「 网络安全常用术语解读 」SBOM主流格式SPDX详解

SPDX(System Package Data Exchange)格式是一种用于描述软件组件(如源代码)的规范,它提供了一种标准化的方法来描述软件组件的元数据,包括其许可证、依赖项和其他属性。SPDX最初由Linux基金会于2010年发起,是一个跨行业的合作项目,旨在促进软件供应链的透明度和合规性。本文将介绍SPDX格式的背景、应用现状及主要内容。

在这里插入图片描述

1. 背景

SPDX(System Package Data Exchange)格式的诞生源于对软件许可证的标准化和管理的需求。在开源和共享软件开发环境中,许可证是一个重要的元素,它规定了软件的使用和修改限制。然而,不同的开源项目可能使用不同的许可证,这导致了许可证管理的问题。为了解决这个问题,SPDX 格式应运而生,它提供了一种标准化的方法来描述软件许可证以及其他元数据,如版本控制信息、依赖项等。

2. 应用现状

SPDX格式在开源和共享软件开发环境中得到了广泛的应用。许多开源项目使用SPDX格式来描述其软件组件的许可证和其他元数据。SPDX格式还被用于自动化工具中,如代码审查工具、许可证管理工具和版本控制工具,这些工具可以自动解析SPDX描述文档,从而提高了工作效率和准确性。

SPDX规范被公认为安全性、许可证合规性和其他软件供应链工件的国际开放标准,如ISO/IEC 5962:2021

SPDX格式还被应用于教育领域。一些教育机构和开源组织将SPDX格式用于教育目的,为学生提供关于软件许可证管理和软件组件元数据的知识。通过使用SPDX格式,学生可以更好地理解开源软件的世界,并学会如何使用标准化的方法来描述和管理软件组件。

3. 版本发展历史

  • 2023/05:发布了新的安全、构建、数据和人工智能配置文件的 SPDX 3.0-rc1。
  • 2022/08:发布SPDX 2.3,以提高与其他格式的互操作性。
  • 2015/05:SPDX 2.0 规范增加了处理多个包、包和文件之间的关系以及注释的能力。
  • 2013/10:SPDX 1.2 规范–改进了与许可证列表的交互,增加了用于记录项目信息的字段。
  • 2011/08:SPDX 1.0 规范处理封装。
  • 2010/02:规范起草工作开始于Linux基金会下属的 FOSSBazaar 工作组,该工作组后来被称为“SPDX”,最初被称为Package Facts。

4. 主要内容

在SPDX格式中,每个元素都有其特定的标签和结构,以便于自动解析和解析。此外,SPDX格式还提供了一种标准化的方法来组织这些元素,使其易于理解和使用。

SPDX格式的主要内容包括许可证、版本控制、依赖项和其他元数据:

  • 软件包信息:记录软件包的基本信息,如名称、版本号、描述等。
  • 许可证信息:详细描述软件包使用的许可证类型及相关要求。这有助于组织遵守不同许可证的规定,确保合规性。
  • 文件级别信息:列出软件包中每个文件的信息,包括文件名、路径、大小等。这有助于识别和跟踪软件组件,管理依赖关系。
  • 依赖关系:记录软件包与其他软件包之间的依赖关系,包括版本要求、兼容性等。这有助于评估软件包的稳定性和安全性。
  • 补丁信息:记录软件包中的补丁信息,包括修复的漏洞、安全更新等。这有助于了解软件包的安全状况。
  • 元数据:包括创建SPDX文档的时间、作者信息等元数据,有助于跟踪和管理SPDX文档的来源和历史。
  • 其他元数据:SPDX格式还包含其他元数据,如许可协议、版权声明、技术规范和文档链接等。

SPDX JSON 格式完整样例:

