mirror of
https://github.com/anchore/syft.git
synced 2025-11-17 08:23:15 +01:00
706322f826
* add initial spdx support Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * expose FileOwner and use in SPDX presenter Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add initial json support for SPDX Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add remaining package fields Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add spdx license list generation + tests Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * keep fileOwner unexported from pkg Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * restore cli test util Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add external refs to spdx tag-value format Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add golang support to CPE generation Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * use tag-value format as default "spdx" format flavor Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add tests around spdx presenters + refactor presenter tests Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add bouncer exception for spdx tools-golang repo Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * remove spdx model questions Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
182 lines
11 KiB
Go
182 lines
11 KiB
Go
package spdx22
|
|
|
|
type Relationship struct {
|
|
// SPDX ID for SpdxElement. A related SpdxElement.
|
|
RelatedSpdxElement string `json:"relatedSpdxElement"`
|
|
// Describes the type of relationship between two SPDX elements.
|
|
RelationshipType RelationshipType `json:"relationshipType"`
|
|
Comment string `json:"comment,omitempty"`
|
|
}
|
|
|
|
// source: https://spdx.github.io/spdx-spec/7-relationships-between-SPDX-elements/
|
|
type RelationshipType string
|
|
|
|
const (
|
|
// DescribedByRelationship is to be used when SPDXRef-A is described by SPDXREF-Document.
|
|
// Example: The package 'WildFly' is described by SPDX document WildFly.spdx.
|
|
DescribedByRelationship RelationshipType = "DESCRIBED_BY"
|
|
|
|
// ContainsRelationship is to be used when SPDXRef-A contains SPDXRef-B.
|
|
// Example: An ARCHIVE file bar.tgz contains a SOURCE file foo.c.
|
|
ContainsRelationship RelationshipType = "CONTAINS"
|
|
|
|
// ContainedByRelationship is to be used when SPDXRef-A is contained by SPDXRef-B.
|
|
// Example: A SOURCE file foo.c is contained by ARCHIVE file bar.tgz
|
|
ContainedByRelationship RelationshipType = "CONTAINED_BY"
|
|
|
|
// DependsOnRelationship is to be used when SPDXRef-A depends on SPDXRef-B.
|
|
// Example: Package A depends on the presence of package B in order to build and run
|
|
DependsOnRelationship RelationshipType = "DEPENDS_ON"
|
|
|
|
// DependencyOfRelationship is to be used when SPDXRef-A is dependency of SPDXRef-B.
|
|
// Example: A is explicitly stated as a dependency of B in a machine-readable file. Use when a package manager does not define scopes.
|
|
DependencyOfRelationship RelationshipType = "DEPENDENCY_OF"
|
|
|
|
// DependencyManifestOfRelationship is to be used when SPDXRef-A is a manifest file that lists a set of dependencies for SPDXRef-B.
|
|
// Example: A file package.json is the dependency manifest of a package foo. Note that only one manifest should be used to define the same dependency graph.
|
|
DependencyManifestOfRelationship RelationshipType = "DEPENDENCY_MANIFEST_OF"
|
|
|
|
// BuildDependencyOfRelationship is to be used when SPDXRef-A is a build dependency of SPDXRef-B.
|
|
// Example: A is in the compile scope of B in a Maven project.
|
|
BuildDependencyOfRelationship RelationshipType = "BUILD_DEPENDENCY_OF"
|
|
|
|
// DevDependencyOfRelationship is to be used when SPDXRef-A is a development dependency of SPDXRef-B.
|
|
// Example: A is in the devDependencies scope of B in a Maven project.
|
|
DevDependencyOfRelationship RelationshipType = "DEV_DEPENDENCY_OF"
|
|
|
|
// OptionalDependencyOfRelationship is to be used when SPDXRef-A is an optional dependency of SPDXRef-B.
|
|
// Example: Use when building the code will proceed even if a dependency cannot be found, fails to install, or is only installed on a specific platform. For example, A is in the optionalDependencies scope of npm project B.
|
|
OptionalDependencyOfRelationship RelationshipType = "OPTIONAL_DEPENDENCY_OF"
|
|
|
|
// ProvidedDependencyOfRelationship is to be used when SPDXRef-A is a to be provided dependency of SPDXRef-B.
|
|
// Example: A is in the provided scope of B in a Maven project, indicating that the project expects it to be provided, for instance, by the container or JDK.
|
|
ProvidedDependencyOfRelationship RelationshipType = "PROVIDED_DEPENDENCY_OF"
|
|
|
|
// TestDependencyOfRelationship is to be used when SPDXRef-A is a test dependency of SPDXRef-B.
|
|
// Example: A is in the test scope of B in a Maven project.
|
|
TestDependencyOfRelationship RelationshipType = "TEST_DEPENDENCY_OF"
|
|
|
|
// RuntimeDependencyOfRelationship is to be used when SPDXRef-A is a dependency required for the execution of SPDXRef-B.
