「 网络安全常用术语解读 」SBOM主流格式SPDX详解

news2024/12/29 9:06:13

SPDX(System Package Data Exchange)格式是一种用于描述软件组件(如源代码)的规范,它提供了一种标准化的方法来描述软件组件的元数据,包括其许可证、依赖项和其他属性。SPDX最初由Linux基金会于2010年发起,是一个跨行业的合作项目,旨在促进软件供应链的透明度和合规性。本文将介绍SPDX格式的背景、应用现状及主要内容。

在这里插入图片描述

1. 背景

SPDX(System Package Data Exchange)格式的诞生源于对软件许可证的标准化和管理的需求。在开源和共享软件开发环境中,许可证是一个重要的元素,它规定了软件的使用和修改限制。然而,不同的开源项目可能使用不同的许可证,这导致了许可证管理的问题。为了解决这个问题,SPDX 格式应运而生,它提供了一种标准化的方法来描述软件许可证以及其他元数据,如版本控制信息、依赖项等。

2. 应用现状

SPDX格式在开源和共享软件开发环境中得到了广泛的应用。许多开源项目使用SPDX格式来描述其软件组件的许可证和其他元数据。SPDX格式还被用于自动化工具中,如代码审查工具、许可证管理工具和版本控制工具,这些工具可以自动解析SPDX描述文档,从而提高了工作效率和准确性。

SPDX规范被公认为安全性、许可证合规性和其他软件供应链工件的国际开放标准,如ISO/IEC 5962:2021

SPDX格式还被应用于教育领域。一些教育机构和开源组织将SPDX格式用于教育目的,为学生提供关于软件许可证管理和软件组件元数据的知识。通过使用SPDX格式,学生可以更好地理解开源软件的世界,并学会如何使用标准化的方法来描述和管理软件组件。

3. 版本发展历史

  • 2023/05:发布了新的安全、构建、数据和人工智能配置文件的 SPDX 3.0-rc1。
  • 2022/08:发布SPDX 2.3,以提高与其他格式的互操作性。
  • 2015/05:SPDX 2.0 规范增加了处理多个包、包和文件之间的关系以及注释的能力。
  • 2013/10:SPDX 1.2 规范–改进了与许可证列表的交互,增加了用于记录项目信息的字段。
  • 2011/08:SPDX 1.0 规范处理封装。
  • 2010/02:规范起草工作开始于Linux基金会下属的 FOSSBazaar 工作组,该工作组后来被称为“SPDX”,最初被称为Package Facts。

4. 主要内容

在SPDX格式中,每个元素都有其特定的标签和结构,以便于自动解析和解析。此外,SPDX格式还提供了一种标准化的方法来组织这些元素,使其易于理解和使用。

SPDX格式的主要内容包括许可证、版本控制、依赖项和其他元数据:

  • 软件包信息:记录软件包的基本信息,如名称、版本号、描述等。
  • 许可证信息:详细描述软件包使用的许可证类型及相关要求。这有助于组织遵守不同许可证的规定,确保合规性。
  • 文件级别信息:列出软件包中每个文件的信息,包括文件名、路径、大小等。这有助于识别和跟踪软件组件,管理依赖关系。
  • 依赖关系:记录软件包与其他软件包之间的依赖关系,包括版本要求、兼容性等。这有助于评估软件包的稳定性和安全性。
  • 补丁信息:记录软件包中的补丁信息,包括修复的漏洞、安全更新等。这有助于了解软件包的安全状况。
  • 元数据:包括创建SPDX文档的时间、作者信息等元数据,有助于跟踪和管理SPDX文档的来源和历史。
  • 其他元数据:SPDX格式还包含其他元数据,如许可协议、版权声明、技术规范和文档链接等。

SPDX JSON 格式完整样例:

