chore: Add YAML support for v2.3 data model

Signed-off-by: Keith Zantow <kzantow@gmail.com>

1 files changed, 412 insertions, 0 deletions

diff --git a/examples/sample-docs/yaml/SPDXYAMLExample-2.3.spdx.yaml b/examples/sample-docs/yaml/SPDXYAMLExample-2.3.spdx.yaml
new file mode 100644
index 0000000..611b74c
--- /dev/null
+++ b/examples/sample-docs/yaml/SPDXYAMLExample-2.3.spdx.yaml
@@ -0,0 +1,412 @@
+SPDXID: SPDXRef-DOCUMENT
+annotations:
+- annotationDate: "2010-01-29T18:30:22Z"
+  annotationType: OTHER
+  annotator: 'Person: Jane Doe ()'
+  comment: Document level annotation
+- annotationDate: "2010-02-10T00:00:00Z"
+  annotationType: REVIEW
+  annotator: 'Person: Joe Reviewer'
+  comment: This is just an example.  Some of the non-standard licenses look like they
+    are actually BSD 3 clause licenses
+- annotationDate: "2011-03-13T00:00:00Z"
+  annotationType: REVIEW
+  annotator: 'Person: Suzanne Reviewer'
+  comment: Another example reviewer.
+comment: This document was created using SPDX 2.0 using licenses from the web site.
+creationInfo:
+  comment: |-
+    This package has been shipped in source and binary form.
+    The binaries were created with gcc 4.5.1 and expect to link to
+    compatible system run time libraries.
+  created: "2010-01-29T18:30:22Z"
+  creators:
+  - 'Tool: LicenseFind-1.0'
+  - 'Organization: ExampleCodeInspect ()'
+  - 'Person: Jane Doe ()'
+  licenseListVersion: "3.9"
+dataLicense: CC0-1.0
+documentNamespace: http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301
+externalDocumentRefs:
+- checksum:
+    algorithm: SHA1
+    checksumValue: d6a770ba38583ed4bb4525bd96e50461655d2759
+  externalDocumentId: DocumentRef-spdx-tool-1.2
+  spdxDocument: http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301
+files:
+- SPDXID: SPDXRef-DoapSource
+  checksums:
+  - algorithm: SHA1
+    checksumValue: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
+  copyrightText: Copyright 2010, 2011 Source Auditor Inc.
+  fileContributors:
+  - Protecode Inc.
+  - SPDX Technical Team Members
+  - Open Logic Inc.
+  - Source Auditor Inc.
+  - Black Duck Software In.c
+  fileName: ./src/org/spdx/parser/DOAPProject.java
+  fileTypes:
+  - SOURCE
+  licenseConcluded: Apache-2.0
+  licenseInfoInFiles:
+  - Apache-2.0
+- SPDXID: SPDXRef-CommonsLangSrc
+  checksums:
+  - algorithm: SHA1
+    checksumValue: c2b4e1c67a2d28fced849ee1bb76e7391b93f125
+  comment: This file is used by Jena
+  copyrightText: Copyright 2001-2011 The Apache Software Foundation
+  fileContributors:
+  - Apache Software Foundation
+  fileName: ./lib-source/commons-lang3-3.1-sources.jar
+  fileTypes:
+  - ARCHIVE
+  licenseConcluded: Apache-2.0
+  licenseInfoInFiles:
+  - Apache-2.0
+  noticeText: |-
+    Apache Commons Lang
+    Copyright 2001-2011 The Apache Software Foundation
+
+    This product includes software developed by
+    The Apache Software Foundation (http://www.apache.org/).
+
+    This product includes software from the Spring Framework,
+    under the Apache License 2.0 (see: StringUtils.containsWhitespace())
+- SPDXID: SPDXRef-JenaLib
+  checksums:
+  - algorithm: SHA1
+    checksumValue: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125
+  comment: This file belongs to Jena
+  copyrightText: (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
+    2009 Hewlett-Packard Development Company, LP
+  fileContributors:
+  - Apache Software Foundation
+  - Hewlett Packard Inc.
