/rdf/3.0.0/terms/AI/EnergyUnitType/other", "other"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/energyUnit",
+ min_count=1,
+ compact="ai_energyUnit",
+ )
+
+
+# Specifies the unit of energy consumption.
+@register("https://spdx.org/rdf/3.0.0/terms/AI/EnergyUnitType", "ai_EnergyUnitType")
+class ai_EnergyUnitType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "kilowattHour": "https://spdx.org/rdf/3.0.0/terms/AI/EnergyUnitType/kilowattHour",
+ "megajoule": "https://spdx.org/rdf/3.0.0/terms/AI/EnergyUnitType/megajoule",
+ "other": "https://spdx.org/rdf/3.0.0/terms/AI/EnergyUnitType/other",
+ }
+ # Kilowatt-hour.
+ kilowattHour = "https://spdx.org/rdf/3.0.0/terms/AI/EnergyUnitType/kilowattHour"
+ # Megajoule.
+ megajoule = "https://spdx.org/rdf/3.0.0/terms/AI/EnergyUnitType/megajoule"
+ # Any other units of energy measurement.
+ other = "https://spdx.org/rdf/3.0.0/terms/AI/EnergyUnitType/other"
+
+
+# Specifies the safety risk level.
+@register("https://spdx.org/rdf/3.0.0/terms/AI/SafetyRiskAssessmentType", "ai_SafetyRiskAssessmentType")
+class ai_SafetyRiskAssessmentType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "high": "https://spdx.org/rdf/3.0.0/terms/AI/SafetyRiskAssessmentType/high",
+ "low": "https://spdx.org/rdf/3.0.0/terms/AI/SafetyRiskAssessmentType/low",
+ "medium": "https://spdx.org/rdf/3.0.0/terms/AI/SafetyRiskAssessmentType/medium",
+ "serious": "https://spdx.org/rdf/3.0.0/terms/AI/SafetyRiskAssessmentType/serious",
+ }
+ # The second-highest level of risk posed by an AI system.
+ high = "https://spdx.org/rdf/3.0.0/terms/AI/SafetyRiskAssessmentType/high"
+ # Low/no risk is posed by an AI system.
+ low = "https://spdx.org/rdf/3.0.0/terms/AI/SafetyRiskAssessmentType/low"
+ # The third-highest level of risk posed by an AI system.
+ medium = "https://spdx.org/rdf/3.0.0/terms/AI/SafetyRiskAssessmentType/medium"
+ # The highest level of risk posed by an AI system.
+ serious = "https://spdx.org/rdf/3.0.0/terms/AI/SafetyRiskAssessmentType/serious"
+
+
+# Specifies the type of an annotation.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/AnnotationType", "AnnotationType")
+class AnnotationType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "other": "https://spdx.org/rdf/3.0.0/terms/Core/AnnotationType/other",
+ "review": "https://spdx.org/rdf/3.0.0/terms/Core/AnnotationType/review",
+ }
+ # Used to store extra information about an Element which is not part of a Review (e.g. extra information provided during the creation of the Element).
+ other = "https://spdx.org/rdf/3.0.0/terms/Core/AnnotationType/other"
+ # Used when someone reviews the Element.
+ review = "https://spdx.org/rdf/3.0.0/terms/Core/AnnotationType/review"
+
+
+# Provides information about the creation of the Element.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/CreationInfo", "CreationInfo")
+class CreationInfo(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Provide consumers with comments by the creator of the Element about the Element.
+ cls._add_property(
+ "comment",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/comment",
+ compact="comment",
+ )
+ # Identifies when the Element was originally created.
+ cls._add_property(
+ "created",
+ DateTimeStampProp(pattern=r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/created",
+ min_count=1,
+ compact="created",
+ )
+ # Identifies who or what created the Element.
+ cls._add_property(
+ "createdBy",
+ ListProp(ObjectProp(Agent, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/createdBy",
+ min_count=1,
+ compact="createdBy",
+ )
+ # Identifies the tooling that was used during the creation of the Element.
+ cls._add_property(
+ "createdUsing",
+ ListProp(ObjectProp(Tool, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/createdUsing",
+ compact="createdUsing",
+ )
+ # Provides a reference number that can be used to understand how to parse and interpret an Element.
+ cls._add_property(
+ "specVersion",
+ StringProp(pattern=r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/specVersion",
+ min_count=1,
+ compact="specVersion",
+ )
+
+
+# A key with an associated value.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/DictionaryEntry", "DictionaryEntry")
+class DictionaryEntry(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # A key used in a generic key-value pair.
+ cls._add_property(
+ "key",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/key",
+ min_count=1,
+ compact="key",
+ )
+ # A value used in a generic key-value pair.
+ cls._add_property(
+ "value",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/value",
+ compact="value",
+ )
+
+
+# Base domain class from which all other SPDX-3.0 domain classes derive.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/Element", "Element")
+class Element(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Provide consumers with comments by the creator of the Element about the Element.
+ cls._add_property(
+ "comment",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/comment",
+ compact="comment",
+ )
+ # Provides information about the creation of the Element.
+ cls._add_property(
+ "creationInfo",
+ ObjectProp(CreationInfo, True),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/creationInfo",
+ min_count=1,
+ compact="creationInfo",
+ )
+ # Provides a detailed description of the Element.
+ cls._add_property(
+ "description",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/description",
+ compact="description",
+ )
+ # Specifies an Extension characterization of some aspect of an Element.
+ cls._add_property(
+ "extension",
+ ListProp(ObjectProp(extension_Extension, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/extension",
+ compact="extension",
+ )
+ # Provides a reference to a resource outside the scope of SPDX-3.0 content
+ # that uniquely identifies an Element.
+ cls._add_property(
+ "externalIdentifier",
+ ListProp(ObjectProp(ExternalIdentifier, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/externalIdentifier",
+ compact="externalIdentifier",
+ )
+ # Points to a resource outside the scope of the SPDX-3.0 content
+ # that provides additional characteristics of an Element.
+ cls._add_property(
+ "externalRef",
+ ListProp(ObjectProp(ExternalRef, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/externalRef",
+ compact="externalRef",
+ )
+ # Identifies the name of an Element as designated by the creator.
+ cls._add_property(
+ "name",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/name",
+ compact="name",
+ )
+ # A short description of an Element.
+ cls._add_property(
+ "summary",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/summary",
+ compact="summary",
+ )
+ # Provides an IntegrityMethod with which the integrity of an Element can be asserted.
+ cls._add_property(
+ "verifiedUsing",
+ ListProp(ObjectProp(IntegrityMethod, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/verifiedUsing",
+ compact="verifiedUsing",
+ )
+
+
+# A collection of Elements, not necessarily with unifying context.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/ElementCollection", "ElementCollection")
+class ElementCollection(Element):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Refers to one or more Elements that are part of an ElementCollection.
+ cls._add_property(
+ "element",
+ ListProp(ObjectProp(Element, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/element",
+ compact="element",
+ )
+ # Describes one a profile which the creator of this ElementCollection intends to conform to.
+ cls._add_property(
+ "profileConformance",
+ ListProp(EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/ai", "ai"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/build", "build"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/core", "core"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/dataset", "dataset"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/expandedLicensing", "expandedLicensing"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/extension", "extension"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/security", "security"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/simpleLicensing", "simpleLicensing"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/software", "software"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/usage", "usage"),
+ ])),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/profileConformance",
+ compact="profileConformance",
+ )
+ # This property is used to denote the root Element(s) of a tree of elements contained in an SBOM.
+ cls._add_property(
+ "rootElement",
+ ListProp(ObjectProp(Element, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/rootElement",
+ compact="rootElement",
+ )
+
+
+# A reference to a resource identifier defined outside the scope of SPDX-3.0 content that uniquely identifies an Element.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifier", "ExternalIdentifier")
+class ExternalIdentifier(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Provide consumers with comments by the creator of the Element about the Element.
+ cls._add_property(
+ "comment",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/comment",
+ compact="comment",
+ )
+ # Specifies the type of the external identifier.
+ cls._add_property(
+ "externalIdentifierType",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/cpe22", "cpe22"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/cpe23", "cpe23"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/cve", "cve"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/email", "email"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/gitoid", "gitoid"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/other", "other"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/packageUrl", "packageUrl"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/securityOther", "securityOther"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/swhid", "swhid"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/swid", "swid"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/urlScheme", "urlScheme"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/externalIdentifierType",
+ min_count=1,
+ compact="externalIdentifierType",
+ )
+ # Uniquely identifies an external element.
+ cls._add_property(
+ "identifier",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/identifier",
+ min_count=1,
+ compact="identifier",
+ )
+ # Provides the location for more information regarding an external identifier.
+ cls._add_property(
+ "identifierLocator",
+ ListProp(AnyURIProp()),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/identifierLocator",
+ compact="identifierLocator",
+ )
+ # An entity that is authorized to issue identification credentials.
+ cls._add_property(
+ "issuingAuthority",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/issuingAuthority",
+ compact="issuingAuthority",
+ )
+
+
+# Specifies the type of an external identifier.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType", "ExternalIdentifierType")
+class ExternalIdentifierType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "cpe22": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/cpe22",
+ "cpe23": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/cpe23",
+ "cve": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/cve",
+ "email": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/email",
+ "gitoid": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/gitoid",
+ "other": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/other",
+ "packageUrl": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/packageUrl",
+ "securityOther": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/securityOther",
+ "swhid": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/swhid",
+ "swid": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/swid",
+ "urlScheme": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/urlScheme",
+ }
+ # https://cpe.mitre.org/files/cpe-specification_2.2.pdf
+ cpe22 = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/cpe22"
+ # https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
+ cpe23 = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/cpe23"
+ # An identifier for a specific software flaw defined within the official CVE Dictionary and that conforms to the CVE specification as defined by https://csrc.nist.gov/glossary/term/cve_id.
+ cve = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/cve"
+ # https://datatracker.ietf.org/doc/html/rfc3696#section-3
+ email = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/email"
+ # https://www.iana.org/assignments/uri-schemes/prov/gitoid Gitoid stands for [Git Object ID](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) and a gitoid of type blob is a unique hash of a binary artifact. A gitoid may represent the software [Artifact ID](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-id) or the [OmniBOR Identifier](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-identifier) for the software artifact's associated [OmniBOR Document](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-document); this ambiguity exists because the OmniBOR Document is itself an artifact, and the gitoid of that artifact is its valid identifier. Omnibor is a minimalistic schema to describe software [Artifact Dependency Graphs](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-dependency-graph-adg). Gitoids calculated on software artifacts (Snippet, File, or Package Elements) should be recorded in the SPDX 3.0 SoftwareArtifact's ContentIdentifier property. Gitoids calculated on the OmniBOR Document (OmniBOR Identifiers) should be recorded in the SPDX 3.0 Element's ExternalIdentifier property.
+ gitoid = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/gitoid"
+ # Used when the type doesn't match any of the other options.
+ other = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/other"
+ # https://github.com/package-url/purl-spec
+ packageUrl = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/packageUrl"
+ # Used when there is a security related identifier of unspecified type.
+ securityOther = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/securityOther"
+ # SoftWare Hash IDentifier, persistent intrinsic identifiers for digital artifacts, such as files, trees (also known as directories or folders), commits, and other objects typically found in version control systems. The syntax of the identifiers is defined in the [SWHID specification](https://www.swhid.org/specification/v1.1/4.Syntax) and they typically look like `swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2`.
+ swhid = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/swhid"
+ # https://www.ietf.org/archive/id/draft-ietf-sacm-coswid-21.html#section-2.3
+ swid = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/swid"
+ # the scheme used in order to locate a resource https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
+ urlScheme = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalIdentifierType/urlScheme"
+
+
+# A map of Element identifiers that are used within a Document but defined external to that Document.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/ExternalMap", "ExternalMap")
+class ExternalMap(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Artifact representing a serialization instance of SPDX data containing the definition of a particular Element.
+ cls._add_property(
+ "definingArtifact",
+ ObjectProp(Artifact, False),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/definingArtifact",
+ compact="definingArtifact",
+ )
+ # Identifies an external Element used within a Document but defined external to that Document.
+ cls._add_property(
+ "externalSpdxId",
+ AnyURIProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/externalSpdxId",
+ min_count=1,
+ compact="externalSpdxId",
+ )
+ # Provides an indication of where to retrieve an external Element.
+ cls._add_property(
+ "locationHint",
+ AnyURIProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/locationHint",
+ compact="locationHint",
+ )
+ # Provides an IntegrityMethod with which the integrity of an Element can be asserted.
+ cls._add_property(
+ "verifiedUsing",
+ ListProp(ObjectProp(IntegrityMethod, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/verifiedUsing",
+ compact="verifiedUsing",
+ )
+
+
+# A reference to a resource outside the scope of SPDX-3.0 content related to an Element.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRef", "ExternalRef")
+class ExternalRef(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Provide consumers with comments by the creator of the Element about the Element.
+ cls._add_property(
+ "comment",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/comment",
+ compact="comment",
+ )
+ # Specifies the media type of an Element or Property.
+ cls._add_property(
+ "contentType",
+ StringProp(pattern=r"^[^\/]+\/[^\/]+$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/contentType",
+ compact="contentType",
+ )
+ # Specifies the type of the external reference.
+ cls._add_property(
+ "externalRefType",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/altDownloadLocation", "altDownloadLocation"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/altWebPage", "altWebPage"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/binaryArtifact", "binaryArtifact"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/bower", "bower"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/buildMeta", "buildMeta"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/buildSystem", "buildSystem"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/certificationReport", "certificationReport"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/chat", "chat"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/componentAnalysisReport", "componentAnalysisReport"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/cwe", "cwe"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/documentation", "documentation"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/dynamicAnalysisReport", "dynamicAnalysisReport"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/eolNotice", "eolNotice"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/exportControlAssessment", "exportControlAssessment"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/funding", "funding"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/issueTracker", "issueTracker"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/license", "license"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/mailingList", "mailingList"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/mavenCentral", "mavenCentral"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/metrics", "metrics"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/npm", "npm"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/nuget", "nuget"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/other", "other"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/privacyAssessment", "privacyAssessment"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/productMetadata", "productMetadata"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/purchaseOrder", "purchaseOrder"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/qualityAssessmentReport", "qualityAssessmentReport"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/releaseHistory", "releaseHistory"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/releaseNotes", "releaseNotes"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/riskAssessment", "riskAssessment"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/runtimeAnalysisReport", "runtimeAnalysisReport"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/secureSoftwareAttestation", "secureSoftwareAttestation"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityAdversaryModel", "securityAdversaryModel"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityAdvisory", "securityAdvisory"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityFix", "securityFix"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityOther", "securityOther"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityPenTestReport", "securityPenTestReport"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityPolicy", "securityPolicy"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityThreatModel", "securityThreatModel"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/socialMedia", "socialMedia"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/sourceArtifact", "sourceArtifact"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/staticAnalysisReport", "staticAnalysisReport"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/support", "support"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/vcs", "vcs"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/vulnerabilityDisclosureReport", "vulnerabilityDisclosureReport"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/vulnerabilityExploitabilityAssessment", "vulnerabilityExploitabilityAssessment"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/externalRefType",
+ compact="externalRefType",
+ )
+ # Provides the location of an external reference.