{
  "SPDXID" : "SPDXRef-DOCUMENT",
  "spdxVersion" : "SPDX-2.3",
  "creationInfo" : {
    "comment" : "This package has been shipped in source and binary form.\nThe binaries were created with gcc 4.5.1 and expect to link to\ncompatible system run time libraries.",
    "created" : "2010-01-29T18:30:22Z",
    "creators" : [ "Tool: LicenseFind-1.0", "Organization: ExampleCodeInspect ()", "Person: Jane Doe ()" ],
    "licenseListVersion" : "3.17"
  },
  "name" : "SPDX-Tools-v2.0",
  "dataLicense" : "CC0-1.0",
  "comment" : "This document was created using SPDX 2.0 using licenses from the web site.",
  "externalDocumentRefs" : [ {
    "externalDocumentId" : "DocumentRef-spdx-tool-1.2",
    "checksum" : {
      "algorithm" : "SHA1",
      "checksumValue" : "d6a770ba38583ed4bb4525bd96e50461655d2759"
    },
    "spdxDocument" : "http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301"
  } ],
  "hasExtractedLicensingInfos" : [ {
    "licenseId" : "LicenseRef-1",
    "extractedText" : "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n *    notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n *    notice, this list of conditions and the following disclaimer in the\n *    documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n *    derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/"
  }, {
    "licenseId" : "LicenseRef-2",
    "extractedText" : "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n© Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
  }, {
    "licenseId" : "LicenseRef-4",
    "extractedText" : "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n *    notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n *    notice, this list of conditions and the following disclaimer in the\n *    documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n *    derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/"
  }, {
    "licenseId" : "LicenseRef-Beerware-4.2",
    "comment" : "The beerware license has a couple of other standard variants.",
    "extractedText" : "\"THE BEER-WARE LICENSE\" (Revision 42):\nphk@FreeBSD.ORG wrote this file. As long as you retain this notice you\ncan do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp",
    "name" : "Beer-Ware License (Version 42)",
    "seeAlsos" : [ "http://people.freebsd.org/~phk/" ]
  }, {
    "licenseId" : "LicenseRef-3",
    "comment" : "This is tye CyperNeko License",
    "extractedText" : "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark.  All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n   notice, this list of conditions and the following disclaimer. \n\n2. Redistributions in binary form must reproduce the above copyright\n   notice, this list of conditions and the following disclaimer in\n   the documentation and/or other materials provided with the\n   distribution.\n\n3. The end-user documentation included with the redistribution,\n   if any, must include the following acknowledgment:  \n     \"This product includes software developed by Andy Clark.\"\n   Alternately, this acknowledgment may appear in the software itself,\n   if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n   or promote products derived from this software without prior \n   written permission. For written permission, please contact \n   andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n   nor may \"CyberNeko\" appear in their name, without prior written\n   permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.",
    "name" : "CyberNeko License",
    "seeAlsos" : [ "http://people.apache.org/~andyc/neko/LICENSE", "http://justasample.url.com" ]
  } ],
  "annotations" : [ {
    "annotationDate" : "2010-01-29T18:30:22Z",
    "annotationType" : "OTHER",
    "annotator" : "Person: Jane Doe ()",
    "comment" : "Document level annotation"
  }, {
    "annotationDate" : "2010-02-10T00:00:00Z",
    "annotationType" : "REVIEW",
    "annotator" : "Person: Joe Reviewer",
    "comment" : "This is just an example.  Some of the non-standard licenses look like they are actually BSD 3 clause licenses"
  }, {
    "annotationDate" : "2011-03-13T00:00:00Z",
    "annotationType" : "REVIEW",
    "annotator" : "Person: Suzanne Reviewer",
    "comment" : "Another example reviewer."
  } ],
  "documentDescribes" : [ "SPDXRef-File", "SPDXRef-Package" ],
  "documentNamespace" : "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301",
  "packages" : [ {
    "SPDXID" : "SPDXRef-Package",
    "annotations" : [ {
      "annotationDate" : "2011-01-29T18:30:22Z",
      "annotationType" : "OTHER",
      "annotator" : "Person: Package Commenter",
      "comment" : "Package level annotation"
    } ],