{
  "SPDXID" : "SPDXRef-DOCUMENT",
  "spdxVersion" : "SPDX-2.3",
  "creationInfo" : {
    "comment" : "This package has been shipped in source and binary form.\nThe binaries were created with gcc 4.5.1 and expect to link to\ncompatible system run time libraries.",
    "created" : "2010-01-29T18:30:22Z",
    "creators" : [ "Tool: LicenseFind-1.0", "Organization: ExampleCodeInspect ()", "Person: Jane Doe ()" ],
    "licenseListVersion" : "3.17"
  },
  "name" : "SPDX-Tools-v2.0",
  "dataLicense" : "CC0-1.0",
  "comment" : "This document was created using SPDX 2.0 using licenses from the web site.",
  "externalDocumentRefs" : [ {
    "externalDocumentId" : "DocumentRef-spdx-tool-1.2",
    "checksum" : {
      "algorithm" : "SHA1",
      "checksumValue" : "d6a770ba38583ed4bb4525bd96e50461655d2759"
    },
    "spdxDocument" : "http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301"
  } ],
  "hasExtractedLicensingInfos" : [ {
    "licenseId" : "LicenseRef-1",
    "extractedText" : "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n *    notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n *    notice, this list of conditions and the following disclaimer in the\n *    documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n *    derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/"
  }, {
    "licenseId" : "LicenseRef-2",
    "extractedText" : "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n© Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
  }, {
    "licenseId" : "LicenseRef-4",
    "extractedText" : "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n *    notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n *    notice, this list of conditions and the following disclaimer in the\n *    documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n *    derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/"
  }, {
    "licenseId" : "LicenseRef-Beerware-4.2",
    "comment" : "The beerware license has a couple of other standard variants.",
    "extractedText" : "\"THE BEER-WARE LICENSE\" (Revision 42):\nphk@FreeBSD.ORG wrote this file. As long as you retain this notice you\ncan do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp",
    "name" : "Beer-Ware License (Version 42)",
    "seeAlsos" : [ "http://people.freebsd.org/~phk/" ]
  }, {
    "licenseId" : "LicenseRef-3",
    "comment" : "This is tye CyperNeko License",
    "extractedText" : "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark.  All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n   notice, this list of conditions and the following disclaimer. \n\n2. Redistributions in binary form must reproduce the above copyright\n   notice, this list of conditions and the following disclaimer in\n   the documentation and/or other materials provided with the\n   distribution.\n\n3. The end-user documentation included with the redistribution,\n   if any, must include the following acknowledgment:  \n     \"This product includes software developed by Andy Clark.\"\n   Alternately, this acknowledgment may appear in the software itself,\n   if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n   or promote products derived from this software without prior \n   written permission. For written permission, please contact \n   andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n   nor may \"CyberNeko\" appear in their name, without prior written\n   permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.",
    "name" : "CyberNeko License",
    "seeAlsos" : [ "http://people.apache.org/~andyc/neko/LICENSE", "http://justasample.url.com" ]
  } ],
  "annotations" : [ {
    "annotationDate" : "2010-01-29T18:30:22Z",
    "annotationType" : "OTHER",
    "annotator" : "Person: Jane Doe ()",
    "comment" : "Document level annotation"
  }, {
    "annotationDate" : "2010-02-10T00:00:00Z",
    "annotationType" : "REVIEW",
    "annotator" : "Person: Joe Reviewer",
    "comment" : "This is just an example.  Some of the non-standard licenses look like they are actually BSD 3 clause licenses"
  }, {
    "annotationDate" : "2011-03-13T00:00:00Z",
    "annotationType" : "REVIEW",
    "annotator" : "Person: Suzanne Reviewer",
    "comment" : "Another example reviewer."
  } ],
  "documentDescribes" : [ "SPDXRef-File", "SPDXRef-Package" ],
  "documentNamespace" : "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301",
  "packages" : [ {
    "SPDXID" : "SPDXRef-Package",
    "annotations" : [ {
      "annotationDate" : "2011-01-29T18:30:22Z",
      "annotationType" : "OTHER",
      "annotator" : "Person: Package Commenter",
      "comment" : "Package level annotation"
    } ],