+  fileName: ./lib-source/jena-2.6.3-sources.jar
+  fileTypes:
+  - ARCHIVE
+  licenseComments: This license is used by Jena
+  licenseConcluded: LicenseRef-1
+  licenseInfoInFiles:
+  - LicenseRef-1
+- SPDXID: SPDXRef-File
+  annotations:
+  - annotationDate: "2011-01-29T18:30:22Z"
+    annotationType: OTHER
+    annotator: 'Person: File Commenter'
+    comment: File level annotation
+  checksums:
+  - algorithm: SHA1
+    checksumValue: d6a770ba38583ed4bb4525bd96e50461655d2758
+  - algorithm: MD5
+    checksumValue: 624c1abb3664f4b35547e7c73864ad24
+  comment: |-
+    The concluded license was taken from the package level that the file was included in.
+    This information was found in the COPYING.txt file in the xyz directory.
+  copyrightText: Copyright 2008-2010 John Smith
+  fileContributors:
+  - The Regents of the University of California
+  - Modified by Paul Mundt lethal@linux-sh.org
+  - IBM Corporation
+  fileName: ./package/foo.c
+  fileTypes:
+  - SOURCE
+  licenseComments: The concluded license was taken from the package level that the
+    file was included in.
+  licenseConcluded: (LGPL-2.0-only OR LicenseRef-2)
+  licenseInfoInFiles:
+  - GPL-2.0-only
+  - LicenseRef-2
+  noticeText: "Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com\n\nPermission is
+    hereby granted, free of charge, to any person obtaining a copy of this software
+    and associated documentation files (the �Software�), to deal in the Software without
+    restriction, including without limitation the rights to use, copy, modify, merge,
+    publish, distribute, sublicense, and/or sell copies of the Software, and to permit
+    persons to whom the Software is furnished to do so, subject to the following conditions:
+    \nThe above copyright notice and this permission notice shall be included in all
+    copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED �AS
+    IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED
+    TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+    \ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+    DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+    ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+    IN THE SOFTWARE."
+hasExtractedLicensingInfos:
+- extractedText: |-
+    /*
+     * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP
+     * All rights reserved.
+     *
+     * Redistribution and use in source and binary forms, with or without
+     * modification, are permitted provided that the following conditions
+     * are met:
+     * 1. Redistributions of source code must retain the above copyright
+     *    notice, this list of conditions and the following disclaimer.
+     * 2. Redistributions in binary form must reproduce the above copyright
+     *    notice, this list of conditions and the following disclaimer in the
+     *    documentation and/or other materials provided with the distribution.
+     * 3. The name of the author may not be used to endorse or promote products
+     *    derived from this software without specific prior written permission.
+     *
+     * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+     * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+     * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+     * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+     * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+     * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+     * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+     * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+     * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+     * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+    */
+  licenseId: LicenseRef-1
+- extractedText: "This package includes the GRDDL parser developed by Hewlett Packard
+    under the following license:\n� Copyright 2007 Hewlett-Packard Development Company,
+    LP\n\nRedistribution and use in source and binary forms, with or without modification,
+    are permitted provided that the following conditions are met: \n\nRedistributions
+    of source code must retain the above copyright notice, this list of conditions
+    and the following disclaimer. \nRedistributions in binary form must reproduce
+    the above copyright notice, this list of conditions and the following disclaimer
+    in the documentation and/or other materials provided with the distribution. \nThe
+    name of the author may not be used to endorse or promote products derived from
+    this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED
+    BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
+    NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+    PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+    INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+    BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+    DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+    LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+    OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+    OF THE POSSIBILITY OF SUCH DAMAGE."
+  licenseId: LicenseRef-2
+- extractedText: |-
+    /*
+     * (c) Copyright 2009 University of Bristol
+     * All rights reserved.
+     *
+     * Redistribution and use in source and binary forms, with or without
+     * modification, are permitted provided that the following conditions
+     * are met:
+     * 1. Redistributions of source code must retain the above copyright
+     *    notice, this list of conditions and the following disclaimer.
+     * 2. Redistributions in binary form must reproduce the above copyright
+     *    notice, this list of conditions and the following disclaimer in the
+     *    documentation and/or other materials provided with the distribution.
+     * 3. The name of the author may not be used to endorse or promote products
+     *    derived from this software without specific prior written permission.
+     *
+     * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+     * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+     * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+     * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+     * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+     * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+     * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+     * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+     * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+     * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+    */
+  licenseId: LicenseRef-4
+- comment: The beerware license has a couple of other standard variants.