    "attributionTexts" : [ "The GNU C Library is free software.  See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed.  License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." ],
    "builtDate" : "2011-01-29T18:30:22Z",
    "checksums" : [ {
      "algorithm" : "MD5",
      "checksumValue" : "624c1abb3664f4b35547e7c73864ad24"
    }, {
      "algorithm" : "SHA1",
      "checksumValue" : "85ed0817af83a24ad8da68c2b5094de69833983c"
    }, {
      "algorithm" : "SHA256",
      "checksumValue" : "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd"
    }, {
      "algorithm" : "BLAKE2b-384",
      "checksumValue" : "aaabd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706"
    } ],
    "copyrightText" : "Copyright 2008-2010 John Smith",
    "description" : "The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems.",
    "downloadLocation" : "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz",
    "externalRefs" : [ {
      "referenceCategory" : "SECURITY",
      "referenceLocator" : "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*",
      "referenceType" : "cpe23Type"
    }, {
      "comment" : "This is the external ref for Acme",
      "referenceCategory" : "OTHER",
      "referenceLocator" : "acmecorp/acmenator/4.1.3-alpha",
      "referenceType" : "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge"
    } ],
    "filesAnalyzed" : true,
    "homepage" : "http://ftp.gnu.org/gnu/glibc",
    "licenseComments" : "The license for this project changed with the release of version x.y.  The version of the project included here post-dates the license change.",
    "licenseConcluded" : "(LGPL-2.0-only OR LicenseRef-3)",
    "licenseDeclared" : "(LGPL-2.0-only AND LicenseRef-3)",
    "licenseInfoFromFiles" : [ "GPL-2.0-only", "LicenseRef-2", "LicenseRef-1" ],
    "name" : "glibc",
    "originator" : "Organization: ExampleCodeInspect (contact@example.com)",
    "packageFileName" : "glibc-2.11.1.tar.gz",
    "packageVerificationCode" : {
      "packageVerificationCodeExcludedFiles" : [ "./package.spdx" ],
      "packageVerificationCodeValue" : "d6a770ba38583ed4bb4525bd96e50461655d2758"
    },
    "primaryPackagePurpose" : "SOURCE",
    "hasFiles" : [ "SPDXRef-Specification", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-DoapSource", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-DoapSource" ],
    "releaseDate" : "2012-01-29T18:30:22Z",
    "sourceInfo" : "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.",
    "summary" : "GNU C library.",
    "supplier" : "Person: Jane Doe (jane.doe@example.com)",
    "validUntilDate" : "2014-01-29T18:30:22Z",
    "versionInfo" : "2.11.1"
  }, {
    "SPDXID" : "SPDXRef-fromDoap-1",
    "copyrightText" : "NOASSERTION",
    "downloadLocation" : "NOASSERTION",
    "filesAnalyzed" : false,
    "homepage" : "http://commons.apache.org/proper/commons-lang/",
    "licenseConcluded" : "NOASSERTION",
    "licenseDeclared" : "NOASSERTION",
    "name" : "Apache Commons Lang"
  }, {
    "SPDXID" : "SPDXRef-fromDoap-0",
    "downloadLocation" : "https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz",
    "externalRefs" : [ {
      "referenceCategory" : "PACKAGE-MANAGER",
      "referenceLocator" : "pkg:maven/org.apache.jena/apache-jena@3.12.0",
      "referenceType" : "purl"
    } ],
    "filesAnalyzed" : false,
    "homepage" : "http://www.openjena.org/",
    "name" : "Jena",
    "versionInfo" : "3.12.0"
  }, {
    "SPDXID" : "SPDXRef-Saxon",
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "85ed0817af83a24ad8da68c2b5094de69833983c"
    } ],
    "copyrightText" : "Copyright Saxonica Ltd",
    "description" : "The Saxon package is a collection of tools for processing XML documents.",
    "downloadLocation" : "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download",
    "filesAnalyzed" : false,
    "homepage" : "http://saxon.sourceforge.net/",
    "licenseComments" : "Other versions available for a commercial license",
    "licenseConcluded" : "MPL-1.0",
    "licenseDeclared" : "MPL-1.0",
    "name" : "Saxon",
    "packageFileName" : "saxonB-8.8.zip",
    "versionInfo" : "8.8"
  } ],
  "files" : [ {
    "SPDXID" : "SPDXRef-DoapSource",
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"
    } ],
    "copyrightText" : "Copyright 2010, 2011 Source Auditor Inc.",
    "fileContributors" : [ "Protecode Inc.", "SPDX Technical Team Members", "Open Logic Inc.", "Source Auditor Inc.", "Black Duck Software In.c" ],
    "fileName" : "./src/org/spdx/parser/DOAPProject.java",
    "fileTypes" : [ "SOURCE" ],
    "licenseConcluded" : "Apache-2.0",
    "licenseInfoInFiles" : [ "Apache-2.0" ]
  }, {
    "SPDXID" : "SPDXRef-CommonsLangSrc",