+ cls._add_property(
+ "locator",
+ ListProp(StringProp()),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/locator",
+ compact="locator",
+ )
+
+
+# Specifies the type of an external reference.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType", "ExternalRefType")
+class ExternalRefType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "altDownloadLocation": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/altDownloadLocation",
+ "altWebPage": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/altWebPage",
+ "binaryArtifact": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/binaryArtifact",
+ "bower": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/bower",
+ "buildMeta": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/buildMeta",
+ "buildSystem": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/buildSystem",
+ "certificationReport": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/certificationReport",
+ "chat": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/chat",
+ "componentAnalysisReport": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/componentAnalysisReport",
+ "cwe": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/cwe",
+ "documentation": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/documentation",
+ "dynamicAnalysisReport": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/dynamicAnalysisReport",
+ "eolNotice": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/eolNotice",
+ "exportControlAssessment": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/exportControlAssessment",
+ "funding": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/funding",
+ "issueTracker": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/issueTracker",
+ "license": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/license",
+ "mailingList": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/mailingList",
+ "mavenCentral": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/mavenCentral",
+ "metrics": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/metrics",
+ "npm": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/npm",
+ "nuget": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/nuget",
+ "other": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/other",
+ "privacyAssessment": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/privacyAssessment",
+ "productMetadata": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/productMetadata",
+ "purchaseOrder": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/purchaseOrder",
+ "qualityAssessmentReport": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/qualityAssessmentReport",
+ "releaseHistory": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/releaseHistory",
+ "releaseNotes": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/releaseNotes",
+ "riskAssessment": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/riskAssessment",
+ "runtimeAnalysisReport": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/runtimeAnalysisReport",
+ "secureSoftwareAttestation": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/secureSoftwareAttestation",
+ "securityAdversaryModel": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityAdversaryModel",
+ "securityAdvisory": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityAdvisory",
+ "securityFix": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityFix",
+ "securityOther": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityOther",
+ "securityPenTestReport": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityPenTestReport",
+ "securityPolicy": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityPolicy",
+ "securityThreatModel": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityThreatModel",
+ "socialMedia": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/socialMedia",
+ "sourceArtifact": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/sourceArtifact",
+ "staticAnalysisReport": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/staticAnalysisReport",
+ "support": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/support",
+ "vcs": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/vcs",
+ "vulnerabilityDisclosureReport": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/vulnerabilityDisclosureReport",
+ "vulnerabilityExploitabilityAssessment": "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/vulnerabilityExploitabilityAssessment",
+ }
+ # A reference to an alternative download location.
+ altDownloadLocation = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/altDownloadLocation"
+ # A reference to an alternative web page.
+ altWebPage = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/altWebPage"
+ # A reference to binary artifacts related to a package.
+ binaryArtifact = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/binaryArtifact"
+ # A reference to a bower package.
+ bower = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/bower"
+ # A reference build metadata related to a published package.
+ buildMeta = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/buildMeta"
+ # A reference build system used to create or publish the package.
+ buildSystem = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/buildSystem"
+ # A reference to a certification report for a package from an accredited/independent body.
+ certificationReport = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/certificationReport"
+ # A reference to the instant messaging system used by the maintainer for a package.
+ chat = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/chat"
+ # A reference to a Software Composition Analysis (SCA) report.
+ componentAnalysisReport = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/componentAnalysisReport"
+ # A reference to a source of software flaw defined within the official CWE Dictionary that conforms to the CWE specification as defined by https://csrc.nist.gov/glossary/term/common_weakness_enumeration.
+ cwe = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/cwe"
+ # A reference to the documentation for a package.
+ documentation = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/documentation"
+ # A reference to a dynamic analysis report for a package.
+ dynamicAnalysisReport = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/dynamicAnalysisReport"
+ # A reference to the End Of Sale (EOS) and/or End Of Life (EOL) information related to a package.
+ eolNotice = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/eolNotice"
+ # A reference to a export control assessment for a package.
+ exportControlAssessment = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/exportControlAssessment"
+ # A reference to funding information related to a package.
+ funding = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/funding"
+ # A reference to the issue tracker for a package.
+ issueTracker = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/issueTracker"
+ # A reference to additional license information related to an artifact.
+ license = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/license"
+ # A reference to the mailing list used by the maintainer for a package.
+ mailingList = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/mailingList"
+ # A reference to a maven repository artifact.
+ mavenCentral = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/mavenCentral"
+ # A reference to metrics related to package such as OpenSSF scorecards.
+ metrics = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/metrics"
+ # A reference to an npm package.
+ npm = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/npm"
+ # A reference to a nuget package.
+ nuget = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/nuget"
+ # Used when the type doesn't match any of the other options.
+ other = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/other"
+ # A reference to a privacy assessment for a package.
+ privacyAssessment = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/privacyAssessment"
+ # A reference to additional product metadata such as reference within organization's product catalog.
+ productMetadata = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/productMetadata"
+ # A reference to a purchase order for a package.
+ purchaseOrder = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/purchaseOrder"
+ # A reference to a quality assessment for a package.
+ qualityAssessmentReport = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/qualityAssessmentReport"
+ # A reference to a published list of releases for a package.
+ releaseHistory = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/releaseHistory"
+ # A reference to the release notes for a package.
+ releaseNotes = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/releaseNotes"
+ # A reference to a risk assessment for a package.
+ riskAssessment = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/riskAssessment"
+ # A reference to a runtime analysis report for a package.
+ runtimeAnalysisReport = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/runtimeAnalysisReport"
+ # A reference to information assuring that the software is developed using security practices as defined by [NIST SP 800-218 Secure Software Development Framework (SSDF) Version 1.1](https://csrc.nist.gov/pubs/sp/800/218/final) or [CISA Secure Software Development Attestation Form](https://www.cisa.gov/resources-tools/resources/secure-software-development-attestation-form).
+ secureSoftwareAttestation = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/secureSoftwareAttestation"
+ # A reference to the security adversary model for a package.
+ securityAdversaryModel = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityAdversaryModel"
+ # A reference to a published security advisory (where advisory as defined per ISO 29147:2018) that may affect one or more elements, e.g., vendor advisories or specific NVD entries.
+ securityAdvisory = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityAdvisory"
+ # A reference to the patch or source code that fixes a vulnerability.
+ securityFix = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityFix"
+ # A reference to related security information of unspecified type.
+ securityOther = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityOther"
+ # A reference to a [penetration test](https://en.wikipedia.org/wiki/Penetration_test) report for a package.
+ securityPenTestReport = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityPenTestReport"
+ # A reference to instructions for reporting newly discovered security vulnerabilities for a package.
+ securityPolicy = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityPolicy"
+ # A reference the [security threat model](https://en.wikipedia.org/wiki/Threat_model) for a package.
+ securityThreatModel = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/securityThreatModel"
+ # A reference to a social media channel for a package.
+ socialMedia = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/socialMedia"
+ # A reference to an artifact containing the sources for a package.
+ sourceArtifact = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/sourceArtifact"
+ # A reference to a static analysis report for a package.
+ staticAnalysisReport = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/staticAnalysisReport"
+ # A reference to the software support channel or other support information for a package.
+ support = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/support"
+ # A reference to a version control system related to a software artifact.
+ vcs = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/vcs"
+ # A reference to a Vulnerability Disclosure Report (VDR) which provides the software supplier's analysis and findings describing the impact (or lack of impact) that reported vulnerabilities have on packages or products in the supplier's SBOM as defined in [NIST SP 800-161](https://csrc.nist.gov/pubs/sp/800/161/r1/final).
+ vulnerabilityDisclosureReport = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/vulnerabilityDisclosureReport"
+ # A reference to a Vulnerability Exploitability eXchange (VEX) statement which provides information on whether a product is impacted by a specific vulnerability in an included package and, if affected, whether there are actions recommended to remediate. See also [NTIA VEX one-page summary](https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf).
+ vulnerabilityExploitabilityAssessment = "https://spdx.org/rdf/3.0.0/terms/Core/ExternalRefType/vulnerabilityExploitabilityAssessment"
+
+
+# A mathematical algorithm that maps data of arbitrary size to a bit string.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm", "HashAlgorithm")
+class HashAlgorithm(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "blake2b256": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/blake2b256",
+ "blake2b384": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/blake2b384",
+ "blake2b512": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/blake2b512",
+ "blake3": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/blake3",
+ "crystalsDilithium": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/crystalsDilithium",
+ "crystalsKyber": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/crystalsKyber",
+ "falcon": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/falcon",
+ "md2": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/md2",
+ "md4": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/md4",
+ "md5": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/md5",
+ "md6": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/md6",
+ "other": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/other",
+ "sha1": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha1",
+ "sha224": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha224",
+ "sha256": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha256",
+ "sha384": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha384",
+ "sha3_224": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha3_224",
+ "sha3_256": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha3_256",
+ "sha3_384": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha3_384",
+ "sha3_512": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha3_512",
+ "sha512": "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha512",
+ }
+ # blake2b algorithm with a digest size of 256 https://datatracker.ietf.org/doc/html/rfc7693#section-4
+ blake2b256 = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/blake2b256"
+ # blake2b algorithm with a digest size of 384 https://datatracker.ietf.org/doc/html/rfc7693#section-4
+ blake2b384 = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/blake2b384"
+ # blake2b algorithm with a digest size of 512 https://datatracker.ietf.org/doc/html/rfc7693#section-4
+ blake2b512 = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/blake2b512"
+ # https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf
+ blake3 = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/blake3"
+ # https://pq-crystals.org/dilithium/index.shtml
+ crystalsDilithium = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/crystalsDilithium"
+ # https://pq-crystals.org/kyber/index.shtml
+ crystalsKyber = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/crystalsKyber"
+ # https://falcon-sign.info/falcon.pdf
+ falcon = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/falcon"
+ # https://datatracker.ietf.org/doc/rfc1319/
+ md2 = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/md2"
+ # https://datatracker.ietf.org/doc/html/rfc1186
+ md4 = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/md4"
+ # https://datatracker.ietf.org/doc/html/rfc1321
+ md5 = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/md5"
+ # https://people.csail.mit.edu/rivest/pubs/RABCx08.pdf
+ md6 = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/md6"
+ # any hashing algorithm that does not exist in this list of entries
+ other = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/other"
+ # https://datatracker.ietf.org/doc/html/rfc3174
+ sha1 = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha1"
+ # secure hashing algorithm with a digest length of 224 https://datatracker.ietf.org/doc/html/draft-ietf-pkix-sha224-01
+ sha224 = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha224"
+ # secure hashing algorithm with a digest length of 256 https://www.rfc-editor.org/rfc/rfc4634
+ sha256 = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha256"
+ # secure hashing algorithm with a digest length of 384 https://www.rfc-editor.org/rfc/rfc4634
+ sha384 = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha384"
+ # sha3 with a digest length of 224 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
+ sha3_224 = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha3_224"
+ # sha3 with a digest length of 256 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
+ sha3_256 = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha3_256"
+ # sha3 with a digest length of 384 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
+ sha3_384 = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha3_384"
+ # sha3 with a digest length of 512 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
+ sha3_512 = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha3_512"
+ # secure hashing algorithm with a digest length of 512 https://www.rfc-editor.org/rfc/rfc4634
+ sha512 = "https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha512"
+
+
+# Provides an independently reproducible mechanism that permits verification of a specific Element.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/IntegrityMethod", "IntegrityMethod")
+class IntegrityMethod(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Provide consumers with comments by the creator of the Element about the Element.
+ cls._add_property(
+ "comment",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/comment",
+ compact="comment",
+ )
+
+
+# Provide an enumerated set of lifecycle phases that can provide context to relationships.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopeType", "LifecycleScopeType")
+class LifecycleScopeType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "build": "https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopeType/build",
+ "design": "https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopeType/design",
+ "development": "https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopeType/development",
+ "other": "https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopeType/other",
+ "runtime": "https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopeType/runtime",
+ "test": "https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopeType/test",
+ }
+ # A relationship has specific context implications during an element's build phase, during development.
+ build = "https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopeType/build"
+ # A relationship has specific context implications during an element's design.
+ design = "https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopeType/design"
+ # A relationship has specific context implications during development phase of an element.
+ development = "https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopeType/development"
+ # A relationship has other specific context information necessary to capture that the above set of enumerations does not handle.
+ other = "https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopeType/other"
+ # A relationship has specific context implications during the execution phase of an element.
+ runtime = "https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopeType/runtime"
+ # A relationship has specific context implications during an element's testing phase, during development.
+ test = "https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopeType/test"
+
+
+# A mapping between prefixes and namespace partial URIs.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/NamespaceMap", "NamespaceMap")
+class NamespaceMap(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Provides an unambiguous mechanism for conveying a URI fragment portion of an ElementID.
+ cls._add_property(
+ "namespace",
+ AnyURIProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/namespace",
+ min_count=1,
+ compact="namespace",
+ )
+ # A substitute for a URI.
+ cls._add_property(
+ "prefix",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/prefix",
+ min_count=1,
+ compact="prefix",
+ )
+
+
+# An SPDX version 2.X compatible verification method for software packages.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/PackageVerificationCode", "PackageVerificationCode")
+class PackageVerificationCode(IntegrityMethod):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Specifies the algorithm used for calculating the hash value.
+ cls._add_property(
+ "algorithm",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/blake2b256", "blake2b256"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/blake2b384", "blake2b384"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/blake2b512", "blake2b512"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/blake3", "blake3"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/crystalsDilithium", "crystalsDilithium"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/crystalsKyber", "crystalsKyber"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/falcon", "falcon"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/md2", "md2"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/md4", "md4"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/md5", "md5"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/md6", "md6"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/other", "other"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha1", "sha1"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha224", "sha224"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha256", "sha256"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha384", "sha384"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha3_224", "sha3_224"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha3_256", "sha3_256"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha3_384", "sha3_384"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha3_512", "sha3_512"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha512", "sha512"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/algorithm",
+ min_count=1,
+ compact="algorithm",
+ )
+ # The result of applying a hash algorithm to an Element.
+ cls._add_property(
+ "hashValue",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/hashValue",
+ min_count=1,
+ compact="hashValue",
+ )
+ # The relative file name of a file to be excluded from the `PackageVerificationCode`.
+ cls._add_property(
+ "packageVerificationCodeExcludedFile",
+ ListProp(StringProp()),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/packageVerificationCodeExcludedFile",
+ compact="packageVerificationCodeExcludedFile",
+ )
+
+
+# A tuple of two positive integers that define a range.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/PositiveIntegerRange", "PositiveIntegerRange")
+class PositiveIntegerRange(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Defines the beginning of a range.