    "attributionTexts" : [ "The GNU C Library is free software.  See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed.  License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." ],
    "builtDate" : "2011-01-29T18:30:22Z",
    "checksums" : [ {
      "algorithm" : "MD5",
      "checksumValue" : "624c1abb3664f4b35547e7c73864ad24"
    }, {
      "algorithm" : "SHA1",
      "checksumValue" : "85ed0817af83a24ad8da68c2b5094de69833983c"
    }, {
      "algorithm" : "SHA256",
      "checksumValue" : "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd"
    }, {
      "algorithm" : "BLAKE2b-384",
      "checksumValue" : "aaabd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706"
    } ],
    "copyrightText" : "Copyright 2008-2010 John Smith",
    "description" : "The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems.",
    "downloadLocation" : "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz",
    "externalRefs" : [ {
      "referenceCategory" : "SECURITY",
      "referenceLocator" : "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*",
      "referenceType" : "cpe23Type"
    }, {
      "comment" : "This is the external ref for Acme",
      "referenceCategory" : "OTHER",
      "referenceLocator" : "acmecorp/acmenator/4.1.3-alpha",
      "referenceType" : "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge"
    } ],
    "filesAnalyzed" : true,
    "homepage" : "http://ftp.gnu.org/gnu/glibc",
    "licenseComments" : "The license for this project changed with the release of version x.y.  The version of the project included here post-dates the license change.",
    "licenseConcluded" : "(LGPL-2.0-only OR LicenseRef-3)",
    "licenseDeclared" : "(LGPL-2.0-only AND LicenseRef-3)",
    "licenseInfoFromFiles" : [ "GPL-2.0-only", "LicenseRef-2", "LicenseRef-1" ],
    "name" : "glibc",
    "originator" : "Organization: ExampleCodeInspect (contact@example.com)",
    "packageFileName" : "glibc-2.11.1.tar.gz",
    "packageVerificationCode" : {
      "packageVerificationCodeExcludedFiles" : [ "./package.spdx" ],
      "packageVerificationCodeValue" : "d6a770ba38583ed4bb4525bd96e50461655d2758"
    },
    "primaryPackagePurpose" : "SOURCE",
    "hasFiles" : [ "SPDXRef-Specification", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-DoapSource", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-DoapSource" ],
    "releaseDate" : "2012-01-29T18:30:22Z",
    "sourceInfo" : "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.",
    "summary" : "GNU C library.",
    "supplier" : "Person: Jane Doe (jane.doe@example.com)",
    "validUntilDate" : "2014-01-29T18:30:22Z",
    "versionInfo" : "2.11.1"
  }, {
    "SPDXID" : "SPDXRef-fromDoap-1",
    "copyrightText" : "NOASSERTION",
    "downloadLocation" : "NOASSERTION",
    "filesAnalyzed" : false,
    "homepage" : "http://commons.apache.org/proper/commons-lang/",
    "licenseConcluded" : "NOASSERTION",
    "licenseDeclared" : "NOASSERTION",
    "name" : "Apache Commons Lang"
  }, {
    "SPDXID" : "SPDXRef-fromDoap-0",
    "downloadLocation" : "https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz",
    "externalRefs" : [ {
      "referenceCategory" : "PACKAGE-MANAGER",
      "referenceLocator" : "pkg:maven/org.apache.jena/apache-jena@3.12.0",
      "referenceType" : "purl"
    } ],
    "filesAnalyzed" : false,
    "homepage" : "http://www.openjena.org/",
    "name" : "Jena",
    "versionInfo" : "3.12.0"
  }, {
    "SPDXID" : "SPDXRef-Saxon",
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "85ed0817af83a24ad8da68c2b5094de69833983c"
    } ],
    "copyrightText" : "Copyright Saxonica Ltd",
    "description" : "The Saxon package is a collection of tools for processing XML documents.",
    "downloadLocation" : "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download",
    "filesAnalyzed" : false,
    "homepage" : "http://saxon.sourceforge.net/",
    "licenseComments" : "Other versions available for a commercial license",
    "licenseConcluded" : "MPL-1.0",
    "licenseDeclared" : "MPL-1.0",
    "name" : "Saxon",
    "packageFileName" : "saxonB-8.8.zip",
    "versionInfo" : "8.8"
  } ],
  "files" : [ {
    "SPDXID" : "SPDXRef-DoapSource",
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"
    } ],
    "copyrightText" : "Copyright 2010, 2011 Source Auditor Inc.",
    "fileContributors" : [ "Protecode Inc.", "SPDX Technical Team Members", "Open Logic Inc.", "Source Auditor Inc.", "Black Duck Software In.c" ],
    "fileName" : "./src/org/spdx/parser/DOAPProject.java",
    "fileTypes" : [ "SOURCE" ],
    "licenseConcluded" : "Apache-2.0",
    "licenseInfoInFiles" : [ "Apache-2.0" ]
  }, {
    "SPDXID" : "SPDXRef-CommonsLangSrc",