+  extractedText: |-
+    "THE BEER-WARE LICENSE" (Revision 42):
+    phk@FreeBSD.ORG wrote this file. As long as you retain this notice you
+    can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp
+  licenseId: LicenseRef-Beerware-4.2
+  name: Beer-Ware License (Version 42)
+  seeAlsos:
+  - http://people.freebsd.org/~phk/
+- comment: This is tye CyperNeko License
+  extractedText: "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright
+    2002-2005, Andy Clark.  All rights reserved.\n \nRedistribution and use in source
+    and binary forms, with or without\nmodification, are permitted provided that the
+    following conditions\nare met:\n\n1. Redistributions of source code must retain
+    the above copyright\n   notice, this list of conditions and the following disclaimer.
+    \n\n2. Redistributions in binary form must reproduce the above copyright\n   notice,
+    this list of conditions and the following disclaimer in\n   the documentation
+    and/or other materials provided with the\n   distribution.\n\n3. The end-user
+    documentation included with the redistribution,\n   if any, must include the following
+    acknowledgment:  \n     \"This product includes software developed by Andy Clark.\"\n
+    \  Alternately, this acknowledgment may appear in the software itself,\n   if
+    and wherever such third-party acknowledgments normally appear.\n\n4. The names
+    \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n   or promote products
+    derived from this software without prior \n   written permission. For written
+    permission, please contact \n   andyc@cyberneko.net.\n\n5. Products derived from
+    this software may not be called \"CyberNeko\",\n   nor may \"CyberNeko\" appear
+    in their name, without prior written\n   permission of the author.\n\nTHIS SOFTWARE
+    IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT
+    NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+    PURPOSE ARE\nDISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE
+    LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL
+    DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES;
+    LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND
+    ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+    NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+    \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
+  licenseId: LicenseRef-3
+  name: CyberNeko License
+  seeAlsos:
+  - http://people.apache.org/~andyc/neko/LICENSE
+  - http://justasample.url.com
+name: SPDX-Tools-v2.0
+packages:
+- SPDXID: SPDXRef-Package
+  annotations:
+  - annotationDate: "2011-01-29T18:30:22Z"
+    annotationType: OTHER
+    annotator: 'Person: Package Commenter'
+    comment: Package level annotation
+  attributionTexts:
+  - The GNU C Library is free software.  See the file COPYING.LIB for copying conditions,
+    and LICENSES for notices about a few contributions that require these additional
+    notices to be distributed.  License copyright years may be listed using range
+    notation, e.g., 1996-2015, indicating that every year in the range, inclusive,
+    is a copyrightable year that would otherwise be listed individually.
+  checksums:
+  - algorithm: MD5
+    checksumValue: 624c1abb3664f4b35547e7c73864ad24
+  - algorithm: SHA1
+    checksumValue: 85ed0817af83a24ad8da68c2b5094de69833983c
+  - algorithm: SHA256
+    checksumValue: 11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd
+  copyrightText: Copyright 2008-2010 John Smith
+  description: The GNU C Library defines functions that are specified by the ISO C
+    standard, as well as additional features specific to POSIX and other derivatives
+    of the Unix operating system, and extensions specific to GNU systems.
+  downloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz
+  externalRefs:
+  - comment: ""
+    referenceCategory: SECURITY
+    referenceLocator: cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*
+    referenceType: cpe23Type
+  - comment: This is the external ref for Acme
+    referenceCategory: OTHER
+    referenceLocator: acmecorp/acmenator/4.1.3-alpha
+    referenceType: http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge
+  filesAnalyzed: true
+  homepage: http://ftp.gnu.org/gnu/glibc
+  licenseComments: The license for this project changed with the release of version
+    x.y.  The version of the project included here post-dates the license change.
+  licenseConcluded: (LGPL-2.0-only OR LicenseRef-3)
+  licenseDeclared: (LGPL-2.0-only AND LicenseRef-3)
+  licenseInfoFromFiles:
+  - GPL-2.0-only
+  - LicenseRef-2
+  - LicenseRef-1
+  name: glibc
+  originator: 'Organization: ExampleCodeInspect (contact@example.com)'
+  packageFileName: glibc-2.11.1.tar.gz
+  packageVerificationCode:
+    packageVerificationCodeExcludedFiles:
+    - ./package.spdx
+    packageVerificationCodeValue: d6a770ba38583ed4bb4525bd96e50461655d2758
+  sourceInfo: uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.
+  summary: GNU C library.