+ cls._add_property(
+ "beginIntegerRange",
+ PositiveIntegerProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/beginIntegerRange",
+ min_count=1,
+ compact="beginIntegerRange",
+ )
+ # Defines the end of a range.
+ cls._add_property(
+ "endIntegerRange",
+ PositiveIntegerProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/endIntegerRange",
+ min_count=1,
+ compact="endIntegerRange",
+ )
+
+
+# Categories of presence or absence.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/PresenceType", "PresenceType")
+class PresenceType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "no": "https://spdx.org/rdf/3.0.0/terms/Core/PresenceType/no",
+ "noAssertion": "https://spdx.org/rdf/3.0.0/terms/Core/PresenceType/noAssertion",
+ "yes": "https://spdx.org/rdf/3.0.0/terms/Core/PresenceType/yes",
+ }
+ # Indicates absence of the field.
+ no = "https://spdx.org/rdf/3.0.0/terms/Core/PresenceType/no"
+ # Makes no assertion about the field.
+ noAssertion = "https://spdx.org/rdf/3.0.0/terms/Core/PresenceType/noAssertion"
+ # Indicates presence of the field.
+ yes = "https://spdx.org/rdf/3.0.0/terms/Core/PresenceType/yes"
+
+
+# Enumeration of the valid profiles.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType", "ProfileIdentifierType")
+class ProfileIdentifierType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "ai": "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/ai",
+ "build": "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/build",
+ "core": "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/core",
+ "dataset": "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/dataset",
+ "expandedLicensing": "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/expandedLicensing",
+ "extension": "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/extension",
+ "security": "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/security",
+ "simpleLicensing": "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/simpleLicensing",
+ "software": "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/software",
+ "usage": "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/usage",
+ }
+ # the element follows the AI profile specification
+ ai = "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/ai"
+ # the element follows the Build profile specification
+ build = "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/build"
+ # the element follows the Core profile specification
+ core = "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/core"
+ # the element follows the Dataset profile specification
+ dataset = "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/dataset"
+ # the element follows the expanded Licensing profile specification
+ expandedLicensing = "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/expandedLicensing"
+ # the element follows the Extension profile specification
+ extension = "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/extension"
+ # the element follows the Security profile specification
+ security = "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/security"
+ # the element follows the simple Licensing profile specification
+ simpleLicensing = "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/simpleLicensing"
+ # the element follows the Software profile specification
+ software = "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/software"
+ # the element follows the Usage profile specification
+ usage = "https://spdx.org/rdf/3.0.0/terms/Core/ProfileIdentifierType/usage"
+
+
+# Describes a relationship between one or more elements.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/Relationship", "Relationship")
+class Relationship(Element):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Provides information about the completeness of relationships.
+ cls._add_property(
+ "completeness",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipCompleteness/complete", "complete"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipCompleteness/incomplete", "incomplete"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipCompleteness/noAssertion", "noAssertion"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/completeness",
+ compact="completeness",
+ )
+ # Specifies the time from which an element is no longer applicable / valid.
+ cls._add_property(
+ "endTime",
+ DateTimeStampProp(pattern=r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/endTime",
+ compact="endTime",
+ )
+ # References the Element on the left-hand side of a relationship.
+ cls._add_property(
+ "from_",
+ ObjectProp(Element, True),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/from",
+ min_count=1,
+ compact="from",
+ )
+ # Information about the relationship between two Elements.
+ cls._add_property(
+ "relationshipType",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/affects", "affects"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/amendedBy", "amendedBy"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/ancestorOf", "ancestorOf"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/availableFrom", "availableFrom"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/configures", "configures"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/contains", "contains"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/coordinatedBy", "coordinatedBy"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/copiedTo", "copiedTo"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/delegatedTo", "delegatedTo"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/dependsOn", "dependsOn"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/descendantOf", "descendantOf"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/describes", "describes"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/doesNotAffect", "doesNotAffect"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/expandsTo", "expandsTo"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/exploitCreatedBy", "exploitCreatedBy"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/fixedBy", "fixedBy"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/fixedIn", "fixedIn"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/foundBy", "foundBy"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/generates", "generates"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasAddedFile", "hasAddedFile"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasAssessmentFor", "hasAssessmentFor"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasAssociatedVulnerability", "hasAssociatedVulnerability"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasConcludedLicense", "hasConcludedLicense"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDataFile", "hasDataFile"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDeclaredLicense", "hasDeclaredLicense"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDeletedFile", "hasDeletedFile"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDependencyManifest", "hasDependencyManifest"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDistributionArtifact", "hasDistributionArtifact"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDocumentation", "hasDocumentation"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDynamicLink", "hasDynamicLink"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasEvidence", "hasEvidence"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasExample", "hasExample"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasHost", "hasHost"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasInputs", "hasInputs"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasMetadata", "hasMetadata"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasOptionalComponent", "hasOptionalComponent"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasOptionalDependency", "hasOptionalDependency"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasOutputs", "hasOutputs"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasPrerequsite", "hasPrerequsite"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasProvidedDependency", "hasProvidedDependency"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasRequirement", "hasRequirement"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasSpecification", "hasSpecification"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasStaticLink", "hasStaticLink"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasTest", "hasTest"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasTestCase", "hasTestCase"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasVariant", "hasVariant"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/invokedBy", "invokedBy"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/modifiedBy", "modifiedBy"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/other", "other"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/packagedBy", "packagedBy"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/patchedBy", "patchedBy"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/publishedBy", "publishedBy"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/reportedBy", "reportedBy"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/republishedBy", "republishedBy"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/serializedInArtifact", "serializedInArtifact"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/testedOn", "testedOn"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/trainedOn", "trainedOn"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/underInvestigationFor", "underInvestigationFor"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/usesTool", "usesTool"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/relationshipType",
+ min_count=1,
+ compact="relationshipType",
+ )
+ # Specifies the time from which an element is applicable / valid.
+ cls._add_property(
+ "startTime",
+ DateTimeStampProp(pattern=r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/startTime",
+ compact="startTime",
+ )
+ # References an Element on the right-hand side of a relationship.
+ cls._add_property(
+ "to",
+ ListProp(ObjectProp(Element, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/to",
+ min_count=1,
+ compact="to",
+ )
+
+
+# Indicates whether a relationship is known to be complete, incomplete, or if no assertion is made with respect to relationship completeness.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipCompleteness", "RelationshipCompleteness")
+class RelationshipCompleteness(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "complete": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipCompleteness/complete",
+ "incomplete": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipCompleteness/incomplete",
+ "noAssertion": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipCompleteness/noAssertion",
+ }
+ # The relationship is known to be exhaustive.
+ complete = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipCompleteness/complete"
+ # The relationship is known not to be exhaustive.
+ incomplete = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipCompleteness/incomplete"
+ # No assertion can be made about the completeness of the relationship.
+ noAssertion = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipCompleteness/noAssertion"
+
+
+# Information about the relationship between two Elements.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType", "RelationshipType")
+class RelationshipType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "affects": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/affects",
+ "amendedBy": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/amendedBy",
+ "ancestorOf": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/ancestorOf",
+ "availableFrom": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/availableFrom",
+ "configures": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/configures",
+ "contains": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/contains",
+ "coordinatedBy": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/coordinatedBy",
+ "copiedTo": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/copiedTo",
+ "delegatedTo": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/delegatedTo",
+ "dependsOn": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/dependsOn",
+ "descendantOf": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/descendantOf",
+ "describes": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/describes",
+ "doesNotAffect": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/doesNotAffect",
+ "expandsTo": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/expandsTo",
+ "exploitCreatedBy": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/exploitCreatedBy",
+ "fixedBy": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/fixedBy",
+ "fixedIn": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/fixedIn",
+ "foundBy": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/foundBy",
+ "generates": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/generates",
+ "hasAddedFile": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasAddedFile",
+ "hasAssessmentFor": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasAssessmentFor",
+ "hasAssociatedVulnerability": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasAssociatedVulnerability",
+ "hasConcludedLicense": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasConcludedLicense",
+ "hasDataFile": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDataFile",
+ "hasDeclaredLicense": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDeclaredLicense",
+ "hasDeletedFile": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDeletedFile",
+ "hasDependencyManifest": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDependencyManifest",
+ "hasDistributionArtifact": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDistributionArtifact",
+ "hasDocumentation": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDocumentation",
+ "hasDynamicLink": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDynamicLink",
+ "hasEvidence": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasEvidence",
+ "hasExample": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasExample",
+ "hasHost": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasHost",
+ "hasInputs": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasInputs",
+ "hasMetadata": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasMetadata",
+ "hasOptionalComponent": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasOptionalComponent",
+ "hasOptionalDependency": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasOptionalDependency",
+ "hasOutputs": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasOutputs",
+ "hasPrerequsite": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasPrerequsite",
+ "hasProvidedDependency": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasProvidedDependency",
+ "hasRequirement": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasRequirement",
+ "hasSpecification": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasSpecification",
+ "hasStaticLink": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasStaticLink",
+ "hasTest": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasTest",
+ "hasTestCase": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasTestCase",
+ "hasVariant": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasVariant",
+ "invokedBy": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/invokedBy",
+ "modifiedBy": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/modifiedBy",
+ "other": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/other",
+ "packagedBy": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/packagedBy",
+ "patchedBy": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/patchedBy",
+ "publishedBy": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/publishedBy",
+ "reportedBy": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/reportedBy",
+ "republishedBy": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/republishedBy",
+ "serializedInArtifact": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/serializedInArtifact",
+ "testedOn": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/testedOn",
+ "trainedOn": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/trainedOn",
+ "underInvestigationFor": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/underInvestigationFor",
+ "usesTool": "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/usesTool",
+ }
+ # (Security/VEX) The `from` vulnerability affect each `to` Element
+ affects = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/affects"
+ # The `from` Element is amended by each `to` Element
+ amendedBy = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/amendedBy"
+ # The `from` Element is an ancestor of each `to` Element
+ ancestorOf = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/ancestorOf"
+ # The `from` Element is available from the additional supplier described by each `to` Element
+ availableFrom = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/availableFrom"
+ # The `from` Element is a configuration applied to each `to` Element during a LifecycleScopeType period
+ configures = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/configures"
+ # The `from` Element contains each `to` Element
+ contains = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/contains"
+ # (Security) The `from` Vulnerability is coordinatedBy the `to` Agent(s) (vendor, researcher, or consumer agent)
+ coordinatedBy = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/coordinatedBy"
+ # The `from` Element has been copied to each `to` Element
+ copiedTo = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/copiedTo"
+ # The `from` Agent is delegating an action to the Agent of the `to` Relationship (which must be of type invokedBy) during a LifecycleScopeType. (e.g. the `to` invokedBy Relationship is being done on behalf of `from`)
+ delegatedTo = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/delegatedTo"
+ # The `from` Element depends on each `to` Element during a LifecycleScopeType period.
+ dependsOn = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/dependsOn"
+ # The `from` Element is a descendant of each `to` Element
+ descendantOf = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/descendantOf"
+ # The `from` Element describes each `to` Element. To denote the root(s) of a tree of elements in a collection, the rootElement property should be used.
+ describes = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/describes"
+ # (Security/VEX) The `from` Vulnerability has no impact on each `to` Element
+ doesNotAffect = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/doesNotAffect"
+ # The `from` archive expands out as an artifact described by each `to` Element
+ expandsTo = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/expandsTo"
+ # (Security) The `from` Vulnerability has had an exploit created against it by each `to` Agent
+ exploitCreatedBy = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/exploitCreatedBy"
+ # (Security) Designates a `from` Vulnerability has been fixed by the `to` Agent(s)
+ fixedBy = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/fixedBy"
+ # (Security/VEX) A `from` Vulnerability has been fixed in each of the `to` Element(s)
+ fixedIn = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/fixedIn"
+ # (Security) Designates a `from` Vulnerability was originally discovered by the `to` Agent(s)
+ foundBy = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/foundBy"
+ # The `from` Element generates each `to` Element
+ generates = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/generates"
+ # Every `to` Element is is a file added to the `from` Element (`from` hasAddedFile `to`)
+ hasAddedFile = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasAddedFile"
+ # (Security) Relates a `from` Vulnerability and each `to` Element(s) with a security assessment. To be used with `VulnAssessmentRelationship` types
+ hasAssessmentFor = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasAssessmentFor"
+ # (Security) Used to associate a `from` Artifact with each `to` Vulnerability
+ hasAssociatedVulnerability = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasAssociatedVulnerability"
+ # The `from` Software Artifact is concluded by the SPDX data creator to be governed by each `to` license
+ hasConcludedLicense = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasConcludedLicense"
+ # The `from` Element treats each `to` Element as a data file
+ hasDataFile = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDataFile"
+ # The `from` Software Artifact was discovered to actually contain each `to` license, for example as detected by use of automated tooling.
+ hasDeclaredLicense = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDeclaredLicense"
+ # Every `to` Element is a file deleted from the `from` Element (`from` hasDeletedFile `to`)
+ hasDeletedFile = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDeletedFile"
+ # The `from` Element has manifest files that contain dependency information in each `to` Element
+ hasDependencyManifest = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDependencyManifest"
+ # The `from` Element is distributed as an artifact in each Element `to`, (e.g. an RPM or archive file)
+ hasDistributionArtifact = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDistributionArtifact"
+ # The `from` Element is documented by each `to` Element
+ hasDocumentation = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDocumentation"
+ # The `from` Element dynamically links in each `to` Element, during a LifecycleScopeType period.
+ hasDynamicLink = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasDynamicLink"
+ # (Dataset) Every `to` Element is considered as evidence for the `from` Element (`from` hasEvidence `to`)
+ hasEvidence = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasEvidence"
+ # Every `to` Element is an example for the `from` Element (`from` hasExample `to`)
+ hasExample = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasExample"
+ # The `from` Build was run on the `to` Element during a LifecycleScopeType period (e.g. The host that the build runs on)
+ hasHost = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasHost"
+ # The `from` Build has each `to` Elements as an input during a LifecycleScopeType period.
+ hasInputs = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasInputs"
+ # Every `to` Element is metadata about the `from` Element (`from` hasMetadata `to`)
+ hasMetadata = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasMetadata"
+ # Every `to` Element is an optional component of the `from` Element (`from` hasOptionalComponent` `to`)
+ hasOptionalComponent = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasOptionalComponent"
+ # The `from` Element optionally depends on each `to` Element during a LifecycleScopeType period
+ hasOptionalDependency = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasOptionalDependency"
+ # The `from` Build element generates each `to` Element as an output during a LifecycleScopeType period.