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "c2b4e1c67a2d28fced849ee1bb76e7391b93f125"
    } ],
    "comment" : "This file is used by Jena",
    "copyrightText" : "Copyright 2001-2011 The Apache Software Foundation",
    "fileContributors" : [ "Apache Software Foundation" ],
    "fileName" : "./lib-source/commons-lang3-3.1-sources.jar",
    "fileTypes" : [ "ARCHIVE" ],
    "licenseConcluded" : "Apache-2.0",
    "licenseInfoInFiles" : [ "Apache-2.0" ],
    "noticeText" : "Apache Commons Lang\nCopyright 2001-2011 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\nThis product includes software from the Spring Framework,\nunder the Apache License 2.0 (see: StringUtils.containsWhitespace())"
  }, {
    "SPDXID" : "SPDXRef-JenaLib",
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "3ab4e1c67a2d28fced849ee1bb76e7391b93f125"
    } ],
    "comment" : "This file belongs to Jena",
    "copyrightText" : "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP",
    "fileContributors" : [ "Apache Software Foundation", "Hewlett Packard Inc." ],
    "fileName" : "./lib-source/jena-2.6.3-sources.jar",
    "fileTypes" : [ "ARCHIVE" ],
    "licenseComments" : "This license is used by Jena",
    "licenseConcluded" : "LicenseRef-1",
    "licenseInfoInFiles" : [ "LicenseRef-1" ]
  }, {
    "SPDXID" : "SPDXRef-Specification",
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "fff4e1c67a2d28fced849ee1bb76e7391b93f125"
    } ],
    "comment" : "Specification Documentation",
    "fileName" : "./docs/myspec.pdf",
    "fileTypes" : [ "DOCUMENTATION" ]
  }, {
    "SPDXID" : "SPDXRef-File",
    "annotations" : [ {
      "annotationDate" : "2011-01-29T18:30:22Z",
      "annotationType" : "OTHER",
      "annotator" : "Person: File Commenter",
      "comment" : "File level annotation"
    } ],
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "d6a770ba38583ed4bb4525bd96e50461655d2758"
    }, {
      "algorithm" : "MD5",
      "checksumValue" : "624c1abb3664f4b35547e7c73864ad24"
    } ],
    "comment" : "The concluded license was taken from the package level that the file was included in.\nThis information was found in the COPYING.txt file in the xyz directory.",
    "copyrightText" : "Copyright 2008-2010 John Smith",
    "fileContributors" : [ "The Regents of the University of California", "Modified by Paul Mundt lethal@linux-sh.org", "IBM Corporation" ],
    "fileName" : "./package/foo.c",
    "fileTypes" : [ "SOURCE" ],
    "licenseComments" : "The concluded license was taken from the package level that the file was included in.",
    "licenseConcluded" : "(LGPL-2.0-only OR LicenseRef-2)",
    "licenseInfoInFiles" : [ "GPL-2.0-only", "LicenseRef-2" ],
    "noticeText" : "Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: \nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE."
  } ],
  "snippets" : [ {
    "SPDXID" : "SPDXRef-Snippet",
    "comment" : "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0.",
    "copyrightText" : "Copyright 2008-2010 John Smith",
    "licenseComments" : "The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz.",
    "licenseConcluded" : "GPL-2.0-only",
    "licenseInfoInSnippets" : [ "GPL-2.0-only" ],
    "name" : "from linux kernel",
    "ranges" : [ {
      "endPointer" : {
        "offset" : 420,
        "reference" : "SPDXRef-DoapSource"
      },
      "startPointer" : {
        "offset" : 310,
        "reference" : "SPDXRef-DoapSource"
      }
    }, {
      "endPointer" : {
        "lineNumber" : 23,
        "reference" : "SPDXRef-DoapSource"
      },
      "startPointer" : {
        "lineNumber" : 5,
        "reference" : "SPDXRef-DoapSource"
      }
    } ],
    "snippetFromFile" : "SPDXRef-DoapSource"
  } ],
  "relationships" : [ {
    "spdxElementId" : "SPDXRef-DOCUMENT",
    "relationshipType" : "CONTAINS",
    "relatedSpdxElement" : "SPDXRef-Package"
  }, {
    "spdxElementId" : "SPDXRef-DOCUMENT",
    "relationshipType" : "COPY_OF",
    "relatedSpdxElement" : "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement"
  }, {
    "spdxElementId" : "SPDXRef-Package",
    "relationshipType" : "DYNAMIC_LINK",
    "relatedSpdxElement" : "SPDXRef-Saxon"
  }, {
    "spdxElementId" : "SPDXRef-CommonsLangSrc",
    "relationshipType" : "GENERATED_FROM",
    "relatedSpdxElement" : "NOASSERTION"
  }, {
    "spdxElementId" : "SPDXRef-JenaLib",
    "relationshipType" : "CONTAINS",
    "relatedSpdxElement" : "SPDXRef-Package"
  }, {
    "spdxElementId" : "SPDXRef-Specification",
    "relationshipType" : "SPECIFICATION_FOR",
    "relatedSpdxElement" : "SPDXRef-fromDoap-0"
  }, {
    "spdxElementId" : "SPDXRef-File",
    "relationshipType" : "GENERATED_FROM",
    "relatedSpdxElement" : "SPDXRef-fromDoap-0"
  } ]
}

