1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
|
// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
package spdx
// Package2_1 is a Package section of an SPDX Document for version 2.1 of the spec.
type Package2_1 struct {
// 3.1: Package Name
// Cardinality: mandatory, one
PackageName string
// 3.2: Package SPDX Identifier: "SPDXRef-[idstring]"
// Cardinality: mandatory, one
PackageSPDXIdentifier ElementID
// 3.3: Package Version
// Cardinality: optional, one
PackageVersion string
// 3.4: Package File Name
// Cardinality: optional, one
PackageFileName string
// 3.5: Package Supplier: may have single result for either Person or Organization,
// or NOASSERTION
// Cardinality: optional, one
PackageSupplierPerson string
PackageSupplierOrganization string
PackageSupplierNOASSERTION bool
// 3.6: Package Originator: may have single result for either Person or Organization,
// or NOASSERTION
// Cardinality: optional, one
PackageOriginatorPerson string
PackageOriginatorOrganization string
PackageOriginatorNOASSERTION bool
// 3.7: Package Download Location
// Cardinality: mandatory, one
PackageDownloadLocation string
// 3.8: FilesAnalyzed
// Cardinality: optional, one; default value is "true" if omitted
FilesAnalyzed bool
// NOT PART OF SPEC: did FilesAnalyzed tag appear?
IsFilesAnalyzedTagPresent bool
// 3.9: Package Verification Code
// Cardinality: mandatory, one if filesAnalyzed is true / omitted;
// zero (must be omitted) if filesAnalyzed is false
PackageVerificationCode string
// Spec also allows specifying a single file to exclude from the
// verification code algorithm; intended to enable exclusion of
// the SPDX document file itself.
PackageVerificationCodeExcludedFile string
// 3.10: Package Checksum: may have keys for SHA1, SHA256 and/or MD5
// Cardinality: optional, one or many
PackageChecksumSHA1 string
PackageChecksumSHA256 string
PackageChecksumMD5 string
// 3.11: Package Home Page
// Cardinality: optional, one
PackageHomePage string
// 3.12: Source Information
// Cardinality: optional, one
PackageSourceInfo string
// 3.13: Concluded License: SPDX License Expression, "NONE" or "NOASSERTION"
// Cardinality: mandatory, one
PackageLicenseConcluded string
// 3.14: All Licenses Info from Files: SPDX License Expression, "NONE" or "NOASSERTION"
// Cardinality: mandatory, one or many if filesAnalyzed is true / omitted;
// zero (must be omitted) if filesAnalyzed is false
PackageLicenseInfoFromFiles []string
// 3.15: Declared License: SPDX License Expression, "NONE" or "NOASSERTION"
// Cardinality: mandatory, one
PackageLicenseDeclared string
// 3.16: Comments on License
// Cardinality: optional, one
PackageLicenseComments string
// 3.17: Copyright Text: copyright notice(s) text, "NONE" or "NOASSERTION"
// Cardinality: mandatory, one
PackageCopyrightText string
// 3.18: Package Summary Description
// Cardinality: optional, one
PackageSummary string
// 3.19: Package Detailed Description
// Cardinality: optional, one
PackageDescription string
// 3.20: Package Comment
// Cardinality: optional, one
PackageComment string
// 3.21: Package External Reference
// Cardinality: optional, one or many
PackageExternalReferences []*PackageExternalReference2_1
// 3.22: Package External Reference Comment
// Cardinality: conditional (optional, one) for each External Reference
// contained within PackageExternalReference2_1 struct, if present
// Files contained in this Package
Files map[ElementID]*File2_1
}
// PackageExternalReference2_1 is an External Reference to additional info
// about a Package, as defined in section 3.21 in version 2.1 of the spec.
type PackageExternalReference2_1 struct {
// category is "SECURITY", "PACKAGE-MANAGER" or "OTHER"
Category string
// type is an [idstring] as defined in Appendix VI;
// called RefType here due to "type" being a Golang keyword
RefType string
// locator is a unique string to access the package-specific
// info, metadata or content within the target location
Locator string
// 3.22: Package External Reference Comment
// Cardinality: conditional (optional, one) for each External Reference
ExternalRefComment string
}
// Package2_2 is a Package section of an SPDX Document for version 2.2 of the spec.
type Package2_2 struct {
// NOT PART OF SPEC
// flag: does this "package" contain files that were in fact "unpackaged",
// e.g. included directly in the Document without being in a Package?