+ hasOutputs = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasOutputs"
+ # The `from` Element has a prerequsite on each `to` Element, during a LifecycleScopeType period
+ hasPrerequsite = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasPrerequsite"
+ # The `from` Element has a dependency on each `to` Element, but dependency is not in the distributed artifact, but assumed to be provided, during a LifecycleScopeType period
+ hasProvidedDependency = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasProvidedDependency"
+ # The `from` Element has a requirement on each `to` Element, during a LifecycleScopeType period
+ hasRequirement = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasRequirement"
+ # Every `to` Element is a specification for the `from` Element (`from` hasSpecification `to`), during a LifecycleScopeType period
+ hasSpecification = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasSpecification"
+ # The `from` Element statically links in each `to` Element, during a LifecycleScopeType period
+ hasStaticLink = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasStaticLink"
+ # Every `to` Element is a test artifact for the `from` Element (`from` hasTest `to`), during a LifecycleScopeType period
+ hasTest = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasTest"
+ # Every `to` Element is a test case for the `from` Element (`from` hasTestCase `to`)
+ hasTestCase = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasTestCase"
+ # Every `to` Element is a variant the `from` Element (`from` hasVariant `to`)
+ hasVariant = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/hasVariant"
+ # The `from` Element was invoked by the `to` Agent during a LifecycleScopeType period (for example, a Build element that describes a build step)
+ invokedBy = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/invokedBy"
+ # The `from` Element is modified by each `to` Element
+ modifiedBy = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/modifiedBy"
+ # Every `to` Element is related to the `from` Element where the relationship type is not described by any of the SPDX relationhip types (this relationship is directionless)
+ other = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/other"
+ # Every `to` Element is a packaged instance of the `from` Element (`from` packagedBy `to`)
+ packagedBy = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/packagedBy"
+ # Every `to` Element is a patch for the `from` Element (`from` patchedBy `to`)
+ patchedBy = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/patchedBy"
+ # (Security) Designates a `from` Vulnerability was made available for public use or reference by each `to` Agent
+ publishedBy = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/publishedBy"
+ # (Security) Designates a `from` Vulnerability was first reported to a project, vendor, or tracking database for formal identification by each `to` Agent
+ reportedBy = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/reportedBy"
+ # (Security) Designates a `from` Vulnerability's details were tracked, aggregated, and/or enriched to improve context (i.e. NVD) by a `to` Agent(s)
+ republishedBy = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/republishedBy"
+ # The `from` SPDXDocument can be found in a serialized form in each `to` Artifact
+ serializedInArtifact = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/serializedInArtifact"
+ # (AI, Dataset) The `from` Element has been tested on the `to` Element
+ testedOn = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/testedOn"
+ # (AI, Dataset) The `from` Element has been trained by the `to` Element(s)
+ trainedOn = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/trainedOn"
+ # (Security/VEX) The `from` Vulnerability impact is being investigated for each `to` Element
+ underInvestigationFor = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/underInvestigationFor"
+ # The `from` Element uses each `to` Element as a tool during a LifecycleScopeType period.
+ usesTool = "https://spdx.org/rdf/3.0.0/terms/Core/RelationshipType/usesTool"
+
+
+# A collection of SPDX Elements that could potentially be serialized.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/SpdxDocument", "SpdxDocument")
+class SpdxDocument(ElementCollection):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Provides the license under which the SPDX documentation of the Element can be used.
+ cls._add_property(
+ "dataLicense",
+ ObjectProp(simplelicensing_AnyLicenseInfo, False),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/dataLicense",
+ compact="dataLicense",
+ )
+ # Provides an ExternalMap of Element identifiers.
+ cls._add_property(
+ "imports",
+ ListProp(ObjectProp(ExternalMap, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/imports",
+ compact="imports",
+ )
+ # Provides a NamespaceMap of prefixes and associated namespace partial URIs applicable to an SpdxDocument and independent of any specific serialization format or instance.
+ cls._add_property(
+ "namespaceMap",
+ ListProp(ObjectProp(NamespaceMap, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/namespaceMap",
+ compact="namespaceMap",
+ )
+
+
+# Indicates the type of support that is associated with an artifact.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/SupportType", "SupportType")
+class SupportType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "deployed": "https://spdx.org/rdf/3.0.0/terms/Core/SupportType/deployed",
+ "development": "https://spdx.org/rdf/3.0.0/terms/Core/SupportType/development",
+ "endOfSupport": "https://spdx.org/rdf/3.0.0/terms/Core/SupportType/endOfSupport",
+ "limitedSupport": "https://spdx.org/rdf/3.0.0/terms/Core/SupportType/limitedSupport",
+ "noAssertion": "https://spdx.org/rdf/3.0.0/terms/Core/SupportType/noAssertion",
+ "noSupport": "https://spdx.org/rdf/3.0.0/terms/Core/SupportType/noSupport",
+ "support": "https://spdx.org/rdf/3.0.0/terms/Core/SupportType/support",
+ }
+ # in addition to being supported by the supplier, the software is known to have been deployed and is in use. For a software as a service provider, this implies the software is now available as a service.
+ deployed = "https://spdx.org/rdf/3.0.0/terms/Core/SupportType/deployed"
+ # the artifact is in active development and is not considered ready for formal support from the supplier.
+ development = "https://spdx.org/rdf/3.0.0/terms/Core/SupportType/development"
+ # there is a defined end of support for the artifact from the supplier. This may also be referred to as end of life. There is a validUntilDate that can be used to signal when support ends for the artifact.
+ endOfSupport = "https://spdx.org/rdf/3.0.0/terms/Core/SupportType/endOfSupport"
+ # the artifact has been released, and there is limited support available from the supplier. There is a validUntilDate that can provide additional information about the duration of support.
+ limitedSupport = "https://spdx.org/rdf/3.0.0/terms/Core/SupportType/limitedSupport"
+ # no assertion about the type of support is made. This is considered the default if no other support type is used.
+ noAssertion = "https://spdx.org/rdf/3.0.0/terms/Core/SupportType/noAssertion"
+ # there is no support for the artifact from the supplier, consumer assumes any support obligations.
+ noSupport = "https://spdx.org/rdf/3.0.0/terms/Core/SupportType/noSupport"
+ # the artifact has been released, and is supported from the supplier. There is a validUntilDate that can provide additional information about the duration of support.
+ support = "https://spdx.org/rdf/3.0.0/terms/Core/SupportType/support"
+
+
+# An element of hardware and/or software utilized to carry out a particular function.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/Tool", "Tool")
+class Tool(Element):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+
+# Categories of confidentiality level.
+@register("https://spdx.org/rdf/3.0.0/terms/Dataset/ConfidentialityLevelType", "dataset_ConfidentialityLevelType")
+class dataset_ConfidentialityLevelType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "amber": "https://spdx.org/rdf/3.0.0/terms/Dataset/ConfidentialityLevelType/amber",
+ "clear": "https://spdx.org/rdf/3.0.0/terms/Dataset/ConfidentialityLevelType/clear",
+ "green": "https://spdx.org/rdf/3.0.0/terms/Dataset/ConfidentialityLevelType/green",
+ "red": "https://spdx.org/rdf/3.0.0/terms/Dataset/ConfidentialityLevelType/red",
+ }
+ # Data points in the dataset can be shared only with specific organizations and their clients on a need to know basis.
+ amber = "https://spdx.org/rdf/3.0.0/terms/Dataset/ConfidentialityLevelType/amber"
+ # Dataset may be distributed freely, without restriction.
+ clear = "https://spdx.org/rdf/3.0.0/terms/Dataset/ConfidentialityLevelType/clear"
+ # Dataset can be shared within a community of peers and partners.
+ green = "https://spdx.org/rdf/3.0.0/terms/Dataset/ConfidentialityLevelType/green"
+ # Data points in the dataset are highly confidential and can only be shared with named recipients.
+ red = "https://spdx.org/rdf/3.0.0/terms/Dataset/ConfidentialityLevelType/red"
+
+
+# Availability of dataset
+@register("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetAvailabilityType", "dataset_DatasetAvailabilityType")
+class dataset_DatasetAvailabilityType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "clickthrough": "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetAvailabilityType/clickthrough",
+ "directDownload": "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetAvailabilityType/directDownload",
+ "query": "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetAvailabilityType/query",
+ "registration": "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetAvailabilityType/registration",
+ "scrapingScript": "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetAvailabilityType/scrapingScript",
+ }
+ # the dataset is not publicly available and can only be accessed after affirmatively accepting terms on a clickthrough webpage.
+ clickthrough = "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetAvailabilityType/clickthrough"
+ # the dataset is publicly available and can be downloaded directly.
+ directDownload = "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetAvailabilityType/directDownload"
+ # the dataset is publicly available, but not all at once, and can only be accessed through queries which return parts of the dataset.
+ query = "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetAvailabilityType/query"
+ # the dataset is not publicly available and an email registration is required before accessing the dataset, although without an affirmative acceptance of terms.
+ registration = "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetAvailabilityType/registration"
+ # the dataset provider is not making available the underlying data and the dataset must be reassembled, typically using the provided script for scraping the data.
+ scrapingScript = "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetAvailabilityType/scrapingScript"
+
+
+# Enumeration of dataset types.
+@register("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType", "dataset_DatasetType")
+class dataset_DatasetType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "audio": "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/audio",
+ "categorical": "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/categorical",
+ "graph": "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/graph",
+ "image": "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/image",
+ "noAssertion": "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/noAssertion",
+ "numeric": "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/numeric",
+ "other": "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/other",
+ "sensor": "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/sensor",
+ "structured": "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/structured",
+ "syntactic": "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/syntactic",
+ "text": "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/text",
+ "timeseries": "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/timeseries",
+ "timestamp": "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/timestamp",
+ "video": "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/video",
+ }
+ # data is audio based, such as a collection of music from the 80s.
+ audio = "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/audio"
+ # data that is classified into a discrete number of categories, such as the eye color of a population of people.
+ categorical = "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/categorical"
+ # data is in the form of a graph where entries are somehow related to each other through edges, such a social network of friends.
+ graph = "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/graph"
+ # data is a collection of images such as pictures of animals.
+ image = "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/image"
+ # data type is not known.
+ noAssertion = "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/noAssertion"
+ # data consists only of numeric entries.
+ numeric = "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/numeric"
+ # data is of a type not included in this list.
+ other = "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/other"
+ # data is recorded from a physical sensor, such as a thermometer reading or biometric device.
+ sensor = "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/sensor"
+ # data is stored in tabular format or retrieved from a relational database.
+ structured = "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/structured"
+ # data describes the syntax or semantics of a language or text, such as a parse tree used for natural language processing.
+ syntactic = "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/syntactic"
+ # data consists of unstructured text, such as a book, Wikipedia article (without images), or transcript.
+ text = "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/text"
+ # data is recorded in an ordered sequence of timestamped entries, such as the price of a stock over the course of a day.
+ timeseries = "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/timeseries"
+ # data is recorded with a timestamp for each entry, but not necessarily ordered or at specific intervals, such as when a taxi ride starts and ends.
+ timestamp = "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/timestamp"
+ # data is video based, such as a collection of movie clips featuring Tom Hanks.
+ video = "https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/video"
+
+
+# Abstract class for additional text intended to be added to a License, but
+# which is not itself a standalone License.
+@register("https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/LicenseAddition", "expandedlicensing_LicenseAddition")
+class expandedlicensing_LicenseAddition(Element):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Identifies the full text of a LicenseAddition.
+ cls._add_property(
+ "expandedlicensing_additionText",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/additionText",
+ min_count=1,
+ compact="expandedlicensing_additionText",
+ )
+ # Specifies whether an additional text identifier has been marked as deprecated.
+ cls._add_property(
+ "expandedlicensing_isDeprecatedAdditionId",
+ BooleanProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/isDeprecatedAdditionId",
+ compact="expandedlicensing_isDeprecatedAdditionId",
+ )
+ # Identifies all the text and metadata associated with a license in the license XML format.
+ cls._add_property(
+ "expandedlicensing_licenseXml",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/licenseXml",
+ compact="expandedlicensing_licenseXml",
+ )
+ # Specifies the licenseId that is preferred to be used in place of a deprecated
+ # License or LicenseAddition.
+ cls._add_property(
+ "expandedlicensing_obsoletedBy",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/obsoletedBy",
+ compact="expandedlicensing_obsoletedBy",
+ )
+ # Contains a URL where the License or LicenseAddition can be found in use.
+ cls._add_property(
+ "expandedlicensing_seeAlso",
+ ListProp(AnyURIProp()),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/seeAlso",
+ compact="expandedlicensing_seeAlso",
+ )
+ # Identifies the full text of a LicenseAddition, in SPDX templating format.
+ cls._add_property(
+ "expandedlicensing_standardAdditionTemplate",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/standardAdditionTemplate",
+ compact="expandedlicensing_standardAdditionTemplate",
+ )
+
+
+# A license exception that is listed on the SPDX Exceptions list.
+@register("https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/ListedLicenseException", "expandedlicensing_ListedLicenseException")
+class expandedlicensing_ListedLicenseException(expandedlicensing_LicenseAddition):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Specifies the SPDX License List version in which this license or exception
+ # identifier was deprecated.
+ cls._add_property(
+ "expandedlicensing_deprecatedVersion",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/deprecatedVersion",
+ compact="expandedlicensing_deprecatedVersion",
+ )
+ # Specifies the SPDX License List version in which this ListedLicense or
+ # ListedLicenseException identifier was first added.
+ cls._add_property(
+ "expandedlicensing_listVersionAdded",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/listVersionAdded",
+ compact="expandedlicensing_listVersionAdded",
+ )
+
+
+# A property name with an associated value.
+@register("https://spdx.org/rdf/3.0.0/terms/Extension/CdxPropertyEntry", "extension_CdxPropertyEntry")
+class extension_CdxPropertyEntry(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # A name used in a CdxExtension name-value pair.
+ cls._add_property(
+ "extension_cdxPropName",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Extension/cdxPropName",
+ min_count=1,
+ compact="extension_cdxPropName",
+ )
+ # A value used in a CdxExtension name-value pair.
+ cls._add_property(
+ "extension_cdxPropValue",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Extension/cdxPropValue",
+ compact="extension_cdxPropValue",
+ )
+
+
+# A characterization of some aspect of an Element that is associated with the Element in a generalized fashion.
+@register("https://spdx.org/rdf/3.0.0/terms/Extension/Extension", "extension_Extension")
+class extension_Extension(SHACLExtensibleObject, SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ }
+
+
+# Specifies the CVSS base, temporal, threat, or environmental severity type.
+@register("https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType", "security_CvssSeverityType")
+class security_CvssSeverityType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "critical": "https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/critical",
+ "high": "https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/high",
+ "low": "https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/low",
+ "medium": "https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/medium",
+ "none": "https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/none",
+ }
+ # When a CVSS score is between 9.0 - 10.0
+ critical = "https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/critical"
+ # When a CVSS score is between 7.0 - 8.9
+ high = "https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/high"
+ # When a CVSS score is between 0 - 3.9
+ low = "https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/low"
+ # When a CVSS score is between 4 - 6.9
+ medium = "https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/medium"
+ # When a CVSS score is 0
+ none = "https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/none"
+
+
+# Specifies the exploit catalog type.