若想了解更多 SPDX 格式的规范细节,可参阅官方最新文档 The System Package Data Exchange® (SPDX®) Specification Version 3.0.pdf (访问密码: 6277)。

5. 辅助工具

SPDX 官方提供了一些辅助工具,包含在线工具、开源工具及商用工具,可以提供 SPDX 格式文档的校验、转换、对比、生成及解析等功能。
在这里插入图片描述

6. 总结

SPDX格式是一种用于描述软件组件的规范,提供了一种标准化的方法来描述软件组件的元数据,包括其许可证、依赖项和其他属性。随着开源和共享软件开发环境的普及,SPDX格式得到了广泛的应用。

通过SPDX格式,组织可以更好地了解和管理软件供应链,降低合规风险,提高软件质量,加强安全性。SPDX作为一个开放的标准格式,为软件行业的合作和创新提供了重要的基础。

7. 参考

[1] https://spdx.dev/
[2] SPDXJSONExample-v2.3.spdx.json
[3] https://spdx.dev/use/specifications/


推荐阅读:

  • 「 网络安全常用术语解读 」漏洞利用交换VEX详解
  • 「 网络安全常用术语解读 」软件成分分析SCA详解:从发展背景到技术原理再到业界常用检测工具推荐
  • 「 网络安全常用术语解读 」什么是0day、1day、nday漏洞
  • 「 网络安全常用术语解读 」软件物料清单SBOM详解
  • 「 网络安全常用术语解读 」杀链Kill Chain详解
  • 「 网络安全术语解读 」点击劫持Clickjacking详解
  • 「 网络安全术语解读 」悬空标记注入详解
  • 「 网络安全术语解读 」内容安全策略CSP详解
  • 「 网络安全常用术语解读 」同源策略SOP详解
  • 「 网络安全术语解读 」静态分析结果交换格式SARIF详解
  • 「 网络安全常用术语解读 」安全自动化协议SCAP详解
  • 「 网络安全术语解读 」通用平台枚举CPE详解
  • 「 网络安全常用术语解读 」通用缺陷枚举CWE详解
  • 「 网络安全常用术语解读 」通用漏洞披露CVE详解
  • 「 网络安全常用术语解读 」通用漏洞评分系统CVSS详解
  • 「 网络安全常用术语解读 」漏洞利用交换VEX详解
  • 「 网络安全常用术语解读 」软件成分分析SCA详解:从发展背景到技术原理再到业界常用检测工具推荐
  • 「 网络安全术语解读 」通用攻击模式枚举和分类CAPEC详解
  • 「 网络安全常用术语解读 」网络攻击者的战术、技术和常识知识库ATT&CK详解

