syft/internal/formats/spdx22json/model/document.go

package model

import "github.com/anchore/syft/syft/source"

// derived from:
// - https://spdx.github.io/spdx-spec/appendix-III-RDF-data-model-implementation-and-identifier-syntax/
// - https://github.com/spdx/spdx-spec/blob/v2.2/schemas/spdx-schema.json
// - https://github.com/spdx/spdx-spec/tree/v2.2/ontology

type Document struct {
	Element
	SPDXVersion string `json:"spdxVersion"`
	// One instance is required for each SPDX file produced. It provides the necessary information for forward
	// and backward compatibility for processing tools.
	CreationInfo CreationInfo `json:"creationInfo"`
	// SyftSourceData contains information about what is being described in this SPDX document (e.g. a container image, a directory, etc)
	SyftSourceData *source.Metadata `json:"syftSourceData,omitempty"`
	// 2.2: Data License; should be "CC0-1.0"
	// Cardinality: mandatory, one
	// License expression for dataLicense.  Compliance with the SPDX specification includes populating the SPDX
	// fields therein with data related to such fields (\"SPDX-Metadata\"). The SPDX specification contains numerous
	// fields where an SPDX document creator may provide relevant explanatory text in SPDX-Metadata. Without
	// opining on the lawfulness of \"database rights\" (in jurisdictions where applicable), such explanatory text
	// is copyrightable subject matter in most Berne Convention countries. By using the SPDX specification, or any
	// portion hereof, you hereby agree that any copyright rights (as determined by your jurisdiction) in any
	// SPDX-Metadata, including without limitation explanatory text, shall be subject to the terms of the Creative
	// Commons CC0 1.0 Universal license. For SPDX-Metadata not containing any copyright rights, you hereby agree
	// and acknowledge that the SPDX-Metadata is provided to you \"as-is\" and without any representations or
	// warranties of any kind concerning the SPDX-Metadata, express, implied, statutory or otherwise, including
	// without limitation warranties of title, merchantability, fitness for a particular purpose, non-infringement,
	// or the absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not
	// discoverable, all to the greatest extent permissible under applicable law.
	DataLicense string `json:"dataLicense"`
	// Information about an external SPDX document reference including the checksum. This allows for verification of the external references.
	ExternalDocumentRefs []ExternalDocumentRef `json:"externalDocumentRefs,omitempty"`
	// Indicates that a particular ExtractedLicensingInfo was defined in the subject SpdxDocument.
	HasExtractedLicensingInfos []HasExtractedLicensingInfo `json:"hasExtractedLicensingInfos,omitempty"`
	// note: found in example documents from SPDX, but not in the JSON schema. See https://spdx.github.io/spdx-spec/2-document-creation-information/#25-spdx-document-namespace
	DocumentNamespace string `json:"documentNamespace"`
	// note: found in example documents from SPDX, but not in the JSON schema
	// DocumentDescribes []string  `json:"documentDescribes"`
	Packages []Package `json:"packages"`
	// Files referenced in the SPDX document
	Files []File `json:"files,omitempty"`
	// Snippets referenced in the SPDX document
	Snippets []Snippet `json:"snippets,omitempty"`
	// Relationships referenced in the SPDX document
	Relationships []Relationship `json:"relationships,omitempty"`
}