+@register("https://spdx.org/rdf/3.0.0/terms/Security/ExploitCatalogType", "security_ExploitCatalogType")
+class security_ExploitCatalogType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "kev": "https://spdx.org/rdf/3.0.0/terms/Security/ExploitCatalogType/kev",
+ "other": "https://spdx.org/rdf/3.0.0/terms/Security/ExploitCatalogType/other",
+ }
+ # CISA's Known Exploited Vulnerability (KEV) Catalog
+ kev = "https://spdx.org/rdf/3.0.0/terms/Security/ExploitCatalogType/kev"
+ # Other exploit catalogs
+ other = "https://spdx.org/rdf/3.0.0/terms/Security/ExploitCatalogType/other"
+
+
+# Specifies the SSVC decision type.
+@register("https://spdx.org/rdf/3.0.0/terms/Security/SsvcDecisionType", "security_SsvcDecisionType")
+class security_SsvcDecisionType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "act": "https://spdx.org/rdf/3.0.0/terms/Security/SsvcDecisionType/act",
+ "attend": "https://spdx.org/rdf/3.0.0/terms/Security/SsvcDecisionType/attend",
+ "track": "https://spdx.org/rdf/3.0.0/terms/Security/SsvcDecisionType/track",
+ "trackStar": "https://spdx.org/rdf/3.0.0/terms/Security/SsvcDecisionType/trackStar",
+ }
+ # The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible.
+ act = "https://spdx.org/rdf/3.0.0/terms/Security/SsvcDecisionType/act"
+ # The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions include requesting assistance or information about the vulnerability, and may involve publishing a notification either internally and/or externally. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines.
+ attend = "https://spdx.org/rdf/3.0.0/terms/Security/SsvcDecisionType/attend"
+ # The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines.
+ track = "https://spdx.org/rdf/3.0.0/terms/Security/SsvcDecisionType/track"
+ # (Track* in the SSVC spec) The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines.
+ trackStar = "https://spdx.org/rdf/3.0.0/terms/Security/SsvcDecisionType/trackStar"
+
+
+# Specifies the VEX justification type.
+@register("https://spdx.org/rdf/3.0.0/terms/Security/VexJustificationType", "security_VexJustificationType")
+class security_VexJustificationType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "componentNotPresent": "https://spdx.org/rdf/3.0.0/terms/Security/VexJustificationType/componentNotPresent",
+ "inlineMitigationsAlreadyExist": "https://spdx.org/rdf/3.0.0/terms/Security/VexJustificationType/inlineMitigationsAlreadyExist",
+ "vulnerableCodeCannotBeControlledByAdversary": "https://spdx.org/rdf/3.0.0/terms/Security/VexJustificationType/vulnerableCodeCannotBeControlledByAdversary",
+ "vulnerableCodeNotInExecutePath": "https://spdx.org/rdf/3.0.0/terms/Security/VexJustificationType/vulnerableCodeNotInExecutePath",
+ "vulnerableCodeNotPresent": "https://spdx.org/rdf/3.0.0/terms/Security/VexJustificationType/vulnerableCodeNotPresent",
+ }
+ # The software is not affected because the vulnerable component is not in the product.
+ componentNotPresent = "https://spdx.org/rdf/3.0.0/terms/Security/VexJustificationType/componentNotPresent"
+ # Built-in inline controls or mitigations prevent an adversary from leveraging the vulnerability.
+ inlineMitigationsAlreadyExist = "https://spdx.org/rdf/3.0.0/terms/Security/VexJustificationType/inlineMitigationsAlreadyExist"
+ # The vulnerable component is present, and the component contains the vulnerable code. However, vulnerable code is used in such a way that an attacker cannot mount any anticipated attack.
+ vulnerableCodeCannotBeControlledByAdversary = "https://spdx.org/rdf/3.0.0/terms/Security/VexJustificationType/vulnerableCodeCannotBeControlledByAdversary"
+ # The affected code is not reachable through the execution of the code, including non-anticipated states of the product.
+ vulnerableCodeNotInExecutePath = "https://spdx.org/rdf/3.0.0/terms/Security/VexJustificationType/vulnerableCodeNotInExecutePath"
+ # The product is not affected because the code underlying the vulnerability is not present in the product.
+ vulnerableCodeNotPresent = "https://spdx.org/rdf/3.0.0/terms/Security/VexJustificationType/vulnerableCodeNotPresent"
+
+
+# Abstract ancestor class for all vulnerability assessments
+@register("https://spdx.org/rdf/3.0.0/terms/Security/VulnAssessmentRelationship", "security_VulnAssessmentRelationship")
+class security_VulnAssessmentRelationship(Relationship):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Identifies who or what supplied the artifact or VulnAssessmentRelationship referenced by the Element.
+ cls._add_property(
+ "suppliedBy",
+ ObjectProp(Agent, False),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/suppliedBy",
+ compact="suppliedBy",
+ )
+ # Specifies an element contained in a piece of software where a vulnerability was
+ # found.
+ cls._add_property(
+ "security_assessedElement",
+ ObjectProp(Element, False),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/assessedElement",
+ compact="security_assessedElement",
+ )
+ # Specifies a time when a vulnerability assessment was modified
+ cls._add_property(
+ "security_modifiedTime",
+ DateTimeStampProp(pattern=r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/modifiedTime",
+ compact="security_modifiedTime",
+ )
+ # Specifies the time when a vulnerability was published.
+ cls._add_property(
+ "security_publishedTime",
+ DateTimeStampProp(pattern=r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/publishedTime",
+ compact="security_publishedTime",
+ )
+ # Specified the time and date when a vulnerability was withdrawn.
+ cls._add_property(
+ "security_withdrawnTime",
+ DateTimeStampProp(pattern=r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/withdrawnTime",
+ compact="security_withdrawnTime",
+ )
+
+
+# Abstract class representing a license combination consisting of one or more
+# licenses (optionally including additional text), which may be combined
+# according to the SPDX license expression syntax.
+@register("https://spdx.org/rdf/3.0.0/terms/SimpleLicensing/AnyLicenseInfo", "simplelicensing_AnyLicenseInfo")
+class simplelicensing_AnyLicenseInfo(Element):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+
+# An SPDX Element containing an SPDX license expression string.
+@register("https://spdx.org/rdf/3.0.0/terms/SimpleLicensing/LicenseExpression", "simplelicensing_LicenseExpression")
+class simplelicensing_LicenseExpression(simplelicensing_AnyLicenseInfo):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Maps a LicenseRef or AdditionRef string for a Custom License or a Custom License Addition to its URI ID.
+ cls._add_property(
+ "simplelicensing_customIdToUri",
+ ListProp(ObjectProp(DictionaryEntry, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/SimpleLicensing/customIdToUri",
+ compact="simplelicensing_customIdToUri",
+ )
+ # A string in the license expression format.
+ cls._add_property(
+ "simplelicensing_licenseExpression",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/SimpleLicensing/licenseExpression",
+ min_count=1,
+ compact="simplelicensing_licenseExpression",
+ )
+ # The version of the SPDX License List used in the license expression.
+ cls._add_property(
+ "simplelicensing_licenseListVersion",
+ StringProp(pattern=r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/SimpleLicensing/licenseListVersion",
+ compact="simplelicensing_licenseListVersion",
+ )
+
+
+# A license or addition that is not listed on the SPDX License List.
+@register("https://spdx.org/rdf/3.0.0/terms/SimpleLicensing/SimpleLicensingText", "simplelicensing_SimpleLicensingText")
+class simplelicensing_SimpleLicensingText(Element):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Identifies the full text of a License or Addition.
+ cls._add_property(
+ "simplelicensing_licenseText",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/SimpleLicensing/licenseText",
+ min_count=1,
+ compact="simplelicensing_licenseText",
+ )
+
+
+# A canonical, unique, immutable identifier
+@register("https://spdx.org/rdf/3.0.0/terms/Software/ContentIdentifier", "software_ContentIdentifier")
+class software_ContentIdentifier(IntegrityMethod):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Specifies the type of the content identifier.
+ cls._add_property(
+ "software_contentIdentifierType",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Software/ContentIdentifierType/gitoid", "gitoid"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/ContentIdentifierType/swhid", "swhid"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/Software/contentIdentifierType",
+ min_count=1,
+ compact="software_contentIdentifierType",
+ )
+ # Specifies the value of the content identifier.
+ cls._add_property(
+ "software_contentIdentifierValue",
+ AnyURIProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Software/contentIdentifierValue",
+ min_count=1,
+ compact="software_contentIdentifierValue",
+ )
+
+
+# Specifies the type of a content identifier.
+@register("https://spdx.org/rdf/3.0.0/terms/Software/ContentIdentifierType", "software_ContentIdentifierType")
+class software_ContentIdentifierType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "gitoid": "https://spdx.org/rdf/3.0.0/terms/Software/ContentIdentifierType/gitoid",
+ "swhid": "https://spdx.org/rdf/3.0.0/terms/Software/ContentIdentifierType/swhid",
+ }
+ # Gitoid stands for [Git Object ID](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) and a gitoid of type blob is a unique hash of a binary artifact. A gitoid may represent the software [Artifact ID](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#artifact-id) or the [OmniBOR Identifier](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-identifier) for the software artifact's associated [OmniBOR Document](https://github.com/omnibor/spec/blob/main/spec/SPEC.md#omnibor-document).
+ gitoid = "https://spdx.org/rdf/3.0.0/terms/Software/ContentIdentifierType/gitoid"
+ # SoftWare Hash IDentifier, persistent intrinsic identifiers for digital artifacts. The syntax of the identifiers is defined in the [SWHID specification](https://www.swhid.org/specification/v1.1/4.Syntax) and in the case of filess they typically look like `swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2`.
+ swhid = "https://spdx.org/rdf/3.0.0/terms/Software/ContentIdentifierType/swhid"
+
+
+# Enumeration of the different kinds of SPDX file.
+@register("https://spdx.org/rdf/3.0.0/terms/Software/FileKindType", "software_FileKindType")
+class software_FileKindType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "directory": "https://spdx.org/rdf/3.0.0/terms/Software/FileKindType/directory",
+ "file": "https://spdx.org/rdf/3.0.0/terms/Software/FileKindType/file",
+ }
+ # The file represents a directory and all content stored in that directory.
+ directory = "https://spdx.org/rdf/3.0.0/terms/Software/FileKindType/directory"
+ # The file represents a single file (default).
+ file = "https://spdx.org/rdf/3.0.0/terms/Software/FileKindType/file"
+
+
+# Provides a set of values to be used to describe the common types of SBOMs that tools may create.
+@register("https://spdx.org/rdf/3.0.0/terms/Software/SbomType", "software_SbomType")
+class software_SbomType(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "analyzed": "https://spdx.org/rdf/3.0.0/terms/Software/SbomType/analyzed",
+ "build": "https://spdx.org/rdf/3.0.0/terms/Software/SbomType/build",
+ "deployed": "https://spdx.org/rdf/3.0.0/terms/Software/SbomType/deployed",
+ "design": "https://spdx.org/rdf/3.0.0/terms/Software/SbomType/design",
+ "runtime": "https://spdx.org/rdf/3.0.0/terms/Software/SbomType/runtime",
+ "source": "https://spdx.org/rdf/3.0.0/terms/Software/SbomType/source",
+ }
+ # SBOM generated through analysis of artifacts (e.g., executables, packages, containers, and virtual machine images) after its build. Such analysis generally requires a variety of heuristics. In some contexts, this may also be referred to as a “3rd party” SBOM.
+ analyzed = "https://spdx.org/rdf/3.0.0/terms/Software/SbomType/analyzed"
+ # SBOM generated as part of the process of building the software to create a releasable artifact (e.g., executable or package) from data such as source files, dependencies, built components, build process ephemeral data, and other SBOMs.
+ build = "https://spdx.org/rdf/3.0.0/terms/Software/SbomType/build"
+ # SBOM provides an inventory of software that is present on a system. This may be an assembly of other SBOMs that combines analysis of configuration options, and examination of execution behavior in a (potentially simulated) deployment environment.
+ deployed = "https://spdx.org/rdf/3.0.0/terms/Software/SbomType/deployed"
+ # SBOM of intended, planned software project or product with included components (some of which may not yet exist) for a new software artifact.
+ design = "https://spdx.org/rdf/3.0.0/terms/Software/SbomType/design"
+ # SBOM generated through instrumenting the system running the software, to capture only components present in the system, as well as external call-outs or dynamically loaded components. In some contexts, this may also be referred to as an “Instrumented” or “Dynamic” SBOM.
+ runtime = "https://spdx.org/rdf/3.0.0/terms/Software/SbomType/runtime"
+ # SBOM created directly from the development environment, source files, and included dependencies used to build an product artifact.
+ source = "https://spdx.org/rdf/3.0.0/terms/Software/SbomType/source"
+
+
+# Provides information about the primary purpose of an Element.
+@register("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose", "software_SoftwarePurpose")
+class software_SoftwarePurpose(SHACLObject):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ "application": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/application",
+ "archive": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/archive",
+ "bom": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/bom",
+ "configuration": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/configuration",
+ "container": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/container",
+ "data": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/data",
+ "device": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/device",
+ "deviceDriver": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/deviceDriver",
+ "diskImage": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/diskImage",
+ "documentation": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/documentation",
+ "evidence": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/evidence",
+ "executable": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/executable",
+ "file": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/file",
+ "filesystemImage": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/filesystemImage",
+ "firmware": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/firmware",
+ "framework": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/framework",
+ "install": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/install",
+ "library": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/library",
+ "manifest": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/manifest",
+ "model": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/model",
+ "module": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/module",
+ "operatingSystem": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/operatingSystem",
+ "other": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/other",
+ "patch": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/patch",
+ "platform": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/platform",
+ "requirement": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/requirement",
+ "source": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/source",
+ "specification": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/specification",
+ "test": "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/test",
+ }
+ # the Element is a software application
+ application = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/application"
+ # the Element is an archived collection of one or more files (.tar, .zip, etc)
+ archive = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/archive"
+ # Element is a bill of materials
+ bom = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/bom"
+ # Element is configuration data
+ configuration = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/configuration"
+ # the Element is a container image which can be used by a container runtime application
+ container = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/container"
+ # Element is data
+ data = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/data"
+ # the Element refers to a chipset, processor, or electronic board
+ device = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/device"
+ # Element represents software that controls hardware devices
+ deviceDriver = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/deviceDriver"
+ # the Element refers to a disk image that can be written to a disk, booted in a VM, etc. A disk image typically contains most or all of the components necessary to boot, such as bootloaders, kernels, firmware, userspace, etc.