在这里插入图片描述

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1621968.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

vue 实现左侧导航栏,右侧锚点定位滚动到指定位置(超简单方法)

项目截图: 实现方法: 点击左侧菜单根据元素id定位到可视内容区域。 浏览器原生提供了一种方法scrollIntoView 。 通过scrollIntoView方法可以把元素滚动到可视区域内。 behavior: "smooth"是指定滚动方式为平滑效果。 具体代码如下&#xf…

linux安装MySQL8.0,密码修改权限配置等常规操作详解

✨✨ 欢迎大家来到景天科技苑✨✨ 🎈🎈 养成好习惯,先赞后看哦~🎈🎈 🏆 作者简介:景天科技苑 🏆《头衔》:大厂架构师,华为云开发者社区专家博主,…

【一刷剑指Offer】面试题 8:旋转数组的最小数字

力扣对应题目链接:154. 寻找旋转排序数组中的最小值 II - 力扣(LeetCode) 牛客对应题目链接: 旋转数组的最小数字_牛客题霸_牛客网 (nowcoder.com) 核心考点 :数组理解,二分查找,临界条件。 一…

Ajax和axios基础

AJAX Asynchronous JavaScript And XML 异步的JavaScript和XML 作用 数据交换: 通过Ajax可以给服务器发送请求,服务器将数据直接响应回给浏览器. 异步交互: 可以在不重新加载整个页面的情况下,与服务器交换数据并更新部分网页的技术. 同步和异步 同步发送请求: 浏览器发…

基于单片机的羽毛球计分器(含proteus仿真和程序)

目录 完整文本及仿真、程序可私信我获取 前言 第一章 设计任务及方案 1.1 设计任务 1.2 总体设计分析 1.3 功能模块方案设计 1.4 方案确定 第二章、硬件设计 2.1 AT89C51 单片机芯片介绍 2.1.1 主要特性 2.1.2 管脚说明 2.1.3 元件清单 2.2 电路介绍 2…

黑马微服务课程2

课程地址:2024最新SpringCloud微服务开发与实战,java黑马商城项目微服务实战开发(涵盖MybatisPlus、Docker、MQ、ES、Redis高级等)_哔哩哔哩_bilibili 课程名称:2024最新SpringCloud微服务开发与实战,java…

《数据密集型应用系统设计》笔记——第一部分 数据系统基础(ch1-4)

写在前面:对DDIA这本书慕名已久,粗看书里的一些知识都或多或少了解,但仔细阅读下来,还是缺少对细节的认识。目前看了四个章节,这本书一直在围绕两个问题:是什么和为什么,来做阐述,针…

AI大模型探索之路-训练篇3:大语言模型全景解读

文章目录 前言一、语言模型发展历程1. 第一阶段:统计语言模型(Statistical Language Model, SLM)2. 第二阶段:神经语言模型(Neural Language Model, NLM)3. 第三阶段:预训练语言模型&#xff08…

【高阶数据结构】B树 {B树的概念;B树的实现:节点设计,查找,插入,遍历,删除;B树的性能分析;B+树和B*树;B树的应用}

一、常见的搜索结构 以上结构适合用于数据量相对不是很大,能够一次性存放在内存中,进行数据查找的场景。如果数据量很大,比如有100G数据,无法一次放进内存中,那就只能放在磁盘上了,如果放在磁盘上&#xff…