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "c2b4e1c67a2d28fced849ee1bb76e7391b93f125"
    } ],
    "comment" : "This file is used by Jena",
    "copyrightText" : "Copyright 2001-2011 The Apache Software Foundation",
    "fileContributors" : [ "Apache Software Foundation" ],
    "fileName" : "./lib-source/commons-lang3-3.1-sources.jar",
    "fileTypes" : [ "ARCHIVE" ],
    "licenseConcluded" : "Apache-2.0",
    "licenseInfoInFiles" : [ "Apache-2.0" ],
    "noticeText" : "Apache Commons Lang\nCopyright 2001-2011 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\nThis product includes software from the Spring Framework,\nunder the Apache License 2.0 (see: StringUtils.containsWhitespace())"
  }, {
    "SPDXID" : "SPDXRef-JenaLib",
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "3ab4e1c67a2d28fced849ee1bb76e7391b93f125"
    } ],
    "comment" : "This file belongs to Jena",
    "copyrightText" : "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP",
    "fileContributors" : [ "Apache Software Foundation", "Hewlett Packard Inc." ],
    "fileName" : "./lib-source/jena-2.6.3-sources.jar",
    "fileTypes" : [ "ARCHIVE" ],
    "licenseComments" : "This license is used by Jena",
    "licenseConcluded" : "LicenseRef-1",
    "licenseInfoInFiles" : [ "LicenseRef-1" ]
  }, {
    "SPDXID" : "SPDXRef-Specification",
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "fff4e1c67a2d28fced849ee1bb76e7391b93f125"
    } ],
    "comment" : "Specification Documentation",
    "fileName" : "./docs/myspec.pdf",
    "fileTypes" : [ "DOCUMENTATION" ]
  }, {
    "SPDXID" : "SPDXRef-File",
    "annotations" : [ {
      "annotationDate" : "2011-01-29T18:30:22Z",
      "annotationType" : "OTHER",
      "annotator" : "Person: File Commenter",
      "comment" : "File level annotation"
    } ],
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "d6a770ba38583ed4bb4525bd96e50461655d2758"
    }, {
      "algorithm" : "MD5",
      "checksumValue" : "624c1abb3664f4b35547e7c73864ad24"
    } ],
    "comment" : "The concluded license was taken from the package level that the file was included in.\nThis information was found in the COPYING.txt file in the xyz directory.",
    "copyrightText" : "Copyright 2008-2010 John Smith",
    "fileContributors" : [ "The Regents of the University of California", "Modified by Paul Mundt lethal@linux-sh.org", "IBM Corporation" ],
    "fileName" : "./package/foo.c",
    "fileTypes" : [ "SOURCE" ],
    "licenseComments" : "The concluded license was taken from the package level that the file was included in.",
    "licenseConcluded" : "(LGPL-2.0-only OR LicenseRef-2)",
    "licenseInfoInFiles" : [ "GPL-2.0-only", "LicenseRef-2" ],
    "noticeText" : "Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: \nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE."
  } ],
  "snippets" : [ {
    "SPDXID" : "SPDXRef-Snippet",
    "comment" : "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0.",
    "copyrightText" : "Copyright 2008-2010 John Smith",
    "licenseComments" : "The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz.",
    "licenseConcluded" : "GPL-2.0-only",
    "licenseInfoInSnippets" : [ "GPL-2.0-only" ],
    "name" : "from linux kernel",
    "ranges" : [ {
      "endPointer" : {
        "offset" : 420,
        "reference" : "SPDXRef-DoapSource"
      },
      "startPointer" : {
        "offset" : 310,
        "reference" : "SPDXRef-DoapSource"
      }
    }, {
      "endPointer" : {
        "lineNumber" : 23,
        "reference" : "SPDXRef-DoapSource"
      },
      "startPointer" : {
        "lineNumber" : 5,
        "reference" : "SPDXRef-DoapSource"
      }
    } ],
    "snippetFromFile" : "SPDXRef-DoapSource"
  } ],
  "relationships" : [ {
    "spdxElementId" : "SPDXRef-DOCUMENT",
    "relationshipType" : "CONTAINS",
    "relatedSpdxElement" : "SPDXRef-Package"
  }, {
    "spdxElementId" : "SPDXRef-DOCUMENT",
    "relationshipType" : "COPY_OF",
    "relatedSpdxElement" : "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement"
  }, {
    "spdxElementId" : "SPDXRef-Package",
    "relationshipType" : "DYNAMIC_LINK",
    "relatedSpdxElement" : "SPDXRef-Saxon"
  }, {
    "spdxElementId" : "SPDXRef-CommonsLangSrc",
    "relationshipType" : "GENERATED_FROM",
    "relatedSpdxElement" : "NOASSERTION"
  }, {
    "spdxElementId" : "SPDXRef-JenaLib",
    "relationshipType" : "CONTAINS",
    "relatedSpdxElement" : "SPDXRef-Package"
  }, {
    "spdxElementId" : "SPDXRef-Specification",
    "relationshipType" : "SPECIFICATION_FOR",
    "relatedSpdxElement" : "SPDXRef-fromDoap-0"
  }, {
    "spdxElementId" : "SPDXRef-File",
    "relationshipType" : "GENERATED_FROM",
    "relatedSpdxElement" : "SPDXRef-fromDoap-0"
  } ]
}

