From 39360b20be27ef345fc7a95acd342a3c9a491f67 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Armin=20T=C3=A4nzer?= Date: Tue, 4 Jul 2023 08:32:48 +0200 Subject: [PATCH] update JSON-LD examples and add documentation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Armin Tänzer --- serialization/json_ld/EXAMPLES.md | 30 ++ serialization/json_ld/examples/agent1.json | 21 + .../json_ld/examples/annotation1.json | 18 + .../examples/converted_from_spdx_2.json | 438 ++++++++++++++++++ serialization/json_ld/examples/file1.json | 18 + serialization/json_ld/examples/org1.json | 14 + serialization/json_ld/examples/package.jsonld | 52 --- serialization/json_ld/examples/package1.json | 44 ++ serialization/json_ld/examples/person.jsonld | 28 -- serialization/json_ld/examples/person1.json | 21 + serialization/json_ld/examples/person2.json | 23 + serialization/json_ld/examples/person3.json | 13 + .../json_ld/examples/relationship1.json | 19 + serialization/json_ld/examples/sbom1.json | 21 + .../json_ld/examples/spdx_document.jsonld | 105 ----- .../json_ld/examples/spdx_document1.json | 21 + .../json_ld/examples/spdx_document2.json | 41 ++ .../json_ld/examples/spdx_document3.json | 52 +++ .../json_ld/examples/spdx_document4.json | 59 +++ serialization/json_ld/examples/tool1.json | 13 + serialization/json_ld/examples/two_sboms.json | 45 ++ serialization/rdf.md | 21 + 22 files changed, 932 insertions(+), 185 deletions(-) create mode 100644 serialization/json_ld/EXAMPLES.md create mode 100644 serialization/json_ld/examples/agent1.json create mode 100644 serialization/json_ld/examples/annotation1.json create mode 100644 serialization/json_ld/examples/converted_from_spdx_2.json create mode 100644 serialization/json_ld/examples/file1.json create mode 100644 serialization/json_ld/examples/org1.json delete mode 100644 serialization/json_ld/examples/package.jsonld create mode 100644 serialization/json_ld/examples/package1.json delete mode 100644 serialization/json_ld/examples/person.jsonld create mode 100644 serialization/json_ld/examples/person1.json create mode 100644 serialization/json_ld/examples/person2.json create mode 100644 serialization/json_ld/examples/person3.json create mode 100644 
serialization/json_ld/examples/relationship1.json create mode 100644 serialization/json_ld/examples/sbom1.json delete mode 100644 serialization/json_ld/examples/spdx_document.jsonld create mode 100644 serialization/json_ld/examples/spdx_document1.json create mode 100644 serialization/json_ld/examples/spdx_document2.json create mode 100644 serialization/json_ld/examples/spdx_document3.json create mode 100644 serialization/json_ld/examples/spdx_document4.json create mode 100644 serialization/json_ld/examples/tool1.json create mode 100644 serialization/json_ld/examples/two_sboms.json diff --git a/serialization/json_ld/EXAMPLES.md b/serialization/json_ld/EXAMPLES.md new file mode 100644 index 000000000..80d4776ad --- /dev/null +++ b/serialization/json_ld/EXAMPLES.md 
@@ -0,0 +1,30 @@
+### Agents
+- [Agent1](examples/agent1.json)
+- [Person1 with minimal CreationInfo](examples/person1.json)
+- [Person2 with full CreationInfo](examples/person2.json))
+- [Person3 with no CreationInfo](examples/person3.json) - does this even mean anything?
+- [Organization1](examples/org1.json)
+- [Tool1](examples/tool1.json) - not an Agent
+
+### Annotations
+- [Annotation1](examples/annotation1.json)
+
+### Artifacts
+- [Package1](examples/package1.json)
+- [File1](examples/file1.json)
+
+### Relationships
+- [Relationship1 with Package contains two Files](examples/spdx_document3.json)
+
+### Collections
+- [Sbom1 with two Files](examples/sbom1.json)
+
+### Documents
+- [SpdxDocument1 with two Files](examples/spdx_document1.json)
+- [SpdxDocument2 with two Files](examples/spdx_document2.json) - all in the same payload
+- [SpdxDocument3 with a Package that contains two Files](examples/spdx_document3.json) - all in the same payload
+- [SpdxDocument4](examples/spdx_document4.json) - same as SpdxDocument3 but using the context to shorten URIs
+
+### Full examples
+- [converted SPDX document from SPDX-2.3](examples/converted_from_spdx_2.json) - converted from [this file](https://github.com/spdx/spdx-spec/blob/development/v2.3.1/examples/SPDXJSONExample-v2.3.spdx.json)
+
diff --git a/serialization/json_ld/examples/agent1.json b/serialization/json_ld/examples/agent1.json
new file mode 100644
index 000000000..d72032798
--- /dev/null
+++ b/serialization/json_ld/examples/agent1.json
@@ -0,0 +1,21 @@
+{
+ "@context": "https://spdx.github.io/spdx-3-model/rdf/context.json",
+ "type": "Agent",
+ "spdxId": "https://some.namespace#agent1",
+ "creationInfo": {
+ "type": "CreationInfo",
+ "specVersion": "3.0.0",
+ "created": "2022-12-01T00:00:00",
+ "createdBy": ["https://spdx.dev/elements/3F26391C#spdx-dev"],
+ "profile": ["core"],
+ "dataLicense": "https://spdx.org/licenses/CC0-1.0"
+ },
+ "name": "John Smith",
+ "externalIdentifier": [
+ {
+ "type": "ExternalIdentifier",
+ "externalIdentifierType": "email",
+ "identifier": "info@acme.com"
+ }
+ ]
+}
diff --git a/serialization/json_ld/examples/annotation1.json b/serialization/json_ld/examples/annotation1.json
new file mode 100644
index 000000000..0abc11bf6
--- /dev/null
+++ b/serialization/json_ld/examples/annotation1.json
@@ -0,0 +1,18 @@
+{
+ "@context": "https://spdx.github.io/spdx-3-model/rdf/context.json",
+ "type": "Annotation",
+ "spdxId": "http://spdx.acme.org/3FA9CB25#annotation34",
+ "creationInfo": {
+ "type": "CreationInfo",
+ "specVersion": "3.0.0",
+ "created": "2022-12-01T00:00:00",
+ "createdBy": ["https://spdx.dev/elements/3F26391C#spdx-dev"],
+ "profile": ["core"],
+ "dataLicense": "https://spdx.org/licenses/CC0-1.0"
+ },
+ "name": "Acme Corp. Super SBOM-o-lator",
+ "annotationType": "review",
+ "subject": "http://spdx.acme.org/3FA9CB25#person9",
+ "contentType": "text/plain",
+ "statement": "Keanu Reeves is back as cyberpunk icon Neo but fans of the original will find this cynical reboot a bitter pill to swallow."
+}
diff --git a/serialization/json_ld/examples/converted_from_spdx_2.json b/serialization/json_ld/examples/converted_from_spdx_2.json
new file mode 100644
index 000000000..1982e0bfa
--- /dev/null
+++ b/serialization/json_ld/examples/converted_from_spdx_2.json
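Review bot: `creationInfo.created` is `2022-12-01T00:00:00` with no timezone designator, while the converted example in this same patch writes `2010-01-29T18:30:22Z`; an offset-less timestamp is ambiguous for anyone ordering or comparing creation records produced by different tools, and the hand-written examples are what implementers copy. Suggest `"created": "2022-12-01T00:00:00Z"` here and in the other new example files that use the same value. The contact `info@acme.com` is also a live third-party domain; `example.com` is reserved for exactly this purpose and avoids putting a real mailbox into a document that gets copied verbatim.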
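Review bot: `subject` points at `http://spdx.acme.org/3FA9CB25#person9`, an spdxId that none of the example files in this patch define, so a reader cannot check what the review annotation is attached to or whether the reference resolves. Pointing it at an element that exists in the same namespace, `"subject": "http://spdx.acme.org/3FA9CB25#person2"`, would let the examples cross-validate. The `created` value has the same missing-timezone issue as agent1.json.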
@@ -0,0 +1,438 @@ +{ + "@context": [ + "https://spdx.github.io/spdx-3-model/rdf/context.json", + { + "spdx-example": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#" + } + ], + "@graph": [ + { + "type": "Tool", + "spdxId": "spdx-example:SPDXRef-Actor-LicenseFind-1.0", + "name": "LicenseFind-1.0" + }, + { + "type": "Organization", + "spdxId": "spdx-example:SPDXRef-Actor-ExampleCodeInspect", + "name": "ExampleCodeInspect" + }, + { + "type": "Person", + "spdxId": "spdx-example:SPDXRef-Actor-JaneDoe", + "name": "Jane Doe" + }, + { + "type": "SpdxDocument", + "spdxId": "spdx-example:SPDXRef-DOCUMENT", + "creationInfo": { + "type": "CreationInfo", + "specVersion": "3.0.0", + "created": "2010-01-29T18:30:22Z", + "createdBy": [ + "spdx-example:SPDXRef-Actor-ExampleCodeInspect", + "spdx-example:SPDXRef-Actor-JaneDoe" + ], + "createdUsing": [ + "spdx-example:SPDXRef-Actor-LicenseFind-1.0" + ], + "profile": [ + "core", + "software", + "licensing" + ], + "dataLicense": "https://spdx.org/licenses/CC0-1.0", + "comment": "This is the SPDX-2.3 JSON example converted to SPDX-3.0. As there is currently no closure on how to treat licenses, they are omitted here for now." 
+ }, + "name": "SPDX-Tools-v2.0", + "comment": "This document was created using SPDX 2.0 using licenses from the web site.", + "element": [ + "spdx-example:SPDXRef-Actor-LicenseFind-1.0", + "spdx-example:SPDXRef-Actor-ExampleCodeInspect", + "spdx-example:SPDXRef-Actor-JaneDoe", + "spdx-example:SPDXRef-Actor-JaneDoe-jane.doe@example.com", + "spdx-example:SPDXRef-Actor-ExampleCodeInspect-contact@example.com", + "spdx-example:SPDXRef-Package", + "spdx-example:SPDXRef-fromDoap-1", + "spdx-example:SPDXRef-fromDoap-0", + "spdx-example:SPDXRef-Saxon", + "spdx-example:SPDXRef-DoapSource", + "spdx-example:SPDXRef-CommonsLangSrc", + "spdx-example:SPDXRef-JenaLib", + "spdx-example:SPDXRef-Specification", + "spdx-example:SPDXRef-File", + "spdx-example:SPDXRef-Snippet", + "spdx-example:SPDXRef-Relationship-0", + "spdx-example:SPDXRef-Relationship-1", + "spdx-example:SPDXRef-Relationship-2", + "spdx-example:SPDXRef-Relationship-4", + "spdx-example:SPDXRef-Relationship-5", + "spdx-example:SPDXRef-Relationship-6", + "spdx-example:SPDXRef-Relationship-8", + "spdx-example:SPDXRef-Relationship-12", + "spdx-example:SPDXRef-Annotation-0", + "spdx-example:SPDXRef-Actor-JoeReviewer", + "spdx-example:SPDXRef-Annotation-1", + "spdx-example:SPDXRef-Actor-SuzanneReviewer", + "spdx-example:SPDXRef-Annotation-2", + "spdx-example:SPDXRef-Actor-PackageCommenter", + "spdx-example:SPDXRef-Annotation-3", + "spdx-example:SPDXRef-Actor-FileCommenter", + "spdx-example:SPDXRef-Annotation-4" + ], + "rootElement": [ + "spdx-example:SPDXRef-File", + "spdx-example:SPDXRef-Package" + ], + "namespaces": [ + { + "type": "NamespaceMap", + "prefix": "DocumentRef-spdx-tool-1.2", + "namespace": "http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301#" + } + ], + "imports": [ + { + "type": "ExternalMap", + "externalId": "DocumentRef-spdx-tool-1.2:SPDXRef-DOCUMENT", + "verifiedUsing": [ + { + "type": "Hash", + "algorithm": "sha1", + "hashValue": "d6a770ba38583ed4bb4525bd96e50461655d2759" + } 
+ ] + } + ] + }, + { + "type": "Person", + "spdxId": "spdx-example:SPDXRef-Actor-JaneDoe-jane.doe@example.com", + "name": "Jane Doe", + "externalIdentifier": [ + { + "type": "ExternalIdentifier", + "externalIdentifierType": "email", + "identifier": "jane.doe@example.com" + } + ] + }, + { + "type": "Organization", + "spdxId": "spdx-example:SPDXRef-Actor-ExampleCodeInspect-contact@example.com", + "name": "ExampleCodeInspect", + "externalIdentifier": [ + { + "type": "ExternalIdentifier", + "externalIdentifierType": "email", + "identifier": "contact@example.com" + } + ] + }, + { + "type": "Package", + "spdxId": "spdx-example:SPDXRef-Package", + "name": "glibc", + "summary": "GNU C library.", + "description": "The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems.", + "verifiedUsing": [ + { + "type": "Hash", + "algorithm": "md5", + "hashValue": "624c1abb3664f4b35547e7c73864ad24" + }, + { + "type": "Hash", + "algorithm": "sha1", + "hashValue": "85ed0817af83a24ad8da68c2b5094de69833983c" + }, + { + "type": "Hash", + "algorithm": "sha256", + "hashValue": "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd" + }, + { + "type": "Hash", + "algorithm": "blake2B384", + "hashValue": "aaabd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706" + } + ], + "externalIdentifier": [ + { + "type": "ExternalIdentifier", + "externalIdentifierType": "cpe23", + "identifier": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*" + } + ], + "originatedBy": [ + "spdx-example:SPDXRef-Actor-ExampleCodeInspect-contact@example.com" + ], + "suppliedBy": [ + "spdx-example:SPDXRef-Actor-JaneDoe-jane.doe@example.com" + ], + "builtTime": "2011-01-29T18:30:22Z", + "releaseTime": "2012-01-29T18:30:22Z", + "validUntilTime": "2014-01-29T18:30:22Z", + "purpose": [ + "source" + ], + 
"copyrightText": "Copyright 2008-2010 John Smith", + "attributionText": "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually.", + "packageVersion": "2.11.1", + "downloadLocation": "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz", + "homepage": "http://ftp.gnu.org/gnu/glibc", + "sourceInfo": "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git." + }, + { + "type": "Package", + "spdxId": "spdx-example:SPDXRef-fromDoap-1", + "name": "Apache Commons Lang", + "homepage": "http://commons.apache.org/proper/commons-lang/" + }, + { + "type": "Package", + "spdxId": "spdx-example:SPDXRef-fromDoap-0", + "name": "Jena", + "packageVersion": "3.12.0", + "downloadLocation": "https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz", + "packageUrl": "pkg:maven/org.apache.jena/apache-jena@3.12.0", + "homepage": "http://www.openjena.org/" + }, + { + "type": "Package", + "spdxId": "spdx-example:SPDXRef-Saxon", + "name": "Saxon", + "description": "The Saxon package is a collection of tools for processing XML documents.", + "verifiedUsing": [ + { + "type": "Hash", + "algorithm": "sha1", + "hashValue": "85ed0817af83a24ad8da68c2b5094de69833983c" + } + ], + "copyrightText": "Copyright Saxonica Ltd", + "packageVersion": "8.8", + "downloadLocation": "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download", + "homepage": "http://saxon.sourceforge.net/" + }, + { + "type": "File", + "spdxId": "spdx-example:SPDXRef-DoapSource", + "name": "./src/org/spdx/parser/DOAPProject.java", + "verifiedUsing": [ + { + "type": "Hash", + "algorithm": "sha1", + "hashValue": 
"2fd4e1c67a2d28fced849ee1bb76e7391b93eb12" + } + ], + "copyrightText": "Copyright 2010, 2011 Source Auditor Inc." + }, + { + "type": "File", + "spdxId": "spdx-example:SPDXRef-CommonsLangSrc", + "name": "./lib-source/commons-lang3-3.1-sources.jar", + "comment": "This file is used by Jena", + "verifiedUsing": [ + { + "type": "Hash", + "algorithm": "sha1", + "hashValue": "c2b4e1c67a2d28fced849ee1bb76e7391b93f125" + } + ], + "copyrightText": "Copyright 2001-2011 The Apache Software Foundation" + }, + { + "type": "File", + "spdxId": "spdx-example:SPDXRef-JenaLib", + "name": "./lib-source/jena-2.6.3-sources.jar", + "comment": "This file belongs to Jena", + "verifiedUsing": [ + { + "type": "Hash", + "algorithm": "sha1", + "hashValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125" + } + ], + "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP" + }, + { + "type": "File", + "spdxId": "spdx-example:SPDXRef-Specification", + "name": "./docs/myspec.pdf", + "comment": "Specification Documentation", + "verifiedUsing": [ + { + "type": "Hash", + "algorithm": "sha1", + "hashValue": "fff4e1c67a2d28fced849ee1bb76e7391b93f125" + } + ] + }, + { + "type": "File", + "spdxId": "spdx-example:SPDXRef-File", + "name": "./package/foo.c", + "comment": "The concluded license was taken from the package level that the file was included in.\nThis information was found in the COPYING.txt file in the xyz directory.", + "verifiedUsing": [ + { + "type": "Hash", + "algorithm": "sha1", + "hashValue": "d6a770ba38583ed4bb4525bd96e50461655d2758" + }, + { + "type": "Hash", + "algorithm": "md5", + "hashValue": "624c1abb3664f4b35547e7c73864ad24" + } + ], + "copyrightText": "Copyright 2008-2010 John Smith" + }, + { + "type": "Snippet", + "spdxId": "spdx-example:SPDXRef-Snippet", + "name": "from linux kernel", + "comment": "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner 
identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0.", + "copyrightText": "Copyright 2008-2010 John Smith", + "byteRange": { + "begin": 310, + "end": 420 + }, + "lineRange": { + "begin": 5, + "end": 23 + } + }, + { + "type": "Relationship", + "spdxId": "spdx-example:SPDXRef-Relationship-0", + "from": "spdx-example:SPDXRef-DOCUMENT", + "to": [ + "spdx-example:SPDXRef-Package" + ], + "relationshipType": "contains" + }, + { + "type": "Relationship", + "spdxId": "spdx-example:SPDXRef-Relationship-1", + "from": "spdx-example:SPDXRef-DOCUMENT", + "to": [ + "spdx-example:DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement" + ], + "relationshipType": "copy" + }, + { + "type": "SoftwareDependencyRelationship", + "spdxId": "spdx-example:SPDXRef-Relationship-2", + "from": "spdx-example:SPDXRef-Package", + "to": [ + "spdx-example:SPDXRef-Saxon" + ], + "relationshipType": "dependsOn", + "softwareLinkage": "dynamic" + }, + { + "type": "Relationship", + "spdxId": "spdx-example:SPDXRef-Relationship-4", + "from": "spdx-example:SPDXRef-JenaLib", + "to": [ + "spdx-example:SPDXRef-Package" + ], + "relationshipType": "contains" + }, + { + "type": "Relationship", + "spdxId": "spdx-example:SPDXRef-Relationship-5", + "from": "spdx-example:SPDXRef-Specification", + "to": [ + "spdx-example:SPDXRef-fromDoap-0" + ], + "relationshipType": "specificationFor" + }, + { + "type": "Relationship", + "spdxId": "spdx-example:SPDXRef-Relationship-6", + "from": "spdx-example:SPDXRef-fromDoap-0", + "to": [ + "spdx-example:SPDXRef-File" + ], + "relationshipType": "generates" + }, + { + "type": "Relationship", + "spdxId": "spdx-example:SPDXRef-Relationship-8", + "from": "spdx-example:SPDXRef-DOCUMENT", + "to": [ + "spdx-example:SPDXRef-File", + "spdx-example:SPDXRef-Package" + ], + "relationshipType": "describes" + }, + { + "type": "Relationship", + "spdxId": "spdx-example:SPDXRef-Relationship-12", + "from": "spdx-example:SPDXRef-Package", + "to": [ + 
"spdx-example:SPDXRef-Specification", + "spdx-example:SPDXRef-CommonsLangSrc", + "spdx-example:SPDXRef-JenaLib", + "spdx-example:SPDXRef-DoapSource" + ], + "relationshipType": "contains" + }, + { + "type": "Annotation", + "spdxId": "spdx-example:SPDXRef-Annotation-0", + "annotationType": "other", + "subject": "spdx-example:SPDXRef-DOCUMENT", + "statement": "Document level annotation" + }, + { + "type": "Person", + "spdxId": "spdx-example:SPDXRef-Actor-JoeReviewer", + "name": "Joe Reviewer" + }, + { + "type": "Annotation", + "spdxId": "spdx-example:SPDXRef-Annotation-1", + "annotationType": "review", + "subject": "spdx-example:SPDXRef-DOCUMENT", + "statement": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses" + }, + { + "type": "Person", + "spdxId": "spdx-example:SPDXRef-Actor-SuzanneReviewer", + "name": "Suzanne Reviewer" + }, + { + "type": "Annotation", + "spdxId": "spdx-example:SPDXRef-Annotation-2", + "annotationType": "review", + "subject": "spdx-example:SPDXRef-DOCUMENT", + "statement": "Another example reviewer." + }, + { + "type": "Person", + "spdxId": "spdx-example:SPDXRef-Actor-PackageCommenter", + "name": "Package Commenter" + }, + { + "type": "Annotation", + "spdxId": "spdx-example:SPDXRef-Annotation-3", + "annotationType": "other", + "subject": "spdx-example:SPDXRef-Package", + "statement": "Package level annotation" + }, + { + "type": "Person", + "spdxId": "spdx-example:SPDXRef-Actor-FileCommenter", + "name": "File Commenter" + }, + { + "type": "Annotation", + "spdxId": "spdx-example:SPDXRef-Annotation-4", + "annotationType": "other", + "subject": "spdx-example:SPDXRef-File", + "statement": "File level annotation" + } + ] +} diff --git a/serialization/json_ld/examples/file1.json b/serialization/json_ld/examples/file1.json new file mode 100644 index 000000000..79ec085a1 --- /dev/null +++ b/serialization/json_ld/examples/file1.json 
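Review bot: In `SPDXRef-Relationship-1` the `to` value `spdx-example:DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement` prefixes the local `spdx-example` term onto the DocumentRef, so the context expands it to an IRI inside this document's own namespace rather than the external one declared in `namespaces`; the one cross-document link whose integrity the `imports` `ExternalMap` (sha1) is meant to pin therefore cannot be matched against that map, and the map itself names `...:SPDXRef-DOCUMENT`, a different element. A resolvable form would be the full IRI, `"to": ["http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301#SPDXRef-ToolsElement"]`, or a prefix for it added to the `@context` — whichever the serialization guide settles on. Separately, the five Annotation elements have no `creationInfo`, so the reviewers (`SPDXRef-Actor-JoeReviewer`, `SPDXRef-Actor-SuzanneReviewer`, …) exist as Persons but nothing links an annotation to who made it, which loses the annotator the 2.3 source carried. The conversion also appears to drop the snippet's owning file (2.3 `snippetFromFile`), which leaves `SPDXRef-Snippet` with byte/line ranges into nothing; worth confirming against the 3.0 Snippet properties.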
@@ -0,0 +1,18 @@
+{
+ "@context": "https://spdx.github.io/spdx-3-model/rdf/context.json",
+ "type": "File",
+ "spdxId": "https://some.namespace#file1",
+ "creationInfo": {
+ "type": "CreationInfo",
+ "specVersion": "3.0.0",
+ "created": "2022-12-01T00:00:00",
+ "createdBy": ["https://spdx.dev/elements/3F26391C#spdx-dev"],
+ "profile": ["core", "software"],
+ "dataLicense": "https://spdx.org/licenses/CC0-1.0"
+ },
+ "name": "model.png",
+ "contentType": "image/png",
+ "purpose": ["documentation"],
+ "contentIdentifier": "https://github.com/spdx/spdx-3-model/blob/main/model.png",
+ "originatedBy": ["https://spdx.dev/elements/3F26391C#spdx-dev"]
+}
diff --git a/serialization/json_ld/examples/org1.json b/serialization/json_ld/examples/org1.json
new file mode 100644
index 000000000..16fe567e0
--- /dev/null
+++ b/serialization/json_ld/examples/org1.json
@@ -0,0 +1,14 @@
+{
+ "@context": "https://spdx.github.io/spdx-3-model/rdf/context.json",
+ "type": "Organization",
+ "spdxId": "https://spdx.dev/elements/3F26391C#spdx-dev",
+ "creationInfo": {
+ "type": "CreationInfo",
+ "specVersion": "3.0.0",
+ "created": "2022-12-01T00:00:00",
+ "createdBy": ["https://spdx.dev/elements/3F26391C#spdx-dev"],
+ "profile": ["core"],
+ "dataLicense": "https://spdx.org/licenses/CC0-1.0"
+ },
+ "name": "spdx.dev"
+}
diff --git a/serialization/json_ld/examples/package.jsonld b/serialization/json_ld/examples/package.jsonld
deleted file mode 100644
index 5abf3da52..000000000
--- a/serialization/json_ld/examples/package.jsonld
+++ /dev/null
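Review bot: The File element carries a `contentIdentifier` but no `verifiedUsing` hash, and the identifier is a mutable branch URL (`.../blob/main/model.png`), so nothing in the element lets a consumer confirm that the bytes they fetch are the bytes the SBOM describes. package1.json in this same patch shows the intended pattern; adding the equivalent here, `"verifiedUsing": [{ "type": "Hash", "algorithm": "sha256", "hashValue": "<sha256 of model.png>" }]`, would make the File example verifiable rather than merely locatable. A commit-pinned URL instead of `main` would also stop the identifier from silently pointing at different content over time.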
@@ -1,52 +0,0 @@ -{ - "@context": "https://spdx.github.io/spdx-3-model/rdf/context.json", - "@graph": [ - { - "@type": "Package", - "@id": "https://some.namespace#SPDXRef-Package", - "name": "packageName", - "creationInfo": { - "specVersion": "3.0.0", - "created": "2022-12-01T00:00:00", - "createdBy": [ - "https://some.namespace#SPDXRef-Actor-creatorName-some@mail.com" - ], - "profile": [ - "core", - "software" - ], - "dataLicense": "CC0-1.0" - }, - "summary": "packageSummary", - "description": "packageDescription", - "comment": "packageComment", - "verifiedUsing": [ - { - "@type": "Hash", - "algorithm": "sha1", - "hashValue": "71c4025dd9897b364f3ebbb42c484ff43d00791c" - }, - { - "@type": "Hash", - "algorithm": "sha256", - "hashValue": "fbea580d286bbbbb41314430d58ba887716a74d7134119c5307cdc9f0c7a4299" - } - ], - "originatedBy": "https://some.namespace#SPDXRef-Actor-creatorName-some@mail.com", - "packagePurpose": [ - "SOURCE" - ], - "packageUrl": "https://some.purl", - "externalReference": [ - { - "externalReferenceType": "support", - "locator": "https://support.com" - } - ], - "packageVersion": "12.2", - "downloadLocation": "https://download.com", - "homepage": "https://homepage.com", - "release_time": "2022-11-01T00:00:00" - } - ] -} diff --git a/serialization/json_ld/examples/package1.json b/serialization/json_ld/examples/package1.json new file mode 100644 index 000000000..975c7960a --- /dev/null +++ b/serialization/json_ld/examples/package1.json 
@@ -0,0 +1,44 @@
+{
+ "@context": "https://spdx.github.io/spdx-3-model/rdf/context.json",
+ "type": "Package",
+ "spdxId": "https://some.namespace#SPDXRef-Package",
+ "creationInfo": {
+ "type": "CreationInfo",
+ "specVersion": "3.0.0",
+ "created": "2022-12-01T00:00:00",
+ "createdBy": ["https://spdx.dev/elements/3F26391C#spdx-dev"],
+ "profile": ["core", "software"],
+ "dataLicense": "https://spdx.org/licenses/CC0-1.0"
+ },
+ "name": "packageName",
+ "summary": "packageSummary",
+ "description": "packageDescription",
+ "comment": "packageComment",
+ "packageVersion": "12.2",
+ "downloadLocation": "https://download.com",
+ "packageUrl": "https://some.purl",
+ "homepage": "https://homepage.com",
+ "purpose": ["source"],
+ "contentIdentifier": "urn:spdx.dev:pkg:123456789",
+ "originatedBy": ["https://some.namespace#SPDXRef-Agent-creatorName-some@mail.com"],
+ "suppliedBy": ["https://some.namespace#john_smith"],
+ "verifiedUsing": [
+ {
+ "type": "Hash",
+ "algorithm": "sha1",
+ "hashValue": "71c4025dd9897b364f3ebbb42c484ff43d00791c"
+ },
+ {
+ "type": "Hash",
+ "algorithm": "sha256",
+ "hashValue": "fbea580d286bbbbb41314430d58ba887716a74d7134119c5307cdc9f0c7a4299"
+ }
+ ],
+ "externalReference": [
+ {
+ "type": "ExternalReference",
+ "externalReferenceType": "securityFix",
+ "locator": ["https://support.com"]
+ }
+ ]
+}
diff --git a/serialization/json_ld/examples/person.jsonld b/serialization/json_ld/examples/person.jsonld
deleted file mode 100644
index 9bbabcb98..000000000
--- a/serialization/json_ld/examples/person.jsonld
+++ /dev/null
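Review bot: `originatedBy` references `https://some.namespace#SPDXRef-Agent-creatorName-some@mail.com`, an spdxId no example in this patch defines, while `suppliedBy` on the next line already uses the defined `https://some.namespace#john_smith`; a dangling originator is exactly the provenance pointer a consumer would want to resolve, so reusing `"originatedBy": ["https://some.namespace#john_smith"]` or `...#spdx-dev` keeps the example self-consistent. `downloadLocation`, `homepage` and the `securityFix` locator all point at real registered domains (`download.com`, `homepage.com`, `support.com`) that the project does not control; the reserved `example.com`/`example.org` names avoid sending readers who copy the example to someone else's site. `packageUrl` `https://some.purl` is not a `pkg:` purl either; the converted example uses `pkg:maven/org.apache.jena/apache-jena@3.12.0`, which would be a better model here.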
@@ -1,28 +0,0 @@ -{ - "@context": "https://spdx.github.io/spdx-3-model/rdf/context.json", - "@graph": [ - { - "@type": "Person", - "@id": "https://some.namespace#john_smith", - "creationInfo": { - "specVersion": "3.0.0", - "created": "2022-12-01T00:00:00", - "createdBy": [ - "https://some.namespace#john_smith" - ], - "profile": [ - "core" - ], - "dataLicense": "CC0-1.0" - }, - "name": "John Smith", - "externalIdentifier": [ - { - "@type": "ExternalIdentifier", - "externalIdentifierType": "email", - "identifier": "john@smith.com" - } - ] - } - ] -} diff --git a/serialization/json_ld/examples/person1.json b/serialization/json_ld/examples/person1.json new file mode 100644 index 000000000..67f3edb48 --- /dev/null +++ b/serialization/json_ld/examples/person1.json @@ -0,0 +1,21 @@ +{ + "@context": "https://spdx.github.io/spdx-3-model/rdf/context.json", + "type": "Person", + "spdxId": "https://some.namespace#john_smith", + "creationInfo": { + "type": "CreationInfo", + "specVersion": "3.0.0", + "created": "2022-12-01T00:00:00", + "createdBy": ["https://spdx.dev/elements/3F26391C#spdx-dev"], + "profile": ["core"], + "dataLicense": "https://spdx.org/licenses/CC0-1.0" + }, + "name": "John Smith", + "externalIdentifier": [ + { + "type": "ExternalIdentifier", + "externalIdentifierType": "email", + "identifier": "john@smith.com" + } + ] +} diff --git a/serialization/json_ld/examples/person2.json b/serialization/json_ld/examples/person2.json new file mode 100644 index 000000000..69ddc0c14 --- /dev/null +++ b/serialization/json_ld/examples/person2.json 
@@ -0,0 +1,23 @@
+{
+ "@context": "https://spdx.github.io/spdx-3-model/rdf/context.json",
+ "type": "Person",
+ "spdxId": "http://spdx.acme.org/3FA9CB25#person2",
+ "creationInfo": {
+ "type": "CreationInfo",
+ "specVersion": "3.0.0",
+ "created": "2022-12-01T00:00:00",
+ "createdBy": ["https://spdx.dev/elements/3F26391C#spdx-dev"],
+ "createdUsing": ["https://some.namespace#sbomolator_v2"],
+ "profile": ["core"],
+ "dataLicense": "https://spdx.org/licenses/CC0-1.0",
+ "comment": "Source: payroll list, 20221130"
+ },
+ "name": "Alice Stone",
+ "externalIdentifier": [
+ {
+ "type": "ExternalIdentifier",
+ "externalIdentifierType": "email",
+ "identifier": "Alice.Stone@acme.com"
+ }
+ ]
+}
diff --git a/serialization/json_ld/examples/person3.json b/serialization/json_ld/examples/person3.json
new file mode 100644
index 000000000..ec7098e12
--- /dev/null
+++ b/serialization/json_ld/examples/person3.json
@@ -0,0 +1,13 @@
+{
+ "@context": "https://spdx.github.io/spdx-3-model/rdf/context.json",
+ "type": "Person",
+ "spdxId": "http://spdx.acme.org/3FA9CB25#person3",
+ "name": "Nigel Thornberry",
+ "externalIdentifier": [
+ {
+ "type": "ExternalIdentifier",
+ "externalIdentifierType": "email",
+ "identifier": "nigel3@outlook.com"
+ }
+ ]
+}
diff --git a/serialization/json_ld/examples/relationship1.json b/serialization/json_ld/examples/relationship1.json
new file mode 100644
index 000000000..5fd17e67d
--- /dev/null
+++ b/serialization/json_ld/examples/relationship1.json
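Review bot: `creationInfo.comment` reads `Source: payroll list, 20221130` next to a named person and an email address; that records where personal data was harvested from, and SBOMs are shared with customers and published, so the example teaches a disclosure that a real producer should not make. A neutral note such as `"comment": "Contact record for the Acme release engineering team"` demonstrates the field without the privacy lesson. `createdUsing` points at `https://some.namespace#sbomolator_v2`, which nothing in this patch defines (tool1.json is listed in the diffstat but its spdxId is not visible here), and `Alice.Stone@acme.com` is a real third-party domain where `example.com` would do.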
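Review bot: person3 has no `creationInfo` at all, and EXAMPLES.md in this same patch asks whether that means anything; an element that cannot say who created it or when cannot be attributed or ordered, and a consumer that requires creation info will reject the file outright. If the file is meant to show a Person that is only ever referenced from a payload whose creation info it inherits, the example entry should say so explicitly rather than leave a question mark; otherwise the minimal block from person1.json, `"creationInfo": { "type": "CreationInfo", "specVersion": "3.0.0", "created": "2022-12-01T00:00:00Z", "createdBy": ["https://spdx.dev/elements/3F26391C#spdx-dev"], "profile": ["core"], "dataLicense": "https://spdx.org/licenses/CC0-1.0" }`, makes it a valid standalone element. `nigel3@outlook.com` is a live mailbox namespace; `example.com` avoids pointing at one.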
@@ -0,0 +1,19 @@
+{
+ "@context": "https://spdx.github.io/spdx-3-model/rdf/context.json",
+ "type": "Relationship",
+ "spdxId": "https://some.namespace#relationship1",
+ "creationInfo": {
+ "type": "CreationInfo",
+ "specVersion": "3.0.0",
+ "created": "2022-12-01T00:00:00",
+ "createdBy": ["https://spdx.dev/elements/3F26391C#spdx-dev"],
+ "profile": ["core"],
+ "dataLicense": "https://spdx.org/licenses/CC0-1.0"
+ },
+ "from": "https://some.namespace#SPDXRef-Package",
+ "to": [
+ "https://some.namespace#file1",
+ "https://some.namespace#file2"
+ ],
+ "relationshipType": "contains"
+}
diff --git a/serialization/json_ld/examples/sbom1.json b/serialization/json_ld/examples/sbom1.json
new file mode 100644
index 000000000..7c4cb1ffe
--- /dev/null
+++ b/serialization/json_ld/examples/sbom1.json
@@ -0,0 +1,21 @@
+{
+ "@context": "https://spdx.github.io/spdx-3-model/rdf/context.json",
+ "type": "Sbom",
+ "spdxId": "https://some.namespace#SBOM",
+ "creationInfo": {
+ "type": "CreationInfo",
+ "specVersion": "3.0.0",
+ "created": "2022-12-01T00:00:00",
+ "createdBy": ["https://spdx.dev/elements/3F26391C#spdx-dev"],
+ "profile": ["core", "software"],
+ "dataLicense": "https://spdx.org/licenses/CC0-1.0"
+ },
+ "sbomType": "TBD",
+ "element": [
+ "https://some.namespace#File1",
+ "https://spdx.dev/elements/3F26391C#spdx-spec-v2.3"
+ ],
+ "rootElement": [
+ "https://some.namespace#File1"
+ ]
+}
diff --git a/serialization/json_ld/examples/spdx_document.jsonld b/serialization/json_ld/examples/spdx_document.jsonld
deleted file mode 100644
index f481bed8b..000000000
--- a/serialization/json_ld/examples/spdx_document.jsonld
+++ /dev/null
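Review bot: The `to` list references `https://some.namespace#file2`, which no standalone example defines (file1.json defines `#file1` only), so this relationship cannot be checked against the rest of the example set the way package1.json and person1.json can. Defining a file2.json, or pointing the second entry at the already-defined `https://spdx.dev/elements/3F26391C#spdx-spec-v2.3`, would close that gap. Note also that EXAMPLES.md in this patch links its "Relationship1" entry to `examples/spdx_document3.json` rather than to this file.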
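Review bot: `"sbomType": "TBD"` is a placeholder, not a value the model's SbomType enumeration is likely to accept, so a validating consumer rejects the one SBOM example in the set; `"sbomType": ["build"]` (or whichever of the enumerated kinds the example intends) should replace it before this is published — confirm the enumeration and whether the property is a list in the current model. `element` and `rootElement` also list `https://some.namespace#File1`, while file1.json in this patch defines `https://some.namespace#file1`; IRI fragments are case-sensitive, so the SBOM's membership points at an element that does not exist. The `created` value lacks a timezone, as in the other hand-written examples.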
@@ -1,105 +0,0 @@ -{ - "@context": "https://spdx.github.io/spdx-3-model/rdf/context.json", - "@graph": [ - { - "@type": "Person", - "@id": "https://some.namespace#SPDXRef-Actor-creatorName-some@mail.com", - "creationInfo": { - "@id": "_a", - "specVersion": "3.0.0", - "created": "2022-12-01T00:00:00", - "createdBy": [ - "https://some.namespace#SPDXRef-Actor-creatorName-some@mail.com" - ], - "profile": [ - "core", - "software" - ], - "dataLicense": "CC0-1.0" - }, - "name": "creatorName", - "externalIdentifier": [ - { - "@type": "ExternalIdentifier", - "externalIdentifierType": "email", - "identifier": "some@mail.com" - } - ] - }, - { - "@type": "SpdxDocument", - "@id": "https://some.namespace#SPDXRef-DOCUMENT", - "creationInfo": "_a", - "name": "documentName", - "comment": "documentComment", - "elements": [ - "https://some.namespace#SPDXRef-DOCUMENT", - "https://some.namespace#SBOM", - "https://some.namespace#SPDXRef-Actor-creatorName-some@mail.com", - "https://some.namespace#SPDXRef-Package", - "https://some.namespace#SPDXRef-File", - "https://some.namespace#SPDXRef-Relationship-0", - "https://some.namespace#SPDXRef-Relationship-1" - ] - }, - { - "@type": "SBOM", - "@id": "https://some.namespace#SBOM", - "creationInfo": "_a", - "name": "SBOM", - "elements": [ - "https://some.namespace#SPDXRef-Package", - "https://some.namespace#SPDXRef-File" - ] - }, - { - "@type": "Package", - "@id": "https://some.namespace#SPDXRef-Package", - "name": "packageName", - "verifiedUsing": [ - { - "@type": "Hash", - "algorithm": "sha1", - "hashValue": "71c4025dd9897b364f3ebbb42c484ff43d00791c" - } - ], - "originatedBy": "https://some.namespace#SPDXRef-Actor-creatorName-some@mail.com", - "packagePurpose": [ - "SOURCE" - ], - "packageVersion": "12.2", - "downloadLocation": "https://download.com", - "homepage": "https://homepage.com" - }, - { - "@type": "File", - "@id": "https://some.namespace#SPDXRef-File", - "name": "./fileName.py", - "verifiedUsing": [ - { - "@type": "Hash", - 
"algorithm": "sha1", - "hashValue": "71c4025dd9897b364f3ebbb42c484ff43d00791c" - } - ] - }, - { - "@type": "Relationship", - "@id": "https://some.namespace#SPDXRef-Relationship-0", - "fromElement": "https://some.namespace#SPDXRef-DOCUMENT", - "to": [ - "https://some.namespace#SBOM" - ], - "relationshipType": "ancestor" - }, - { - "@type": "Relationship", - "@id": "https://some.namespace#SPDXRef-Relationship-1", - "fromElement": "https://some.namespace#SPDXRef-Package", - "to": [ - "https://some.namespace#SPDXRef-File" - ], - "relationshipType": "contains" - } - ] -} diff --git a/serialization/json_ld/examples/spdx_document1.json b/serialization/json_ld/examples/spdx_document1.json new file mode 100644 index 000000000..423623204 --- /dev/null +++ b/serialization/json_ld/examples/spdx_document1.json @@ -0,0 +1,21 @@ +{ + "@context": "https://spdx.github.io/spdx-3-model/rdf/context.json", + "type": "SpdxDocument", + "spdxId": "http://spdx.acme.org/3FA9CB25#spdxdocument159", + "creationInfo": { + "type": "CreationInfo", + "specVersion": "3.0.0", + "created": "2022-12-01T00:00:00", + "createdBy": ["https://spdx.dev/elements/3F26391C#spdx-dev"], + "profile": ["core", "software"], + "dataLicense": "https://spdx.org/licenses/CC0-1.0" + }, + "name": "Doc 159 - two File elements", + "element": [ + "https://some.namespace#File1", + "https://spdx.dev/elements/3F26391C#spdx-spec-v2.3" + ], + "rootElement": [ + "https://some.namespace#File1" + ] +} diff --git a/serialization/json_ld/examples/spdx_document2.json b/serialization/json_ld/examples/spdx_document2.json new file mode 100644 index 000000000..cb01af1d8 --- /dev/null +++ b/serialization/json_ld/examples/spdx_document2.json 
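Review bot: In spdx_document1.json, `element` and `rootElement` reference `https://some.namespace#File1`, but the File this example set defines (file1.json, and the File in spdx_document2.json) has spdxId `https://some.namespace#file1`; the fragment is case-sensitive, so the document claims an element that does not exist and leaves the real one unclaimed. Either `"spdxId": "https://some.namespace#File1"` in file1.json or `https://some.namespace#file1` in the two lists here would make the references resolve; the same mismatch recurs in sbom1.json, spdx_document2.json and spdx_document3.json. The `created` value has no timezone designator, unlike the converted example.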
@@ -0,0 +1,41 @@
+{
+ "@context": "https://spdx.github.io/spdx-3-model/rdf/context.json",
+ "@graph": [
+ {
+ "type": "SpdxDocument",
+ "spdxId": "http://spdx.acme.org/3FA9CB25#spdxdocument159",
+ "creationInfo": {
+ "type": "CreationInfo",
+ "specVersion": "3.0.0",
+ "created": "2022-12-01T00:00:00",
+ "createdBy": ["https://spdx.dev/elements/3F26391C#spdx-dev"],
+ "profile": ["core", "software"],
+ "dataLicense": "https://spdx.org/licenses/CC0-1.0"
+ },
+ "name": "Doc 159 - two File elements",
+ "element": [
+ "https://some.namespace#File1",
+ "https://spdx.dev/elements/3F26391C#spdx-spec-v2.3"
+ ],
+ "rootElement": [
+ "https://some.namespace#File1"
+ ]
+ },
+ {
+ "type": "File",
+ "spdxId": "https://some.namespace#file1",
+ "name": "model.png",
+ "contentType": "image/png",
+ "purpose": ["documentation"],
+ "contentIdentifier": "https://github.com/spdx/spdx-3-model/blob/main/model.png"
+ },
+ {
+ "type": "File",
+ "spdxId": "https://spdx.dev/elements/3F26391C#spdx-spec-v2.3",
+ "name": "The Software Package Data Exchange® (SPDX®) Specification Version 2.3",
+ "contentType": "text/html",
+ "purpose": ["documentation"],
+ "contentIdentifier": "https://spdx.github.io/spdx-spec/v2.3/"
+ }
+ ]
+}
diff --git a/serialization/json_ld/examples/spdx_document3.json b/serialization/json_ld/examples/spdx_document3.json
new file mode 100644
index 000000000..1cb3567af
--- /dev/null
+++ b/serialization/json_ld/examples/spdx_document3.json
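Review bot: The SpdxDocument's `element` and `rootElement` lists reference `https://some.namespace#File1`, but the File node in the same graph is identified as `https://some.namespace#file1`; IRIs are case-sensitive, so the reference points at no node in this graph. Either the node's spdxId or both references should change, e.g. `"https://some.namespace#file1"` in the two lists. The same capital-F/lowercase-f mismatch recurs in spdx_document3.json and, through the `myNamespace:` prefix, in spdx_document4.json. Since rdf.md in this commit states that references to Element nodes must use the Element's URI, a closed-world or SHACL check of these examples would likely flag the dangling reference.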
@@ -0,0 +1,52 @@
+{
+ "@context": "https://spdx.github.io/spdx-3-model/rdf/context.json",
+ "@graph": [
+ {
+ "type": "SpdxDocument",
+ "spdxId": "https://some.namespace#spdxdocument159",
+ "creationInfo": {
+ "type": "CreationInfo",
+ "specVersion": "3.0.0",
+ "created": "2022-12-01T00:00:00",
+ "createdBy": ["https://spdx.dev/elements/3F26391C#spdx-dev"],
+ "profile": ["core", "software"],
+ "dataLicense": "https://spdx.org/licenses/CC0-1.0"
+ },
+ "name": "Doc 159 - two File elements",
+ "element": [
+ "https://some.namespace#SPDXRef-Package",
+ "https://some.namespace#File1",
+ "https://spdx.dev/elements/3F26391C#spdx-spec-v2.3",
+ "https://some.namespace#relationship1"
+ ],
+ "rootElement": [
+ "https://some.namespace#SPDXRef-Package"
+ ]
+ },
+ {
+ "type": "Package",
+ "spdxId": "https://some.namespace#SPDXRef-Package",
+ "name": "packageName"
+ },
+ {
+ "type": "File",
+ "spdxId": "https://some.namespace#file1",
+ "name": "file1"
+ },
+ {
+ "type": "File",
+ "spdxId": "https://some.namespace#file2",
+ "name": "file2"
+ },
+ {
+ "type": "Relationship",
+ "spdxId": "https://some.namespace#relationship1",
+ "from": "https://some.namespace#SPDXRef-Package",
+ "to": [
+ "https://some.namespace#file1",
+ "https://some.namespace#file2"
+ ],
+ "relationshipType": "contains"
+ }
+ ]
+}
diff --git a/serialization/json_ld/examples/spdx_document4.json b/serialization/json_ld/examples/spdx_document4.json
new file mode 100644
index 000000000..2a24f7173
--- /dev/null
+++ b/serialization/json_ld/examples/spdx_document4.json
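Review bot: `element` on the SpdxDocument lists `https://spdx.dev/elements/3F26391C#spdx-spec-v2.3`, for which no node exists in this file, while `https://some.namespace#file2` — a node in the graph and a target of relationship1 — is not listed. This looks like a carry-over from spdx_document2.json; if the intent is a self-contained example, replace the spdx.dev entry with `"https://some.namespace#file2"`. As written, a reader cannot tell whether an element that is present in `@graph` but absent from `element` is intentional, which matters for anyone using these files as reference inputs to a validator.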
@@ -0,0 +1,59 @@
+{
+ "@context": [
+ "https://spdx.github.io/spdx-3-model/rdf/context.json",
+ {
+ "myNamespace": "https://some.namespace#",
+ "spdxDev": "https://spdx.dev/elements/3F26391C#",
+ "spdxLicenses": "https://spdx.org/licenses/"
+ }
+ ],
+ "@graph": [
+ {
+ "type": "SpdxDocument",
+ "spdxId": "myNamespace:spdxdocument159",
+ "creationInfo": {
+ "type": "CreationInfo",
+ "specVersion": "3.0.0",
+ "created": "2022-12-01T00:00:00",
+ "createdBy": ["spdxDev:spdx-dev"],
+ "profile": ["core", "software"],
+ "dataLicense": "spdxLicenses:CC0-1.0"
+ },
+ "name": "Doc 159 - two File elements",
+ "element": [
+ "myNamespace:SPDXRef-Package",
+ "myNamespace:File1",
+ "spdxDev:spdx-spec-v2.3",
+ "myNamespace:relationship1"
+ ],
+ "rootElement": [
+ "myNamespace:SPDXRef-Package"
+ ]
+ },
+ {
+ "type": "Package",
+ "spdxId": "myNamespace:SPDXRef-Package",
+ "name": "packageName"
+ },
+ {
+ "type": "File",
+ "spdxId": "myNamespace:file1",
+ "name": "file1"
+ },
+ {
+ "type": "File",
+ "spdxId": "myNamespace:file2",
+ "name": "file2"
+ },
+ {
+ "type": "Relationship",
+ "spdxId": "myNamespace:relationship1",
+ "from": "myNamespace:SPDXRef-Package",
+ "to": [
+ "myNamespace:file1",
+ "myNamespace:file2"
+ ],
+ "relationshipType": "contains"
+ }
+ ]
+}
diff --git a/serialization/json_ld/examples/tool1.json b/serialization/json_ld/examples/tool1.json
new file mode 100644
index 000000000..04e5f2efe
--- /dev/null
+++ b/serialization/json_ld/examples/tool1.json
@@ -0,0 +1,13 @@
+{
+ "@context": "https://spdx.github.io/spdx-3-model/rdf/context.json",
+ "type": "Tool",
+ "spdxId": "https://some.namespace#sbomolator_v2",
+ "creationInfo": {
+ "specVersion": "3.0.0",
+ "created": "2022-12-01T00:00:00",
+ "createdBy": ["https://spdx.dev/elements/3F26391C#spdx-dev"],
+ "profile": ["core"],
+ "dataLicense": "https://spdx.org/licenses/CC0-1.0"
+ },
+ "name": "Acme Corp. Super SBOM-o-lator"
+}
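Review bot: `creationInfo` in tool1.json omits `"type": "CreationInfo"`, which every other new example in this commit includes on that object. If the context does not type the object implicitly, this would be the one example that serializes an untyped blank node for its creation metadata; adding `"type": "CreationInfo",` as the first key of `creationInfo` keeps the examples uniform either way. The surrounding spdx_document4.json hunk on this line shares the File1/file1 case mismatch already raised on spdx_document2.json.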
diff --git a/serialization/json_ld/examples/two_sboms.json b/serialization/json_ld/examples/two_sboms.json
new file mode 100644
index 000000000..899d1db93
--- /dev/null
+++ b/serialization/json_ld/examples/two_sboms.json
@@ -0,0 +1,45 @@
+{
+ "@context": "https://spdx.github.io/spdx-3-model/rdf/context.json",
+ "@graph": [
+ {
+ "type": "Sbom",
+ "spdxId": "http://my_namespace.com/sbom1",
+ "creationInfo": {
+ "type": "CreationInfo",
+ "specVersion": "3.0.0",
+ "created": "2022-12-01T00:00:00",
+ "createdBy": ["https://my_namespace.com/creator1"],
+ "profile": ["core", "software"],
+ "dataLicense": "https://spdx.org/licenses/CC0-1.0"
+ },
+ "name": "My SBOM",
+ "element": [
+ "https://some.namespace#File1",
+ "https://my_namespace/my_file"
+ ],
+ "rootElement": [
+ "https://some.namespace#File1"
+ ]
+ },
+ {
+ "type": "Sbom",
+ "spdxId": "http://my_namespace.com/sbom2",
+ "creationInfo": {
+ "type": "CreationInfo",
+ "specVersion": "3.0.0",
+ "created": "2022-12-01T00:00:00",
+ "createdBy": ["https://my_namespace.com/creator1"],
+ "profile": ["core", "software"],
+ "dataLicense": "https://spdx.org/licenses/CC0-1.0"
+ },
+ "name": "My other SBOM",
+ "element": [
+ "https://some.namespace#File1",
+ "https://my_namespace/my_other_file"
+ ],
+ "rootElement": [
+ "https://some.namespace#File1"
+ ]
+ }
+ ]
+}
diff --git a/serialization/rdf.md b/serialization/rdf.md
index 77a45be02..c53a6225e 100644
--- a/serialization/rdf.md
+++ b/serialization/rdf.md
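Review bot: The same "namespace" is written three different ways in two_sboms.json: `http://my_namespace.com/` for the two `spdxId` values, `https://my_namespace.com/` in `createdBy`, and `https://my_namespace/` (no `.com`) in the `element` entries. IRIs are compared as opaque strings, so a consumer sees three unrelated namespaces and the `element` references never match anything under the namespace the SBOMs declare. Settling on one form, e.g. `"spdxId": "https://my_namespace.com/sbom1"` and `"https://my_namespace.com/my_file"`, removes the ambiguity. The `http://` versus `https://` mix also appears in the `spdxId` of spdx_document1.json and spdx_document2.json against their `https://` `createdBy` values.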
@@ -11,3 +11,24 @@ SPDX data can be serialized in RDF. This can be saved in a variety of formats, l
 1. IRIs for an enumerated value are of the form: `http://spdx.org/rdf/v3/{Namespacename}/{Classname}/{Valuename}`
+## JSON-LD
+JSON-LD is a JSON-based format to encode RDF graphs. Its documentation can be found [here](https://www.w3.org/TR/json-ld11/).
+
+The SPDX organization provides a context file that is to be used universally for all SPDX JSON-LD files of a given SPDX version.
+The context is available under https://spdx.github.io/spdx-3-model/rdf/context.json (TODO: update the URL as soon as the context is publicly available)
+and should be included in serialized files on top-level via
+```json
+"@context": "https://spdx.github.io/spdx-3-model/rdf/context.json"
+```
+Take special note that this context defines aliases for better compatibility with the SPDX model.
+In particular, these are "spdxId" for "@id" and "type" for "@type".
+Further custom namespace mapping can be included in the context in a separate object, see for example [here](json_ld/examples/spdx_document4.json).
+
+The RDF graph of an instance of the SPDX model shall contain all Element nodes (i.e. objects that are subclasses of Element) as a list on top-level under the "@graph" key.
+This means that all references to Element nodes have to use the URI of the referenced Element.
+Inlining/Embedding of Element nodes into other nodes is not allowed.
+On the other hand, non-Element nodes (like those of type "ExternalReference" or similar complex data classes) have to be inlined (TODO: we may want to make an exception for CreationInfo, depending on the outcome of the surrounding discussion).
+
+An SPDX serialization in JSON-LD is considered valid if it validates against the OWL ontology which also includes SHACL shape restrictions.
+The ontology is automatically generated from the [specification markdown files](https://github.com/spdx/spdx-3-model/tree/main/model) and can be found [here](https://github.com/spdx/spdx-3-model/blob/gh-pages/model.ttl).
+The code that generates the ontology is located [here](https://github.com/spdx/spec-parser).