Maven多模块快速升级超好用Idea插件-MPVP

功能:多模块maven项目快速升级指定版本插件,并提供预览和相关升级模块日志能力。 可快速进行版本升级,进行部署到Maven仓库。 安装: 可在idea插件中心进行安装 / 下载资源拖动安装 MPVP(Maven) - IntelliJ IDEs Plugin | Marke…

IPv4 NAT(含Cisco配置)

IPv4 NAT(含Cisco配置) IPv4私有空间地址 类RFC 1918 内部地址范围前缀A10.0.0.0 - 10.255.255.25510.0.0.0/8B172.16.0.0 - 172.31.255.255172.16.0.0/12C192.168.0.0 - 192.168.255.255192.168.0.0/16 这些私有地址可在企业或站点内使用&#xff0c…

【第35天】SQL进阶-SQL高级技巧-透视表(SQL 小虚竹)

回城传送–》《100天精通MYSQL从入门到就业》 文章目录 零、前言一、练习题目二、SQL思路初始化数据什么是透视表实战体验 三、总结四、参考 零、前言 今天是学习 SQL 打卡的第 35 天。 ​ 我的学习策略很简单,题海策略 费曼学习法。如果能把这些题都认认真真自己…

网络安全-Diffie Hellman密钥协商

密钥协商是保密通信双方(或更多方)通过公开信道来共同形成密钥的过程。一个密钥协商方案中,密钥的值是某个函数值,其输入量由两个成员(或更多方)来提供。密钥协商的记过是参与协商的双方(或更多…

消息服务应用1——java项目使用websocket

在当前微服务项目中,由于业务模块众多,消息服务的使用场景变得异常活跃。而WebSocket由于其自身的可靠性强,实时性好,带宽占用更小的优势,在实时通讯应用场景中独占鳌头,加上HTML5标准的普及流行&#xff0…

MultiHeadAttention在Tensorflow中的实现原理

前言 通过这篇文章,你可以学习到Tensorflow实现MultiHeadAttention的底层原理。 一、MultiHeadAttention的本质内涵 1.Self_Atention机制 MultiHeadAttention是Self_Atention的多头堆嵌,有必要对Self_Atention机制进行一次深入浅出的理解,这…

Docker 入门篇(一)-- 简介与安装教程(Windows和Linux)

一、Docker简介 Docker是一个开源的应用容器引擎,让开发者可以打包他们的应用以及依赖包到一个可移植的容器中,然后发布到任何Linux机器上,也可以实现虚拟化。容器是完全使用沙箱机制,相互之间没有任何接口(类似iPhon…

记录海豚调度器删除工作流实例失败的解决办法(DolphinScheduler的WebUI删除失败)

本博客记录以下问题解决办法:使用dolphinscheduler的WebUI运行工作流后出现内存占用过高导致的任务阻塞问题,并且在删除工作流实例时总是报错无法删除 解决步骤 在前端页面无法删除,于是搜索资料,发现可以登录数据库进行工作流实…

【C语言 |预处理指令】预处理指令详解(包括编译与链接)

目录 一、编译与链接 1.翻译环境 -预处理 -编译 -汇编 -链接 2.执行环境 二、预定义符号 三、#define定义常量 四、#define定义宏 五、带有副作用的宏参数 六、宏替换的规则 七、 宏函数的对比 八、#和## 1.#运算符 2.##运算符 九、命名约定 十、#undef 十一、 命…

【服务器部署篇】Linux下Tomcat安装和配置

作者介绍:本人笔名姑苏老陈,从事JAVA开发工作十多年了,带过刚毕业的实习生,也带过技术团队。最近有个朋友的表弟,马上要大学毕业了,想从事JAVA开发工作,但不知道从何处入手。于是,产…

Linux网络编程---Socket编程

一、网络套接字 一个文件描述符指向一个套接字(该套接字内部由内核借助两个缓冲区实现。) 在通信过程中,套接字一定是成对出现的 套接字通讯原理示意图: 二、预备知识 1. 网络字节序 内存中的多字节数据相对于内存地址有大端和小端之分 小端法&…