若想了解更多 SPDX 格式的规范细节,可参阅官方最新文档 The System Package Data Exchange® (SPDX®) Specification Version 3.0.pdf (访问密码: 6277)。

5. 辅助工具

SPDX 官方提供了一些辅助工具,包含在线工具、开源工具及商用工具,可以提供 SPDX 格式文档的校验、转换、对比、生成及解析等功能。
在这里插入图片描述

6. 总结

SPDX格式是一种用于描述软件组件的规范,提供了一种标准化的方法来描述软件组件的元数据,包括其许可证、依赖项和其他属性。随着开源和共享软件开发环境的普及,SPDX格式得到了广泛的应用。

通过SPDX格式,组织可以更好地了解和管理软件供应链,降低合规风险,提高软件质量,加强安全性。SPDX作为一个开放的标准格式,为软件行业的合作和创新提供了重要的基础。

7. 参考

[1] https://spdx.dev/
[2] SPDXJSONExample-v2.3.spdx.json
[3] https://spdx.dev/use/specifications/


推荐阅读:

  • 「 网络安全常用术语解读 」漏洞利用交换VEX详解
  • 「 网络安全常用术语解读 」软件成分分析SCA详解:从发展背景到技术原理再到业界常用检测工具推荐
  • 「 网络安全常用术语解读 」什么是0day、1day、nday漏洞
  • 「 网络安全常用术语解读 」软件物料清单SBOM详解
  • 「 网络安全常用术语解读 」杀链Kill Chain详解
  • 「 网络安全术语解读 」点击劫持Clickjacking详解
  • 「 网络安全术语解读 」悬空标记注入详解
  • 「 网络安全术语解读 」内容安全策略CSP详解
  • 「 网络安全常用术语解读 」同源策略SOP详解
  • 「 网络安全术语解读 」静态分析结果交换格式SARIF详解
  • 「 网络安全常用术语解读 」安全自动化协议SCAP详解
  • 「 网络安全术语解读 」通用平台枚举CPE详解
  • 「 网络安全常用术语解读 」通用缺陷枚举CWE详解
  • 「 网络安全常用术语解读 」通用漏洞披露CVE详解
  • 「 网络安全常用术语解读 」通用漏洞评分系统CVSS详解
  • 「 网络安全常用术语解读 」漏洞利用交换VEX详解
  • 「 网络安全常用术语解读 」软件成分分析SCA详解:从发展背景到技术原理再到业界常用检测工具推荐
  • 「 网络安全术语解读 」通用攻击模式枚举和分类CAPEC详解
  • 「 网络安全常用术语解读 」网络攻击者的战术、技术和常识知识库ATT&CK详解

在这里插入图片描述

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:/a/574745.html

如若内容造成侵权/违法违规/事实不符,请联系我们进行投诉反馈qq邮箱809451989@qq.com,一经查实,立即删除!