IsUnpackaged bool
// 3.1: Package Name
// Cardinality: mandatory, one
PackageName string
// 3.2: Package SPDX Identifier: "SPDXRef-[idstring]"
// Cardinality: mandatory, one
PackageSPDXIdentifier ElementID
// 3.3: Package Version
// Cardinality: optional, one
PackageVersion string
// 3.4: Package File Name
// Cardinality: optional, one
PackageFileName string
// 3.5: Package Supplier: may have single result for either Person or Organization,
// or NOASSERTION
// Cardinality: optional, one
PackageSupplierPerson string
PackageSupplierOrganization string
PackageSupplierNOASSERTION bool
// 3.6: Package Originator: may have single result for either Person or Organization,
// or NOASSERTION
// Cardinality: optional, one
PackageOriginatorPerson string
PackageOriginatorOrganization string
PackageOriginatorNOASSERTION bool
// 3.7: Package Download Location
// Cardinality: mandatory, one
PackageDownloadLocation string
// 3.8: FilesAnalyzed
// Cardinality: optional, one; default value is "true" if omitted
FilesAnalyzed bool
// NOT PART OF SPEC: did FilesAnalyzed tag appear?
IsFilesAnalyzedTagPresent bool
// 3.9: Package Verification Code
// Cardinality: mandatory, one if filesAnalyzed is true / omitted;
// zero (must be omitted) if filesAnalyzed is false
PackageVerificationCode string
// Spec also allows specifying a single file to exclude from the
// verification code algorithm; intended to enable exclusion of
// the SPDX document file itself.
PackageVerificationCodeExcludedFile string
// 3.10: Package Checksum: may have keys for SHA1, SHA256 and/or MD5
// Cardinality: optional, one or many
// PackageChecksumSHA1 string
// PackageChecksumSHA256 string
// PackageChecksumMD5 string
PackageChecksums map[ChecksumAlgorithm2_2]Checksum2_2
// 3.11: Package Home Page
// Cardinality: optional, one
PackageHomePage string
// 3.12: Source Information
// Cardinality: optional, one
PackageSourceInfo string
// 3.13: Concluded License: SPDX License Expression, "NONE" or "NOASSERTION"
// Cardinality: mandatory, one
PackageLicenseConcluded string
// 3.14: All Licenses Info from Files: SPDX License Expression, "NONE" or "NOASSERTION"
// Cardinality: mandatory, one or many if filesAnalyzed is true / omitted;
// zero (must be omitted) if filesAnalyzed is false
PackageLicenseInfoFromFiles []string
// 3.15: Declared License: SPDX License Expression, "NONE" or "NOASSERTION"
// Cardinality: mandatory, one
PackageLicenseDeclared string
// 3.16: Comments on License
// Cardinality: optional, one
PackageLicenseComments string
// 3.17: Copyright Text: copyright notice(s) text, "NONE" or "NOASSERTION"
// Cardinality: mandatory, one
PackageCopyrightText string
// 3.18: Package Summary Description
// Cardinality: optional, one
PackageSummary string
// 3.19: Package Detailed Description
// Cardinality: optional, one
PackageDescription string
// 3.20: Package Comment
// Cardinality: optional, one
PackageComment string
// 3.21: Package External Reference
// Cardinality: optional, one or many
PackageExternalReferences []*PackageExternalReference2_2
// 3.22: Package External Reference Comment
// Cardinality: conditional (optional, one) for each External Reference
// contained within PackageExternalReference2_1 struct, if present
// 3.23: Package Attribution Text
// Cardinality: optional, one or many
PackageAttributionTexts []string
// Files contained in this Package
Files map[ElementID]*File2_2
}
// PackageExternalReference2_2 is an External Reference to additional info
// about a Package, as defined in section 3.21 in version 2.2 of the spec.
type PackageExternalReference2_2 struct {
// category is "SECURITY", "PACKAGE-MANAGER", "PERSISTENT-ID" or "OTHER"
Category string
// type is an [idstring] as defined in Appendix VI;
// called RefType here due to "type" being a Golang keyword
RefType string
// locator is a unique string to access the package-specific
// info, metadata or content within the target location
Locator string
// 3.22: Package External Reference Comment
// Cardinality: conditional (optional, one) for each External Reference
ExternalRefComment string
}
|