+ diskImage = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/diskImage"
+ # Element is documentation
+ documentation = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/documentation"
+ # the Element is the evidence that a specification or requirement has been fulfilled
+ evidence = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/evidence"
+ # Element is an Artifact that can be run on a computer
+ executable = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/executable"
+ # the Element is a single file which can be independently distributed (configuration file, statically linked binary, Kubernetes deployment, etc)
+ file = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/file"
+ # the Element is a file system image that can be written to a disk (or virtual) partition
+ filesystemImage = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/filesystemImage"
+ # the Element provides low level control over a device's hardware
+ firmware = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/firmware"
+ # the Element is a software framework
+ framework = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/framework"
+ # the Element is used to install software on disk
+ install = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/install"
+ # the Element is a software library
+ library = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/library"
+ # the Element is a software manifest
+ manifest = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/manifest"
+ # the Element is a machine learning or artificial intelligence model
+ model = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/model"
+ # the Element is a module of a piece of software
+ module = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/module"
+ # the Element is an operating system
+ operatingSystem = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/operatingSystem"
+ # the Element doesn't fit into any of the other categories
+ other = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/other"
+ # Element contains a set of changes to update, fix, or improve another Element
+ patch = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/patch"
+ # Element represents a runtime environment
+ platform = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/platform"
+ # the Element provides a requirement needed as input for another Element
+ requirement = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/requirement"
+ # the Element is a single or a collection of source files
+ source = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/source"
+ # the Element is a plan, guideline or strategy how to create, perform or analyse an application
+ specification = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/specification"
+ # The Element is a test used to verify functionality on an software element
+ test = "https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/test"
+
+
+# Class that describes a build instance of software/artifacts.
+@register("https://spdx.org/rdf/3.0.0/terms/Build/Build", "build_Build")
+class build_Build(Element):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Property that describes the time at which a build stops.
+ cls._add_property(
+ "build_buildEndTime",
+ DateTimeStampProp(pattern=r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Build/buildEndTime",
+ compact="build_buildEndTime",
+ )
+ # A buildId is a locally unique identifier used by a builder to identify a unique instance of a build produced by it.
+ cls._add_property(
+ "build_buildId",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Build/buildId",
+ compact="build_buildId",
+ )
+ # Property describing the start time of a build.
+ cls._add_property(
+ "build_buildStartTime",
+ DateTimeStampProp(pattern=r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Build/buildStartTime",
+ compact="build_buildStartTime",
+ )
+ # A buildType is a hint that is used to indicate the toolchain, platform, or infrastructure that the build was invoked on.
+ cls._add_property(
+ "build_buildType",
+ AnyURIProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Build/buildType",
+ min_count=1,
+ compact="build_buildType",
+ )
+ # Property that describes the digest of the build configuration file used to invoke a build.
+ cls._add_property(
+ "build_configSourceDigest",
+ ListProp(ObjectProp(Hash, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Build/configSourceDigest",
+ compact="build_configSourceDigest",
+ )
+ # Property describes the invocation entrypoint of a build.
+ cls._add_property(
+ "build_configSourceEntrypoint",
+ ListProp(StringProp()),
+ iri="https://spdx.org/rdf/3.0.0/terms/Build/configSourceEntrypoint",
+ compact="build_configSourceEntrypoint",
+ )
+ # Property that describes the URI of the build configuration source file.
+ cls._add_property(
+ "build_configSourceUri",
+ ListProp(AnyURIProp()),
+ iri="https://spdx.org/rdf/3.0.0/terms/Build/configSourceUri",
+ compact="build_configSourceUri",
+ )
+ # Property describing the session in which a build is invoked.
+ cls._add_property(
+ "build_environment",
+ ListProp(ObjectProp(DictionaryEntry, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Build/environment",
+ compact="build_environment",
+ )
+ # Property describing the parameters used in an instance of a build.
+ cls._add_property(
+ "build_parameters",
+ ListProp(ObjectProp(DictionaryEntry, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Build/parameters",
+ compact="build_parameters",
+ )
+
+
+# Agent represents anything with the potential to act on a system.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/Agent", "Agent")
+class Agent(Element):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+
+# An assertion made in relation to one or more elements.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/Annotation", "Annotation")
+class Annotation(Element):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Describes the type of annotation.
+ cls._add_property(
+ "annotationType",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Core/AnnotationType/other", "other"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/AnnotationType/review", "review"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/annotationType",
+ min_count=1,
+ compact="annotationType",
+ )
+ # Specifies the media type of an Element or Property.
+ cls._add_property(
+ "contentType",
+ StringProp(pattern=r"^[^\/]+\/[^\/]+$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/contentType",
+ compact="contentType",
+ )
+ # Commentary on an assertion that an annotator has made.
+ cls._add_property(
+ "statement",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/statement",
+ compact="statement",
+ )
+ # An Element an annotator has made an assertion about.
+ cls._add_property(
+ "subject",
+ ObjectProp(Element, True),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/subject",
+ min_count=1,
+ compact="subject",
+ )
+
+
+# A distinct article or unit within the digital domain.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/Artifact", "Artifact")
+class Artifact(Element):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Specifies the time an artifact was built.
+ cls._add_property(
+ "builtTime",
+ DateTimeStampProp(pattern=r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/builtTime",
+ compact="builtTime",
+ )
+ # Identifies from where or whom the Element originally came.
+ cls._add_property(
+ "originatedBy",
+ ListProp(ObjectProp(Agent, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/originatedBy",
+ compact="originatedBy",
+ )
+ # Specifies the time an artifact was released.
+ cls._add_property(
+ "releaseTime",
+ DateTimeStampProp(pattern=r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/releaseTime",
+ compact="releaseTime",
+ )
+ # The name of a relevant standard that may apply to an artifact.
+ cls._add_property(
+ "standardName",
+ ListProp(StringProp()),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/standardName",
+ compact="standardName",
+ )
+ # Identifies who or what supplied the artifact or VulnAssessmentRelationship referenced by the Element.
+ cls._add_property(
+ "suppliedBy",
+ ObjectProp(Agent, False),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/suppliedBy",
+ compact="suppliedBy",
+ )
+ # Specifies the level of support associated with an artifact.
+ cls._add_property(
+ "supportLevel",
+ ListProp(EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Core/SupportType/deployed", "deployed"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/SupportType/development", "development"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/SupportType/endOfSupport", "endOfSupport"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/SupportType/limitedSupport", "limitedSupport"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/SupportType/noAssertion", "noAssertion"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/SupportType/noSupport", "noSupport"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/SupportType/support", "support"),
+ ])),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/supportLevel",
+ compact="supportLevel",
+ )
+ # Specifies until when the artifact can be used before its usage needs to be reassessed.
+ cls._add_property(
+ "validUntilTime",
+ DateTimeStampProp(pattern=r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/validUntilTime",
+ compact="validUntilTime",
+ )
+
+
+# A collection of Elements that have a shared context.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/Bundle", "Bundle")
+class Bundle(ElementCollection):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Gives information about the circumstances or unifying properties
+ # that Elements of the bundle have been assembled under.
+ cls._add_property(
+ "context",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/context",
+ compact="context",
+ )
+
+
+# A mathematically calculated representation of a grouping of data.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/Hash", "Hash")
+class Hash(IntegrityMethod):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Specifies the algorithm used for calculating the hash value.
+ cls._add_property(
+ "algorithm",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/blake2b256", "blake2b256"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/blake2b384", "blake2b384"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/blake2b512", "blake2b512"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/blake3", "blake3"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/crystalsDilithium", "crystalsDilithium"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/crystalsKyber", "crystalsKyber"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/falcon", "falcon"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/md2", "md2"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/md4", "md4"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/md5", "md5"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/md6", "md6"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/other", "other"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha1", "sha1"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha224", "sha224"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha256", "sha256"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha384", "sha384"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha3_224", "sha3_224"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha3_256", "sha3_256"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha3_384", "sha3_384"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha3_512", "sha3_512"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/HashAlgorithm/sha512", "sha512"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/algorithm",
+ min_count=1,
+ compact="algorithm",
+ )
+ # The result of applying a hash algorithm to an Element.
+ cls._add_property(
+ "hashValue",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/hashValue",
+ min_count=1,
+ compact="hashValue",
+ )
+
+
+# Provide context for a relationship that occurs in the lifecycle.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopedRelationship", "LifecycleScopedRelationship")
+class LifecycleScopedRelationship(Relationship):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Capture the scope of information about a specific relationship between elements.
+ cls._add_property(
+ "scope",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopeType/build", "build"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopeType/design", "design"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopeType/development", "development"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopeType/other", "other"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopeType/runtime", "runtime"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/LifecycleScopeType/test", "test"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/Core/scope",
+ compact="scope",
+ )
+
+
+# A group of people who work together in an organized way for a shared purpose.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/Organization", "Organization")
+class Organization(Agent):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+
+# An individual human being.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/Person", "Person")
+class Person(Agent):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+
+# A software agent.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/SoftwareAgent", "SoftwareAgent")
+class SoftwareAgent(Agent):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+
+# Portion of an AnyLicenseInfo representing a set of licensing information
+# where all elements apply.
+@register("https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/ConjunctiveLicenseSet", "expandedlicensing_ConjunctiveLicenseSet")
+class expandedlicensing_ConjunctiveLicenseSet(simplelicensing_AnyLicenseInfo):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # A license expression participating in a license set.
+ cls._add_property(
+ "expandedlicensing_member",
+ ListProp(ObjectProp(simplelicensing_AnyLicenseInfo, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/member",
+ min_count=2,
+ compact="expandedlicensing_member",
+ )
+
+
+# A license addition that is not listed on the SPDX Exceptions List.
+@register("https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/CustomLicenseAddition", "expandedlicensing_CustomLicenseAddition")
+class expandedlicensing_CustomLicenseAddition(expandedlicensing_LicenseAddition):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+
+# Portion of an AnyLicenseInfo representing a set of licensing information
+# where only one of the elements applies.
+@register("https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/DisjunctiveLicenseSet", "expandedlicensing_DisjunctiveLicenseSet")
+class expandedlicensing_DisjunctiveLicenseSet(simplelicensing_AnyLicenseInfo):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # A license expression participating in a license set.
+ cls._add_property(
+ "expandedlicensing_member",
+ ListProp(ObjectProp(simplelicensing_AnyLicenseInfo, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/member",
+ min_count=2,
+ compact="expandedlicensing_member",
+ )
+
+
+# Abstract class representing a License or an OrLaterOperator.
+@register("https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/ExtendableLicense", "expandedlicensing_ExtendableLicense")
+class expandedlicensing_ExtendableLicense(simplelicensing_AnyLicenseInfo):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+
+# A concrete subclass of AnyLicenseInfo used by Individuals in the ExpandedLicensing profile.
+@register("https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/IndividualLicensingInfo", "expandedlicensing_IndividualLicensingInfo")
+class expandedlicensing_IndividualLicensingInfo(simplelicensing_AnyLicenseInfo):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+
+# Abstract class for the portion of an AnyLicenseInfo representing a license.
+@register("https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/License", "expandedlicensing_License")
+class expandedlicensing_License(expandedlicensing_ExtendableLicense):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Specifies whether a license or additional text identifier has been marked as
+ # deprecated.
+ cls._add_property(
+ "expandedlicensing_isDeprecatedLicenseId",
+ BooleanProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/isDeprecatedLicenseId",
+ compact="expandedlicensing_isDeprecatedLicenseId",
+ )
+ # Specifies whether the License is listed as free by the
+ # [Free Software Foundation (FSF)](https://fsf.org).
+ cls._add_property(
+ "expandedlicensing_isFsfLibre",
+ BooleanProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/isFsfLibre",
+ compact="expandedlicensing_isFsfLibre",
+ )
+ # Specifies whether the License is listed as approved by the
+ # [Open Source Initiative (OSI)](https://opensource.org).
+ cls._add_property(
+ "expandedlicensing_isOsiApproved",
+ BooleanProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/isOsiApproved",
+ compact="expandedlicensing_isOsiApproved",
+ )
+ # Identifies all the text and metadata associated with a license in the license XML format.
+ cls._add_property(
+ "expandedlicensing_licenseXml",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/licenseXml",
+ compact="expandedlicensing_licenseXml",
+ )
+ # Specifies the licenseId that is preferred to be used in place of a deprecated
+ # License or LicenseAddition.
+ cls._add_property(
+ "expandedlicensing_obsoletedBy",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/obsoletedBy",
+ compact="expandedlicensing_obsoletedBy",
+ )
+ # Contains a URL where the License or LicenseAddition can be found in use.
+ cls._add_property(
+ "expandedlicensing_seeAlso",
+ ListProp(AnyURIProp()),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/seeAlso",
+ compact="expandedlicensing_seeAlso",
+ )
+ # Provides a License author's preferred text to indicate that a file is covered
+ # by the License.
+ cls._add_property(
+ "expandedlicensing_standardLicenseHeader",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/standardLicenseHeader",
+ compact="expandedlicensing_standardLicenseHeader",
+ )
+ # Identifies the full text of a License, in SPDX templating format.
+ cls._add_property(
+ "expandedlicensing_standardLicenseTemplate",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/standardLicenseTemplate",
+ compact="expandedlicensing_standardLicenseTemplate",
+ )
+ # Identifies the full text of a License or Addition.
+ cls._add_property(
+ "simplelicensing_licenseText",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/SimpleLicensing/licenseText",
+ min_count=1,
+ compact="simplelicensing_licenseText",
+ )
+
+
+# A license that is listed on the SPDX License List.
+@register("https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/ListedLicense", "expandedlicensing_ListedLicense")
+class expandedlicensing_ListedLicense(expandedlicensing_License):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Specifies the SPDX License List version in which this license or exception
+ # identifier was deprecated.
+ cls._add_property(
+ "expandedlicensing_deprecatedVersion",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/deprecatedVersion",
+ compact="expandedlicensing_deprecatedVersion",
+ )
+ # Specifies the SPDX License List version in which this ListedLicense or
+ # ListedLicenseException identifier was first added.
+ cls._add_property(
+ "expandedlicensing_listVersionAdded",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/listVersionAdded",
+ compact="expandedlicensing_listVersionAdded",
+ )
+
+
+# Portion of an AnyLicenseInfo representing this version, or any later version,
+# of the indicated License.
+@register("https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/OrLaterOperator", "expandedlicensing_OrLaterOperator")
+class expandedlicensing_OrLaterOperator(expandedlicensing_ExtendableLicense):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # A License participating in an 'or later' model.
+ cls._add_property(
+ "expandedlicensing_subjectLicense",
+ ObjectProp(expandedlicensing_License, True),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/subjectLicense",
+ min_count=1,
+ compact="expandedlicensing_subjectLicense",
+ )
+
+
+# Portion of an AnyLicenseInfo representing a License which has additional
+# text applied to it.
+@register("https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/WithAdditionOperator", "expandedlicensing_WithAdditionOperator")
+class expandedlicensing_WithAdditionOperator(simplelicensing_AnyLicenseInfo):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # A LicenseAddition participating in a 'with addition' model.