相关文章

家庭环境如何异地组网装修?

家庭异地组网装修是如今越来越受到人们关注的问题。在现代社会中,家庭成员经常因为各种原因而分散在不同的地区。这种情况下,如何实现家庭网络的高效通信变得尤为重要。本文将介绍一款异地组网产品——【天联】组网,它能够帮助家庭解决异地组…

STM32中断系统详解

系列文章目录 STM32单片机系列专栏 C语言术语和结构总结专栏 文章目录 1. 中断基本概念 2. STM32中断 3. NVIC的基本组件 3.1 NVIC的基本组件 3.2 NVIC的优先级 4. EXTI外部中断 4.1 基本概念 4.2 基本结构 5. AFIO 1. 中断基本概念 中断(Interrupt&…

测试的分类(3)

目录 按照测试阶段测试 系统测试 冒烟测试和回归测试的区别 验收测试 单元测试, 集成测试, 系统测试, 回归测试之间的关系 是否按手工进行测试 手工测试 自动化测试 自动化测试和手工测试的优缺点 自动化测试优点 自动化测试缺点 手工测试优点 手工测试缺点 按照…

Oracle导出导入dmp等文件类型的多表数据的常用方法、遇见的常见问题和解决办法(exp无效sql???)

使用PLSQL执行导出表数据的时候有两种方法 1、使用Oracle命令【imp--exp】【impdp--expdp】 但是如果你的本机没有安装有Oracle数据库,使用的instant client远程连接服务器上的Oracle数据库时候,你没有Oracle数据库带有的exp.exe、imp.exe等扩展文件&a…

详解23种设计模式——工厂模式

工厂模式 | CoderMast编程桅杆工厂模式 设计思想 工厂模式是最常用的设计模式之一,属于创建型模式,将创建对象的权利交给了一个工厂类,从而提供了一种不使用构造方法的情况下创建对象的途径,无需指定要创建的具体类,将…

重仓比特币

作者:Arthur Hayes Co-Founder of 100x. 编译:liam ccvalue (下文中表达的任何观点均为作者的个人观点,不应作为投资决策的依据,也不应被视为参与投资交易的建议或意见)。 我们中断牛市常规节目,为您播报这…

Android14之修改编译vendor.img(二百零七)

简介: CSDN博客专家,专注Android/Linux系统,分享多mic语音方案、音视频、编解码等技术,与大家一起成长! 优质专栏:Audio工程师进阶系列【原创干货持续更新中……】🚀 优质专栏:多媒…

HTML列表、表格、表单

1.列表 列表分类&#xff1a;无序、有序、定义 2.无序列表&#xff08;unordered list&#xff09; ul嵌套li&#xff0c;ul是无序列表。li是列表条目。 ur标签里面只能包含li标签。 li里面可以包含任何内容。 3.有序列表&#xff08;ordered list&#xff09; <ol>…

OpenMesh 计算封闭网格体积

文章目录 一、简介二、实现代码三、实现效果参考资料一、简介 思路很是简单,就是计算一些四面体的有向体积(这些四面体均是基于网格中的三角形与原点组成的) ,至于体积的符号则来自于三角形是否指向原点方向来确定,即面片的法线方向(其中三角形的法线本身取决于顶点的顺序…

高频问题|如何给指定的表达式添加小括号避免优先级问题?