|
|
// Example: A is in the runtime scope of B in a Maven project.
|
|
RuntimeDependencyOfRelationship RelationshipType = "RUNTIME_DEPENDENCY_OF"
|
|
|
|
// ExampleOfRelationship is to be used when SPDXRef-A is an example of SPDXRef-B.
|
|
// Example: The file or snippet that illustrates how to use an application or library.
|
|
ExampleOfRelationship RelationshipType = "EXAMPLE_OF"
|
|
|
|
// GeneratesRelationship is to be used when SPDXRef-A generates SPDXRef-B.
|
|
// Example: A SOURCE file makefile.mk generates a BINARY file a.out
|
|
GeneratesRelationship RelationshipType = "GENERATES"
|
|
|
|
// GeneratedFromRelationship is to be used when SPDXRef-A was generated from SPDXRef-B.
|
|
// Example: A BINARY file a.out has been generated from a SOURCE file makefile.mk. A BINARY file foolib.a is generated from a SOURCE file bar.c.
|
|
GeneratedFromRelationship RelationshipType = "GENERATED_FROM"
|
|
|
|
// AncestorOfRelationship is to be used when SPDXRef-A is an ancestor (same lineage but pre-dates) SPDXRef-B.
|
|
// Example: A SOURCE file makefile.mk is a version of the original ancestor SOURCE file 'makefile2.mk'
|
|
AncestorOfRelationship RelationshipType = "ANCESTOR_OF"
|
|
|
|
// DescendantOfRelationship is to be used when SPDXRef-A is a descendant of (same lineage but postdates) SPDXRef-B.
|
|
// Example: A SOURCE file makefile2.mk is a descendant of the original SOURCE file 'makefile.mk'
|
|
DescendantOfRelationship RelationshipType = "DESCENDANT_OF"
|
|
|
|
// VariantOfRelationship is to be used when SPDXRef-A is a variant of (same lineage but not clear which came first) SPDXRef-B.
|
|
// Example: A SOURCE file makefile2.mk is a variant of SOURCE file makefile.mk if they differ by some edit, but there is no way to tell which came first (no reliable date information).
|
|
VariantOfRelationship RelationshipType = "VARIANT_OF"
|
|
|
|
// DistributionArtifactRelationship is to be used when distributing SPDXRef-A requires that SPDXRef-B also be distributed.
|
|
// Example: A BINARY file foo.o requires that the ARCHIVE file bar-sources.tgz be made available on distribution.
|
|
DistributionArtifactRelationship RelationshipType = "DISTRIBUTION_ARTIFACT"
|
|
|
|
// PatchForRelationship is to be used when SPDXRef-A is a patch file for (to be applied to) SPDXRef-B.
|
|
// Example: A SOURCE file foo.diff is a patch file for SOURCE file foo.c.
|
|
PatchForRelationship RelationshipType = "PATCH_FOR"
|
|
|
|
// PatchAppliedRelationship is to be used when SPDXRef-A is a patch file that has been applied to SPDXRef-B.
|
|
// Example: A SOURCE file foo.diff is a patch file that has been applied to SOURCE file 'foo-patched.c'.
|
|
PatchAppliedRelationship RelationshipType = "PATCH_APPLIED"
|
|
|
|
// CopyOfRelationship is to be used when SPDXRef-A is an exact copy of SPDXRef-B.
|
|
// Example: A BINARY file alib.a is an exact copy of BINARY file a2lib.a.
|
|
CopyOfRelationship RelationshipType = "COPY_OF"
|
|
|
|
// FileAddedRelationship is to be used when SPDXRef-A is a file that was added to SPDXRef-B.
|
|
// Example: A SOURCE file foo.c has been added to package ARCHIVE bar.tgz.
|
|
FileAddedRelationship RelationshipType = "FILE_ADDED"
|
|
|
|
// FileDeletedRelationship is to be used when SPDXRef-A is a file that was deleted from SPDXRef-B.
|
|
// Example: A SOURCE file foo.diff has been deleted from package ARCHIVE bar.tgz.
|
|
FileDeletedRelationship RelationshipType = "FILE_DELETED"
|
|
|
|
// FileModifiedRelationship is to be used when SPDXRef-A is a file that was modified from SPDXRef-B.
|
|
// Example: A SOURCE file foo.c has been modified from SOURCE file foo.orig.c.
|
|
FileModifiedRelationship RelationshipType = "FILE_MODIFIED"
|
|
|
|
// ExpandedFromArchiveRelationship is to be used when SPDXRef-A is expanded from the archive SPDXRef-B.
|
|
// Example: A SOURCE file foo.c, has been expanded from the archive ARCHIVE file xyz.tgz.
|
|
ExpandedFromArchiveRelationship RelationshipType = "EXPANDED_FROM_ARCHIVE"
|
|
|
|
// DynamicLinkRelationship is to be used when SPDXRef-A dynamically links to SPDXRef-B.