+ cls._add_property(
+ "expandedlicensing_subjectAddition",
+ ObjectProp(expandedlicensing_LicenseAddition, True),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/subjectAddition",
+ min_count=1,
+ compact="expandedlicensing_subjectAddition",
+ )
+ # A License participating in a 'with addition' model.
+ cls._add_property(
+ "expandedlicensing_subjectExtendableLicense",
+ ObjectProp(expandedlicensing_ExtendableLicense, True),
+ iri="https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/subjectExtendableLicense",
+ min_count=1,
+ compact="expandedlicensing_subjectExtendableLicense",
+ )
+
+
+# A type of extension consisting of a list of name value pairs.
+@register("https://spdx.org/rdf/3.0.0/terms/Extension/CdxPropertiesExtension", "extension_CdxPropertiesExtension")
+class extension_CdxPropertiesExtension(extension_Extension):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Provides a map of a property names to a values.
+ cls._add_property(
+ "extension_cdxProperty",
+ ListProp(ObjectProp(extension_CdxPropertyEntry, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Extension/cdxProperty",
+ min_count=1,
+ compact="extension_cdxProperty",
+ )
+
+
+# Provides a CVSS version 2.0 assessment for a vulnerability.
+@register("https://spdx.org/rdf/3.0.0/terms/Security/CvssV2VulnAssessmentRelationship", "security_CvssV2VulnAssessmentRelationship")
+class security_CvssV2VulnAssessmentRelationship(security_VulnAssessmentRelationship):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Provides a numerical (0-10) representation of the severity of a vulnerability.
+ cls._add_property(
+ "security_score",
+ FloatProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/score",
+ min_count=1,
+ compact="security_score",
+ )
+ # Specifies the CVSS vector string for a vulnerability.
+ cls._add_property(
+ "security_vectorString",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/vectorString",
+ min_count=1,
+ compact="security_vectorString",
+ )
+
+
+# Provides a CVSS version 3 assessment for a vulnerability.
+@register("https://spdx.org/rdf/3.0.0/terms/Security/CvssV3VulnAssessmentRelationship", "security_CvssV3VulnAssessmentRelationship")
+class security_CvssV3VulnAssessmentRelationship(security_VulnAssessmentRelationship):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Provides a numerical (0-10) representation of the severity of a vulnerability.
+ cls._add_property(
+ "security_score",
+ FloatProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/score",
+ min_count=1,
+ compact="security_score",
+ )
+ # Specifies the CVSS qualitative severity rating of a vulnerability in relation to a piece of software.
+ cls._add_property(
+ "security_severity",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/critical", "critical"),
+ ("https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/high", "high"),
+ ("https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/low", "low"),
+ ("https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/medium", "medium"),
+ ("https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/none", "none"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/severity",
+ min_count=1,
+ compact="security_severity",
+ )
+ # Specifies the CVSS vector string for a vulnerability.
+ cls._add_property(
+ "security_vectorString",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/vectorString",
+ min_count=1,
+ compact="security_vectorString",
+ )
+
+
+# Provides a CVSS version 4 assessment for a vulnerability.
+@register("https://spdx.org/rdf/3.0.0/terms/Security/CvssV4VulnAssessmentRelationship", "security_CvssV4VulnAssessmentRelationship")
+class security_CvssV4VulnAssessmentRelationship(security_VulnAssessmentRelationship):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Provides a numerical (0-10) representation of the severity of a vulnerability.
+ cls._add_property(
+ "security_score",
+ FloatProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/score",
+ min_count=1,
+ compact="security_score",
+ )
+ # Specifies the CVSS qualitative severity rating of a vulnerability in relation to a piece of software.
+ cls._add_property(
+ "security_severity",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/critical", "critical"),
+ ("https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/high", "high"),
+ ("https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/low", "low"),
+ ("https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/medium", "medium"),
+ ("https://spdx.org/rdf/3.0.0/terms/Security/CvssSeverityType/none", "none"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/severity",
+ min_count=1,
+ compact="security_severity",
+ )
+ # Specifies the CVSS vector string for a vulnerability.
+ cls._add_property(
+ "security_vectorString",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/vectorString",
+ min_count=1,
+ compact="security_vectorString",
+ )
+
+
+# Provides an EPSS assessment for a vulnerability.
+@register("https://spdx.org/rdf/3.0.0/terms/Security/EpssVulnAssessmentRelationship", "security_EpssVulnAssessmentRelationship")
+class security_EpssVulnAssessmentRelationship(security_VulnAssessmentRelationship):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # The percentile of the current probability score.
+ cls._add_property(
+ "security_percentile",
+ FloatProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/percentile",
+ min_count=1,
+ compact="security_percentile",
+ )
+ # A probability score between 0 and 1 of a vulnerability being exploited.
+ cls._add_property(
+ "security_probability",
+ FloatProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/probability",
+ min_count=1,
+ compact="security_probability",
+ )
+ # Specifies the time when a vulnerability was published.
+ cls._add_property(
+ "security_publishedTime",
+ DateTimeStampProp(pattern=r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/publishedTime",
+ min_count=1,
+ compact="security_publishedTime",
+ )
+
+
+# Provides an exploit assessment of a vulnerability.
+@register("https://spdx.org/rdf/3.0.0/terms/Security/ExploitCatalogVulnAssessmentRelationship", "security_ExploitCatalogVulnAssessmentRelationship")
+class security_ExploitCatalogVulnAssessmentRelationship(security_VulnAssessmentRelationship):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Specifies the exploit catalog type.
+ cls._add_property(
+ "security_catalogType",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Security/ExploitCatalogType/kev", "kev"),
+ ("https://spdx.org/rdf/3.0.0/terms/Security/ExploitCatalogType/other", "other"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/catalogType",
+ min_count=1,
+ compact="security_catalogType",
+ )
+ # Describe that a CVE is known to have an exploit because it's been listed in an exploit catalog.
+ cls._add_property(
+ "security_exploited",
+ BooleanProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/exploited",
+ min_count=1,
+ compact="security_exploited",
+ )
+ # Provides the location of an exploit catalog.
+ cls._add_property(
+ "security_locator",
+ AnyURIProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/locator",
+ min_count=1,
+ compact="security_locator",
+ )
+
+
+# Provides an SSVC assessment for a vulnerability.
+@register("https://spdx.org/rdf/3.0.0/terms/Security/SsvcVulnAssessmentRelationship", "security_SsvcVulnAssessmentRelationship")
+class security_SsvcVulnAssessmentRelationship(security_VulnAssessmentRelationship):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Provide the enumeration of possible decisions in the Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree [https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf](https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf)
+ cls._add_property(
+ "security_decisionType",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Security/SsvcDecisionType/act", "act"),
+ ("https://spdx.org/rdf/3.0.0/terms/Security/SsvcDecisionType/attend", "attend"),
+ ("https://spdx.org/rdf/3.0.0/terms/Security/SsvcDecisionType/track", "track"),
+ ("https://spdx.org/rdf/3.0.0/terms/Security/SsvcDecisionType/trackStar", "trackStar"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/decisionType",
+ min_count=1,
+ compact="security_decisionType",
+ )
+
+
+# Asbtract ancestor class for all VEX relationships
+@register("https://spdx.org/rdf/3.0.0/terms/Security/VexVulnAssessmentRelationship", "security_VexVulnAssessmentRelationship")
+class security_VexVulnAssessmentRelationship(security_VulnAssessmentRelationship):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Conveys information about how VEX status was determined.
+ cls._add_property(
+ "security_statusNotes",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/statusNotes",
+ compact="security_statusNotes",
+ )
+ # Specifies the version of a VEX statement.
+ cls._add_property(
+ "security_vexVersion",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/vexVersion",
+ compact="security_vexVersion",
+ )
+
+
+# Specifies a vulnerability and its associated information.
+@register("https://spdx.org/rdf/3.0.0/terms/Security/Vulnerability", "security_Vulnerability")
+class security_Vulnerability(Artifact):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Specifies a time when a vulnerability assessment was modified
+ cls._add_property(
+ "security_modifiedTime",
+ DateTimeStampProp(pattern=r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/modifiedTime",
+ compact="security_modifiedTime",
+ )
+ # Specifies the time when a vulnerability was published.
+ cls._add_property(
+ "security_publishedTime",
+ DateTimeStampProp(pattern=r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/publishedTime",
+ compact="security_publishedTime",
+ )
+ # Specified the time and date when a vulnerability was withdrawn.
+ cls._add_property(
+ "security_withdrawnTime",
+ DateTimeStampProp(pattern=r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/withdrawnTime",
+ compact="security_withdrawnTime",
+ )
+
+
+# A distinct article or unit related to Software.
+@register("https://spdx.org/rdf/3.0.0/terms/Software/SoftwareArtifact", "software_SoftwareArtifact")
+class software_SoftwareArtifact(Artifact):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Provides additional purpose information of the software artifact.
+ cls._add_property(
+ "software_additionalPurpose",
+ ListProp(EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/application", "application"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/archive", "archive"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/bom", "bom"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/configuration", "configuration"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/container", "container"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/data", "data"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/device", "device"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/deviceDriver", "deviceDriver"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/diskImage", "diskImage"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/documentation", "documentation"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/evidence", "evidence"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/executable", "executable"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/file", "file"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/filesystemImage", "filesystemImage"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/firmware", "firmware"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/framework", "framework"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/install", "install"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/library", "library"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/manifest", "manifest"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/model", "model"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/module", "module"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/operatingSystem", "operatingSystem"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/other", "other"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/patch", "patch"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/platform", "platform"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/requirement", "requirement"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/source", "source"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/specification", "specification"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/test", "test"),
+ ])),
+ iri="https://spdx.org/rdf/3.0.0/terms/Software/additionalPurpose",
+ compact="software_additionalPurpose",
+ )
+ # Provides a place for the SPDX data creator to record acknowledgement text for
+ # a software Package, File or Snippet.
+ cls._add_property(
+ "software_attributionText",
+ ListProp(StringProp()),
+ iri="https://spdx.org/rdf/3.0.0/terms/Software/attributionText",
+ compact="software_attributionText",
+ )
+ # A canonical, unique, immutable identifier of the artifact content, that may be used for verifying its identity and/or integrity.
+ cls._add_property(
+ "software_contentIdentifier",
+ ListProp(ObjectProp(software_ContentIdentifier, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Software/contentIdentifier",
+ compact="software_contentIdentifier",
+ )
+ # Identifies the text of one or more copyright notices for a software Package,
+ # File or Snippet, if any.
+ cls._add_property(
+ "software_copyrightText",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Software/copyrightText",
+ compact="software_copyrightText",
+ )
+ # Provides information about the primary purpose of the software artifact.
+ cls._add_property(
+ "software_primaryPurpose",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/application", "application"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/archive", "archive"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/bom", "bom"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/configuration", "configuration"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/container", "container"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/data", "data"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/device", "device"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/deviceDriver", "deviceDriver"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/diskImage", "diskImage"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/documentation", "documentation"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/evidence", "evidence"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/executable", "executable"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/file", "file"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/filesystemImage", "filesystemImage"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/firmware", "firmware"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/framework", "framework"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/install", "install"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/library", "library"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/manifest", "manifest"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/model", "model"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/module", "module"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/operatingSystem", "operatingSystem"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/other", "other"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/patch", "patch"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/platform", "platform"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/requirement", "requirement"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/source", "source"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/specification", "specification"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SoftwarePurpose/test", "test"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/Software/primaryPurpose",
+ compact="software_primaryPurpose",
+ )
+
+
+# A container for a grouping of SPDX-3.0 content characterizing details
+# (provenence, composition, licensing, etc.) about a product.
+@register("https://spdx.org/rdf/3.0.0/terms/Core/Bom", "Bom")
+class Bom(Bundle):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+
+# A license that is not listed on the SPDX License List.
+@register("https://spdx.org/rdf/3.0.0/terms/ExpandedLicensing/CustomLicense", "expandedlicensing_CustomLicense")
+class expandedlicensing_CustomLicense(expandedlicensing_License):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+
+# Connects a vulnerability and an element designating the element as a product
+# affected by the vulnerability.
+@register("https://spdx.org/rdf/3.0.0/terms/Security/VexAffectedVulnAssessmentRelationship", "security_VexAffectedVulnAssessmentRelationship")
+class security_VexAffectedVulnAssessmentRelationship(security_VexVulnAssessmentRelationship):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Provides advise on how to mitigate or remediate a vulnerability when a VEX product
+ # is affected by it.
+ cls._add_property(
+ "security_actionStatement",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/actionStatement",
+ compact="security_actionStatement",
+ )
+ # Records the time when a recommended action was communicated in a VEX statement
+ # to mitigate a vulnerability.
+ cls._add_property(
+ "security_actionStatementTime",
+ ListProp(DateTimeStampProp(pattern=r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$",)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/actionStatementTime",
+ compact="security_actionStatementTime",
+ )
+
+
+# Links a vulnerability and elements representing products (in the VEX sense) where
+# a fix has been applied and are no longer affected.
+@register("https://spdx.org/rdf/3.0.0/terms/Security/VexFixedVulnAssessmentRelationship", "security_VexFixedVulnAssessmentRelationship")
+class security_VexFixedVulnAssessmentRelationship(security_VexVulnAssessmentRelationship):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+
+# Links a vulnerability and one or more elements designating the latter as products
+# not affected by the vulnerability.
+@register("https://spdx.org/rdf/3.0.0/terms/Security/VexNotAffectedVulnAssessmentRelationship", "security_VexNotAffectedVulnAssessmentRelationship")
+class security_VexNotAffectedVulnAssessmentRelationship(security_VexVulnAssessmentRelationship):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Explains why a VEX product is not affected by a vulnerability. It is an
+ # alternative in VexNotAffectedVulnAssessmentRelationship to the machine-readable
+ # justification label.
+ cls._add_property(
+ "security_impactStatement",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/impactStatement",
+ compact="security_impactStatement",
+ )
+ # Timestamp of impact statement.
+ cls._add_property(
+ "security_impactStatementTime",
+ DateTimeStampProp(pattern=r"^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/impactStatementTime",
+ compact="security_impactStatementTime",
+ )
+ # Impact justification label to be used when linking a vulnerability to an element
+ # representing a VEX product with a VexNotAffectedVulnAssessmentRelationship
+ # relationship.
+ cls._add_property(
+ "security_justificationType",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Security/VexJustificationType/componentNotPresent", "componentNotPresent"),
+ ("https://spdx.org/rdf/3.0.0/terms/Security/VexJustificationType/inlineMitigationsAlreadyExist", "inlineMitigationsAlreadyExist"),
+ ("https://spdx.org/rdf/3.0.0/terms/Security/VexJustificationType/vulnerableCodeCannotBeControlledByAdversary", "vulnerableCodeCannotBeControlledByAdversary"),
+ ("https://spdx.org/rdf/3.0.0/terms/Security/VexJustificationType/vulnerableCodeNotInExecutePath", "vulnerableCodeNotInExecutePath"),
+ ("https://spdx.org/rdf/3.0.0/terms/Security/VexJustificationType/vulnerableCodeNotPresent", "vulnerableCodeNotPresent"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/Security/justificationType",
+ compact="security_justificationType",
+ )
+
+
+# Designates elements as products where the impact of a vulnerability is being
+# investigated.