关注它&#xff0c;不迷路。 本文章中所有内容仅供学习交流&#xff0c;不可用于任何商业用途和非法用途&#xff0c;否则后果自负&#xff0c;如有侵权&#xff0c;请联系作者立即删除&#xff01; 1.问题 如题&#xff0c;如何给指定的表达式添加小括号避免优先级问题…

远程控制安卓手机:便捷、高效与安全的方法

在移动设备的领域里&#xff0c;远程控制安卓手机的能力也变得越来越重要。这种技术可以让我们在远程地点方便地操作手机&#xff0c;无论是处理紧急事务、帮助他人解决问题&#xff0c;还是仅仅为了享受科技带来的便利。本文将为你介绍2种便捷、高效且安全的方法&#xff0c;让…

MacOS通过命令行开启关闭向日葵远程控制的后台服务

categories: [Tips] tags: MacOS Tips 写在前面 经常有小伙伴问我电脑相关的问题, 而解决问题的一个重要途径就是远程了. 关于免费的远程工具我试过向日葵和 todesk, 并且主要使用向日葵, 虽然 MacOS 下要设置很多权限, 但是也不影响其丝滑的控制. 虽然用着舒服, 但是向日葵…

JS设计模式-透过现象看本质

JS设计模式-透过现象看本质 设计模式SOLID设计原则创建型构造器模式工厂模式 - 简单工厂工厂模式 - 抽象工厂&#xff08;开发封闭原则&#xff09;构造器和简单、抽象工厂的区别 单例模式原型模式 结构型装饰器模式适配器模式代理模式事件代理 - 事件冒泡虚拟代理 - 通过Image…

JAVA毕业设计136—基于Java+Springboot+Vue的房屋租赁管理系统(源代码+数据库)

毕设所有选题&#xff1a; https://blog.csdn.net/2303_76227485/article/details/131104075 基于JavaSpringbootVue的房屋租赁管理系统(源代码数据库)136 一、系统介绍 本项目前后端分离&#xff0c;分为管理员、用户、工作人员、房东四种角色 1、用户/房东&#xff1a; …

开源博客项目Blog .NET Core源码学习(18:App.Hosting项目结构分析-6)

本文学习并分析App.Hosting项目中后台管理页面的_AminLayout.cshtml模版页面和登录页面。 _AminLayout.cshtml模版页面 后台管理页面中的大部分页面都使用_AminLayout.cshtml作为模板页面&#xff0c;如下图所示&#xff0c;后台页面的视图内容放置在表单中&#xff0c;使用la…

Java openrasp记录-01

例子1 https://github.com/anbai-inc/javaweb-expression 一个hook ognl、spel、MVEL表达式注入的例子 用的是asm5进行字节码修改 采用premain进行插桩&#xff0c;重写transform方法 expClassList是要hook的类&#xff0c;这里定义在MethodHookDesc 这里判断hook点通过类名…

Kafka 3.x.x 入门到精通(03)——对标尚硅谷Kafka教程

Kafka 3.x.x 入门到精通&#xff08;03&#xff09;——对标尚硅谷Kafka教程 2. Kafka基础2.1 集群部署2.2 集群启动2.3 创建主题2.4 生产消息2.4.1 生产消息的基本步骤2.4.2 生产消息的基本代码2.4.3 发送消息2.4.3.1 拦截器2.4.3.1.1 增加拦截器类2.4.3.1.2 配置拦截器 2.4.3…

RDD编程初级实践

参考链接 spark入门实战系列--8MLlib spark 实战_mob6454cc68310b的技术博客_51CTO博客https://blog.51cto.com/u_16099212/7454034 Spark和Hadoop的安装-CSDN博客https://blog.csdn.net/weixin_64066303/article/details/138021948?spm1001.2014.3001.5501 1. spark-shell…

JAVAEE—HTTPS和ssl证书

0[toc] 什么是HTTPS HTTPS 也是一个应用层协议. 是在 HTTP 协议的基础上引入了一个加密层. HTTP 协议内容都是按照文本的方式明文传输的. 这就导致在传输过程中出现一些被篡改的情况而HTTPS则是新采用加密的方式进行传输 为什么需要HTTPS 为什么要使用HTTPS呢&#xff1f;这…

【SpringCloud】LoadBalance负载均衡服务调用快速入门

【SpringCloud】LoadBalance负载均衡服务调用快速入门 文章目录 【SpringCloud】LoadBalance负载均衡服务调用快速入门1. 概述2. 引入依赖3. 配置、验证3.1 配置3.2 验证 1. 概述 官网地址&#xff1a;点击跳转 Spring Cloud LoadBalancer 是由 SpringCloud 官方提供的一个开…