+  supplier: 'Person: Jane Doe (jane.doe@example.com)'
+  versionInfo: 2.11.1
+- SPDXID: SPDXRef-fromDoap-1
+  copyrightText: NOASSERTION
+  downloadLocation: NOASSERTION
+  homepage: http://commons.apache.org/proper/commons-lang/
+  licenseConcluded: NOASSERTION
+  licenseDeclared: NOASSERTION
+  name: Apache Commons Lang
+- SPDXID: SPDXRef-fromDoap-0
+  copyrightText: NOASSERTION
+  downloadLocation: https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz
+  externalRefs:
+  - comment: ""
+    referenceCategory: PACKAGE_MANAGER
+    referenceLocator: pkg:maven/org.apache.jena/apache-jena@3.12.0
+    referenceType: purl
+  homepage: http://www.openjena.org/
+  licenseConcluded: NOASSERTION
+  licenseDeclared: NOASSERTION
+  name: Jena
+  versionInfo: 3.12.0
+- SPDXID: SPDXRef-Saxon
+  checksums:
+  - algorithm: SHA1
+    checksumValue: 85ed0817af83a24ad8da68c2b5094de69833983c
+  copyrightText: Copyright Saxonica Ltd
+  description: The Saxon package is a collection of tools for processing XML documents.
+  downloadLocation: https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download
+  homepage: http://saxon.sourceforge.net/
+  licenseComments: Other versions available for a commercial license
+  licenseConcluded: MPL-1.0
+  licenseDeclared: MPL-1.0
+  name: Saxon
+  packageFileName: saxonB-8.8.zip
+  versionInfo: "8.8"
+- SPDXID: SPDXRef-CentOS-7
+  builtDate: "2021-09-15T02:38:00Z"
+  copyrightText: NOASSERTION
+  description: The CentOS container used to run the application.
+  downloadLocation: NOASSERTION
+  homepage: https://www.centos.org/
+  name: centos
+  packageFileName: saxonB-8.8.zip
+  primaryPackagePurpose: CONTAINER
+  releaseDate: "2021-10-15T02:38:00Z"
+  validUntilDate: "2022-10-15T02:38:00Z"
+  versionInfo: centos7.9.2009
+relationships:
+- comment: A relationship comment
+  relatedSpdxElement: SPDXRef-Package
+  relationshipType: CONTAINS
+  spdxElementId: SPDXRef-DOCUMENT
+- relatedSpdxElement: DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement
+  relationshipType: COPY_OF
+  spdxElementId: SPDXRef-DOCUMENT
+- relatedSpdxElement: SPDXRef-File
+  relationshipType: DESCRIBES
+  spdxElementId: SPDXRef-DOCUMENT
+- relatedSpdxElement: SPDXRef-Package
+  relationshipType: DESCRIBES
+  spdxElementId: SPDXRef-DOCUMENT
+- relatedSpdxElement: SPDXRef-JenaLib
+  relationshipType: CONTAINS
+  spdxElementId: SPDXRef-Package
+- relatedSpdxElement: SPDXRef-Saxon
+  relationshipType: DYNAMIC_LINK
+  spdxElementId: SPDXRef-Package
+- relatedSpdxElement: NOASSERTION
+  relationshipType: GENERATED_FROM
+  spdxElementId: SPDXRef-CommonsLangSrc
+- relatedSpdxElement: SPDXRef-Package
+  relationshipType: CONTAINS
+  spdxElementId: SPDXRef-JenaLib
+- relatedSpdxElement: SPDXRef-fromDoap-0
+  relationshipType: GENERATED_FROM
+  spdxElementId: SPDXRef-File
+snippets:
+- SPDXID: SPDXRef-Snippet
+  comment: This snippet was identified as significant and highlighted in this Apache-2.0
+    file, when a commercial scanner identified it as being derived from file foo.c
+    in package xyz which is licensed under GPL-2.0.
+  copyrightText: Copyright 2008-2010 John Smith
+  licenseComments: The concluded license was taken from package xyz, from which the
+    snippet was copied into the current file. The concluded license information was
+    found in the COPYING.txt file in package xyz.
+  licenseConcluded: GPL-2.0-only
+  licenseInfoInSnippets:
+  - GPL-2.0-only
+  name: from linux kernel
+  ranges:
+  - endPointer:
+      offset: 420
+      reference: SPDXRef-DoapSource
+    startPointer:
+      offset: 310
+      reference: SPDXRef-DoapSource
+  - endPointer:
+      lineNumber: 23
+      reference: SPDXRef-DoapSource
+    startPointer:
+      lineNumber: 5
+      reference: SPDXRef-DoapSource
+  snippetFromFile: SPDXRef-DoapSource
+spdxVersion: SPDX-2.2