+@register("https://spdx.org/rdf/3.0.0/terms/Security/VexUnderInvestigationVulnAssessmentRelationship", "security_VexUnderInvestigationVulnAssessmentRelationship")
+class security_VexUnderInvestigationVulnAssessmentRelationship(security_VexVulnAssessmentRelationship):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+
+# Refers to any object that stores content on a computer.
+@register("https://spdx.org/rdf/3.0.0/terms/Software/File", "software_File")
+class software_File(software_SoftwareArtifact):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Provides information about the content type of an Element.
+ cls._add_property(
+ "software_contentType",
+ StringProp(pattern=r"^[^\/]+\/[^\/]+$",),
+ iri="https://spdx.org/rdf/3.0.0/terms/Software/contentType",
+ compact="software_contentType",
+ )
+ # Describes if a given file is a directory or non-directory kind of file.
+ cls._add_property(
+ "software_fileKind",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Software/FileKindType/directory", "directory"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/FileKindType/file", "file"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/Software/fileKind",
+ compact="software_fileKind",
+ )
+
+
+# Refers to any unit of content that can be associated with a distribution of software.
+@register("https://spdx.org/rdf/3.0.0/terms/Software/Package", "software_Package")
+class software_Package(software_SoftwareArtifact):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Identifies the download Uniform Resource Identifier for the package at the time that the document was created.
+ cls._add_property(
+ "software_downloadLocation",
+ AnyURIProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Software/downloadLocation",
+ compact="software_downloadLocation",
+ )
+ # A place for the SPDX document creator to record a website that serves as the package's home page.
+ cls._add_property(
+ "software_homePage",
+ AnyURIProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Software/homePage",
+ compact="software_homePage",
+ )
+ # Provides a place for the SPDX data creator to record the package URL string (in accordance with the [package URL spec](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst)) for a software Package.
+ cls._add_property(
+ "software_packageUrl",
+ AnyURIProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Software/packageUrl",
+ compact="software_packageUrl",
+ )
+ # Identify the version of a package.
+ cls._add_property(
+ "software_packageVersion",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Software/packageVersion",
+ compact="software_packageVersion",
+ )
+ # Records any relevant background information or additional comments
+ # about the origin of the package.
+ cls._add_property(
+ "software_sourceInfo",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Software/sourceInfo",
+ compact="software_sourceInfo",
+ )
+
+
+# A collection of SPDX Elements describing a single package.
+@register("https://spdx.org/rdf/3.0.0/terms/Software/Sbom", "software_Sbom")
+class software_Sbom(Bom):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Provides information about the type of an SBOM.
+ cls._add_property(
+ "software_sbomType",
+ ListProp(EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SbomType/analyzed", "analyzed"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SbomType/build", "build"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SbomType/deployed", "deployed"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SbomType/design", "design"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SbomType/runtime", "runtime"),
+ ("https://spdx.org/rdf/3.0.0/terms/Software/SbomType/source", "source"),
+ ])),
+ iri="https://spdx.org/rdf/3.0.0/terms/Software/sbomType",
+ compact="software_sbomType",
+ )
+
+
+# Describes a certain part of a file.
+@register("https://spdx.org/rdf/3.0.0/terms/Software/Snippet", "software_Snippet")
+class software_Snippet(software_SoftwareArtifact):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Defines the byte range in the original host file that the snippet information applies to.
+ cls._add_property(
+ "software_byteRange",
+ ObjectProp(PositiveIntegerRange, False),
+ iri="https://spdx.org/rdf/3.0.0/terms/Software/byteRange",
+ compact="software_byteRange",
+ )
+ # Defines the line range in the original host file that the snippet information applies to.
+ cls._add_property(
+ "software_lineRange",
+ ObjectProp(PositiveIntegerRange, False),
+ iri="https://spdx.org/rdf/3.0.0/terms/Software/lineRange",
+ compact="software_lineRange",
+ )
+ # Defines the original host file that the snippet information applies to.
+ cls._add_property(
+ "software_snippetFromFile",
+ ObjectProp(software_File, True),
+ iri="https://spdx.org/rdf/3.0.0/terms/Software/snippetFromFile",
+ min_count=1,
+ compact="software_snippetFromFile",
+ )
+
+
+# Specifies an AI package and its associated information.
+@register("https://spdx.org/rdf/3.0.0/terms/AI/AIPackage", "ai_AIPackage")
+class ai_AIPackage(software_Package):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # States if a human is involved in the decisions of the AI software.
+ cls._add_property(
+ "ai_autonomyType",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Core/PresenceType/no", "no"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/PresenceType/noAssertion", "noAssertion"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/PresenceType/yes", "yes"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/autonomyType",
+ compact="ai_autonomyType",
+ )
+ # Captures the domain in which the AI package can be used.
+ cls._add_property(
+ "ai_domain",
+ ListProp(StringProp()),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/domain",
+ compact="ai_domain",
+ )
+ # Indicates the amount of energy consumed to train the AI model.
+ cls._add_property(
+ "ai_energyConsumption",
+ ObjectProp(ai_EnergyConsumption, False),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/energyConsumption",
+ compact="ai_energyConsumption",
+ )
+ # Records a hyperparameter used to build the AI model contained in the AI package.
+ cls._add_property(
+ "ai_hyperparameter",
+ ListProp(ObjectProp(DictionaryEntry, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/hyperparameter",
+ compact="ai_hyperparameter",
+ )
+ # Provides relevant information about the AI software, not including the model description.
+ cls._add_property(
+ "ai_informationAboutApplication",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/informationAboutApplication",
+ compact="ai_informationAboutApplication",
+ )
+ # Describes relevant information about different steps of the training process.
+ cls._add_property(
+ "ai_informationAboutTraining",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/informationAboutTraining",
+ compact="ai_informationAboutTraining",
+ )
+ # Captures a limitation of the AI software.
+ cls._add_property(
+ "ai_limitation",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/limitation",
+ compact="ai_limitation",
+ )
+ # Records the measurement of prediction quality of the AI model.
+ cls._add_property(
+ "ai_metric",
+ ListProp(ObjectProp(DictionaryEntry, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/metric",
+ compact="ai_metric",
+ )
+ # Captures the threshold that was used for computation of a metric described in the metric field.
+ cls._add_property(
+ "ai_metricDecisionThreshold",
+ ListProp(ObjectProp(DictionaryEntry, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/metricDecisionThreshold",
+ compact="ai_metricDecisionThreshold",
+ )
+ # Describes all the preprocessing steps applied to the training data before the model training.
+ cls._add_property(
+ "ai_modelDataPreprocessing",
+ ListProp(StringProp()),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/modelDataPreprocessing",
+ compact="ai_modelDataPreprocessing",
+ )
+ # Describes methods that can be used to explain the model.
+ cls._add_property(
+ "ai_modelExplainability",
+ ListProp(StringProp()),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/modelExplainability",
+ compact="ai_modelExplainability",
+ )
+ # Records the results of general safety risk assessment of the AI system.
+ cls._add_property(
+ "ai_safetyRiskAssessment",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/AI/SafetyRiskAssessmentType/high", "high"),
+ ("https://spdx.org/rdf/3.0.0/terms/AI/SafetyRiskAssessmentType/low", "low"),
+ ("https://spdx.org/rdf/3.0.0/terms/AI/SafetyRiskAssessmentType/medium", "medium"),
+ ("https://spdx.org/rdf/3.0.0/terms/AI/SafetyRiskAssessmentType/serious", "serious"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/safetyRiskAssessment",
+ compact="ai_safetyRiskAssessment",
+ )
+ # Captures a standard that is being complied with.
+ cls._add_property(
+ "ai_standardCompliance",
+ ListProp(StringProp()),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/standardCompliance",
+ compact="ai_standardCompliance",
+ )
+ # Records the type of the model used in the AI software.
+ cls._add_property(
+ "ai_typeOfModel",
+ ListProp(StringProp()),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/typeOfModel",
+ compact="ai_typeOfModel",
+ )
+ # Records if sensitive personal information is used during model training or could be used during the inference.
+ cls._add_property(
+ "ai_useSensitivePersonalInformation",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Core/PresenceType/no", "no"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/PresenceType/noAssertion", "noAssertion"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/PresenceType/yes", "yes"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/AI/useSensitivePersonalInformation",
+ compact="ai_useSensitivePersonalInformation",
+ )
+
+
+# Specifies a data package and its associated information.
+@register("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetPackage", "dataset_DatasetPackage")
+class dataset_DatasetPackage(software_Package):
+ NODE_KIND = NodeKind.BlankNodeOrIRI
+ ID_ALIAS = "spdxId"
+ NAMED_INDIVIDUALS = {
+ }
+
+ @classmethod
+ def _register_props(cls):
+ super()._register_props()
+ # Describes the anonymization methods used.
+ cls._add_property(
+ "dataset_anonymizationMethodUsed",
+ ListProp(StringProp()),
+ iri="https://spdx.org/rdf/3.0.0/terms/Dataset/anonymizationMethodUsed",
+ compact="dataset_anonymizationMethodUsed",
+ )
+ # Describes the confidentiality level of the data points contained in the dataset.
+ cls._add_property(
+ "dataset_confidentialityLevel",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/ConfidentialityLevelType/amber", "amber"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/ConfidentialityLevelType/clear", "clear"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/ConfidentialityLevelType/green", "green"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/ConfidentialityLevelType/red", "red"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/Dataset/confidentialityLevel",
+ compact="dataset_confidentialityLevel",
+ )
+ # Describes how the dataset was collected.
+ cls._add_property(
+ "dataset_dataCollectionProcess",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Dataset/dataCollectionProcess",
+ compact="dataset_dataCollectionProcess",
+ )
+ # Describes the preprocessing steps that were applied to the raw data to create the given dataset.
+ cls._add_property(
+ "dataset_dataPreprocessing",
+ ListProp(StringProp()),
+ iri="https://spdx.org/rdf/3.0.0/terms/Dataset/dataPreprocessing",
+ compact="dataset_dataPreprocessing",
+ )
+ # The field describes the availability of a dataset.
+ cls._add_property(
+ "dataset_datasetAvailability",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetAvailabilityType/clickthrough", "clickthrough"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetAvailabilityType/directDownload", "directDownload"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetAvailabilityType/query", "query"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetAvailabilityType/registration", "registration"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetAvailabilityType/scrapingScript", "scrapingScript"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/Dataset/datasetAvailability",
+ compact="dataset_datasetAvailability",
+ )
+ # Describes potentially noisy elements of the dataset.
+ cls._add_property(
+ "dataset_datasetNoise",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Dataset/datasetNoise",
+ compact="dataset_datasetNoise",
+ )
+ # Captures the size of the dataset.
+ cls._add_property(
+ "dataset_datasetSize",
+ NonNegativeIntegerProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Dataset/datasetSize",
+ compact="dataset_datasetSize",
+ )
+ # Describes the type of the given dataset.
+ cls._add_property(
+ "dataset_datasetType",
+ ListProp(EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/audio", "audio"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/categorical", "categorical"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/graph", "graph"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/image", "image"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/noAssertion", "noAssertion"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/numeric", "numeric"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/other", "other"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/sensor", "sensor"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/structured", "structured"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/syntactic", "syntactic"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/text", "text"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/timeseries", "timeseries"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/timestamp", "timestamp"),
+ ("https://spdx.org/rdf/3.0.0/terms/Dataset/DatasetType/video", "video"),
+ ])),
+ iri="https://spdx.org/rdf/3.0.0/terms/Dataset/datasetType",
+ min_count=1,
+ compact="dataset_datasetType",
+ )
+ # Describes a mechanism to update the dataset.
+ cls._add_property(
+ "dataset_datasetUpdateMechanism",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Dataset/datasetUpdateMechanism",
+ compact="dataset_datasetUpdateMechanism",
+ )
+ # Describes if any sensitive personal information is present in the dataset.
+ cls._add_property(
+ "dataset_hasSensitivePersonalInformation",
+ EnumProp([
+ ("https://spdx.org/rdf/3.0.0/terms/Core/PresenceType/no", "no"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/PresenceType/noAssertion", "noAssertion"),
+ ("https://spdx.org/rdf/3.0.0/terms/Core/PresenceType/yes", "yes"),
+ ]),
+ iri="https://spdx.org/rdf/3.0.0/terms/Dataset/hasSensitivePersonalInformation",
+ compact="dataset_hasSensitivePersonalInformation",
+ )
+ # Describes what the given dataset should be used for.
+ cls._add_property(
+ "dataset_intendedUse",
+ StringProp(),
+ iri="https://spdx.org/rdf/3.0.0/terms/Dataset/intendedUse",
+ compact="dataset_intendedUse",
+ )
+ # Records the biases that the dataset is known to encompass.
+ cls._add_property(
+ "dataset_knownBias",
+ ListProp(StringProp()),
+ iri="https://spdx.org/rdf/3.0.0/terms/Dataset/knownBias",
+ compact="dataset_knownBias",
+ )
+ # Describes a sensor used for collecting the data.
+ cls._add_property(
+ "dataset_sensor",
+ ListProp(ObjectProp(DictionaryEntry, False)),
+ iri="https://spdx.org/rdf/3.0.0/terms/Dataset/sensor",
+ compact="dataset_sensor",
+ )
+
+
+"""Format Guard"""
+# fmt: on
+
+
+def main():
+ import argparse
+ from pathlib import Path
+
+ parser = argparse.ArgumentParser(description="Python SHACL model test")
+ parser.add_argument("infile", type=Path, help="Input file")
+ parser.add_argument("--print", action="store_true", help="Print object tree")
+ parser.add_argument("--outfile", type=Path, help="Output file")
+
+ args = parser.parse_args()
+
+ objectset = SHACLObjectSet()
+ with args.infile.open("r") as f:
+ d = JSONLDDeserializer()
+ d.read(f, objectset)
+
+ if args.print:
+ print_tree(objectset.objects)
+
+ if args.outfile:
+ with args.outfile.open("wb") as f:
+ s = JSONLDSerializer()
+ s.write(objectset, f)
+
+ return 0
+
+
+if __name__ == "__main__":
+ import sys
+
+ sys.exit(main())
Adds a class to generate SPDX 3.0 output. Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> --- meta/classes/create-spdx-3.0.bbclass | 1284 ++++++ meta/classes/spdx-common.bbclass | 25 +- meta/lib/oe/sbom30.py | 993 +++++ meta/lib/oe/spdx30.py | 5413 ++++++++++++++++++++++++++ 4 files changed, 7714 insertions(+), 1 deletion(-) create mode 100644 meta/classes/create-spdx-3.0.bbclass create mode 100644 meta/lib/oe/sbom30.py create mode 100644 meta/lib/oe/spdx30.py