|
|
// Example: An APPLICATION file 'myapp' dynamically links to BINARY file zlib.so.
|
|
DynamicLinkRelationship RelationshipType = "DYNAMIC_LINK"
|
|
|
|
// StaticLinkRelationship is to be used when SPDXRef-A statically links to SPDXRef-B.
|
|
// Example: An APPLICATION file 'myapp' statically links to BINARY zlib.a.
|
|
StaticLinkRelationship RelationshipType = "STATIC_LINK"
|
|
|
|
// DataFileOfRelationship is to be used when SPDXRef-A is a data file used in SPDXRef-B.
|
|
// Example: An IMAGE file 'kitty.jpg' is a data file of an APPLICATION 'hellokitty'.
|
|
DataFileOfRelationship RelationshipType = "DATA_FILE_OF"
|
|
|
|
// TestCaseOfRelationship is to be used when SPDXRef-A is a test case used in testing SPDXRef-B.
|
|
// Example: A SOURCE file testMyCode.java is a unit test file used to test an APPLICATION MyPackage.
|
|
TestCaseOfRelationship RelationshipType = "TEST_CASE_OF"
|
|
|
|
// BuildToolOfRelationship is to be used when SPDXRef-A is used to build SPDXRef-B.
|
|
// Example: A SOURCE file makefile.mk is used to build an APPLICATION 'zlib'.
|
|
BuildToolOfRelationship RelationshipType = "BUILD_TOOL_OF"
|
|
|
|
// DevToolOfRelationship is to be used when SPDXRef-A is used as a development tool for SPDXRef-B.
|
|
// Example: Any tool used for development such as a code debugger.
|
|
DevToolOfRelationship RelationshipType = "DEV_TOOL_OF"
|
|
|
|
// TestOfRelationship is to be used when SPDXRef-A is used for testing SPDXRef-B.
|
|
// Example: Generic relationship for cases where it's clear that something is used for testing but unclear whether it's TEST_CASE_OF or TEST_TOOL_OF.
|
|
TestOfRelationship RelationshipType = "TEST_OF"
|
|
|
|
// TestToolOfRelationship is to be used when SPDXRef-A is used as a test tool for SPDXRef-B.
|
|
// Example: Any tool used to test the code such as ESlint.
|
|
TestToolOfRelationship RelationshipType = "TEST_TOOL_OF"
|
|
|
|
// DocumentationOfRelationship is to be used when SPDXRef-A provides documentation of SPDXRef-B.
|
|
// Example: A DOCUMENTATION file readme.txt documents the APPLICATION 'zlib'.
|
|
DocumentationOfRelationship RelationshipType = "DOCUMENTATION_OF"
|
|
|
|
// OptionalComponentOfRelationship is to be used when SPDXRef-A is an optional component of SPDXRef-B.
|
|
// Example: A SOURCE file fool.c (which is in the contributors directory) may or may not be included in the build of APPLICATION 'atthebar'.
|
|
OptionalComponentOfRelationship RelationshipType = "OPTIONAL_COMPONENT_OF"
|
|
|
|
// MetafileOfRelationship is to be used when SPDXRef-A is a metafile of SPDXRef-B.
|
|
// Example: A SOURCE file pom.xml is a metafile of the APPLICATION 'Apache Xerces'.
|
|
MetafileOfRelationship RelationshipType = "METAFILE_OF"
|
|
|
|
// PackageOfRelationship is to be used when SPDXRef-A is used as a package as part of SPDXRef-B.
|
|
// Example: A Linux distribution contains an APPLICATION package gawk as part of the distribution MyLinuxDistro.
|
|
PackageOfRelationship RelationshipType = "PACKAGE_OF"
|
|
|
|
// AmendsRelationship is to be used when (current) SPDXRef-DOCUMENT amends the SPDX information in SPDXRef-B.
|
|
// Example: (Current) SPDX document A version 2 contains a correction to a previous version of the SPDX document A version 1. Note the reserved identifier SPDXRef-DOCUMENT for the current document is required.
|
|
AmendsRelationship RelationshipType = "AMENDS"
|
|
|
|
// PrerequisiteForRelationship is to be used when SPDXRef-A is a prerequisite for SPDXRef-B.
|
|
// Example: A library bar.dll is a prerequisite or dependency for APPLICATION foo.exe
|
|
PrerequisiteForRelationship RelationshipType = "PREREQUISITE_FOR"
|
|
|
|
// HasPrerequisiteRelationship is to be used when SPDXRef-A has as a prerequisite SPDXRef-B.
|
|
// Example: An APPLICATION foo.exe has prerequisite or dependency on bar.dll
|
|
HasPrerequisiteRelationship RelationshipType = "HAS_PREREQUISITE"
|
|
|
|
// OtherRelationship is to be used for a relationship which has not been defined in the formal SPDX specification. A description of the relationship should be included in the Relationship comments field.
|
|
OtherRelationship RelationshipType = "OTHER"
|
|
)
|