From 6b186f98744885b07cf039ad309ca756f13b32d4 Mon Sep 17 00:00:00 2001 From: Bo Anderson Date: Thu, 8 Aug 2024 02:20:03 +0100 Subject: [PATCH 1/2] Fix SBOM schema validation --- .github/workflows/schemas.yml | 91 + Library/Homebrew/data/schemas/sbom.json | 750 ++ .../data/schemas/sbom.spdx.schema.3.json | 7816 ----------------- Library/Homebrew/sbom.rb | 6 +- Library/Homebrew/test/sbom_spec.rb | 7 + 5 files changed, 851 insertions(+), 7819 deletions(-) create mode 100644 .github/workflows/schemas.yml create mode 100644 Library/Homebrew/data/schemas/sbom.json delete mode 100644 Library/Homebrew/data/schemas/sbom.spdx.schema.3.json diff --git a/.github/workflows/schemas.yml b/.github/workflows/schemas.yml new file mode 100644 index 0000000000000..8a3d2d5c023e2 --- /dev/null +++ b/.github/workflows/schemas.yml 
@@ -0,0 +1,91 @@
+name: Update schema data
+on:
+ push:
+ paths:
+ - .github/workflows/schemas.yml
+ branches-ignore:
+ - master
+ schedule:
+ - cron: "0 0 * * *"
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ spdx:
+ if: github.repository == 'Homebrew/brew'
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Set up Homebrew
+ id: set-up-homebrew
+ uses: Homebrew/actions/setup-homebrew@master
+ with:
+ core: false
+ cask: false
+ test-bot: false
+
+ - name: Configure Git user
+ uses: Homebrew/actions/git-user-config@master
+ with:
+ username: BrewTestBot
+
+ - name: Set up commit signing
+ uses: Homebrew/actions/setup-commit-signing@master
+ with:
+ signing_key: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY }}
+
+ - name: Update schema data
+ id: update
+ env:
+ GITHUB_TOKEN: ${{ secrets.HOMEBREW_GITHUB_PUBLIC_REPO_TOKEN }}
+ HOMEBREW_GPG_PASSPHRASE: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY_PASSPHRASE }}
+ working-directory: ${{ steps.set-up-homebrew.outputs.repository-path }}
+ run: |
+ git fetch origin
+
+ BRANCH="schema-update"
+ echo "branch=${BRANCH}" >> "$GITHUB_OUTPUT"
+
+ if git ls-remote --exit-code --heads origin "${BRANCH}"
+ then
+ git checkout "${BRANCH}"
+ git checkout "Library/Homebrew/data/schemas"
+ else
+ git checkout --no-track -B "${BRANCH}" origin/master
+ fi
+
+ # Intentionally tracking 2.3.x to match what we output in sbom.rb. 3.0 also doesn't have a JSON Schema.
+ # Note: this is a 2.3.1 development branch - not a 2.3.1 tag. It contains bugfixes compared to 2.3.0.
+ curl --location --output Library/Homebrew/data/schemas/sbom.json https://raw.githubusercontent.com/spdx/spdx-spec/development/v2.3.1/schemas/spdx-schema.json
+ # https://github.com/spdx/spdx-spec/pull/1029
+ sed -i -e 's|\(2019-09/schema\)#|\1|' Library/Homebrew/data/schemas/sbom.json
+
+ if ! git diff --exit-code Library/Homebrew/data/schemas
+ then
+ git add "Library/Homebrew/data/schemas"
+ git commit -m "data/schemas: update schema data." -m "Autogenerated by [a scheduled GitHub Action](https://github.com/Homebrew/brew/blob/master/.github/workflows/schemas.yml)."
+ echo "committed=true" >> "$GITHUB_OUTPUT"
+ PULL_REQUEST_STATE="$(gh pr view --json=state | jq -r ".state")"
+ if [[ "${PULL_REQUEST_STATE}" != "OPEN" ]]
+ then
+ echo "pull_request=true" >> "$GITHUB_OUTPUT"
+ fi
+ fi
+
+ - name: Push commits
+ if: steps.update.outputs.committed == 'true'
+ uses: Homebrew/actions/git-try-push@master
+ with:
+ token: ${{ secrets.HOMEBREW_GITHUB_PUBLIC_REPO_TOKEN }}
+ directory: ${{ steps.set-up-homebrew.outputs.repository-path }}
+ branch: ${{ steps.update.outputs.branch }}
+ force: true
+ origin_branch: "master"
+
+ - name: Open a pull request
+ if: steps.update.outputs.pull_request == 'true'
+ run: gh pr create --fill
+ env:
+ GITHUB_TOKEN: ${{ secrets.HOMEBREW_GITHUB_PUBLIC_REPO_TOKEN }}
+ working-directory: ${{ steps.set-up-homebrew.outputs.repository-path }}
diff --git a/Library/Homebrew/data/schemas/sbom.json b/Library/Homebrew/data/schemas/sbom.json
new file mode 100644
index 0000000000000..a04cb525d59bb
--- /dev/null
+++ b/Library/Homebrew/data/schemas/sbom.json
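Review bot: The `curl` in the `Update schema data` run block has no `--fail`, so an HTTP error body from raw.githubusercontent.com would be written to Library/Homebrew/data/schemas/sbom.json, pass through the `sed`, show up as a change in `git diff`, and be committed, force-pushed and offered as a schema update. Adding `--fail` plus a parse check before the diff closes that gap: `curl --fail --location --output Library/Homebrew/data/schemas/sbom.json https://raw.githubusercontent.com/spdx/spdx-spec/development/v2.3.1/schemas/spdx-schema.json` followed by `jq empty Library/Homebrew/data/schemas/sbom.json` (jq is already used later in the same step). Since the source is a moving development branch rather than a pinned tag, as the comment notes, review of the opened pull request is the only gate on what lands in the committed schema; the `jq` check does not replace that review but keeps a non-JSON artifact from ever reaching it.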
@@ -0,0 +1,750 @@ +{ + "$schema" : "https://json-schema.org/draft/2019-09/schema", + "$id" : "http://spdx.org/rdf/terms/2.3", + "title" : "SPDX 2.3", + "type" : "object", + "properties" : { + "$schema": { + "type": "string", + "description": "Reference the SPDX 2.3 JSON schema." + }, + "SPDXID" : { + "type" : "string", + "description" : "Uniquely identify any element in an SPDX document which may be referenced by other elements." + }, + "annotations" : { + "description" : "Provide additional information about an SpdxElement.", + "type" : "array", + "items" : { + "type" : "object", + "properties" : { + "annotationDate" : { + "description" : "Identify when the comment was made. This is to be specified according to the combined date and time in the UTC format, as specified in the ISO 8601 standard.", + "type" : "string" + }, + "annotationType" : { + "description" : "Type of the annotation.", + "type" : "string", + "enum" : [ "OTHER", "REVIEW" ] + }, + "annotator" : { + "description" : "This field identifies the person, organization, or tool that has commented on a file, package, snippet, or the entire document.", + "type" : "string" + }, + "comment" : { + "type" : "string" + } + }, + "required" : [ "annotationDate", "annotationType", "annotator", "comment" ], + "additionalProperties" : false, + "description" : "An Annotation is a comment on an SpdxItem by an agent." + } + }, + "comment" : { + "type" : "string" + }, + "creationInfo" : { + "type" : "object", + "properties" : { + "comment" : { + "type" : "string" + }, + "created" : { + "description" : "Identify when the SPDX document was originally created. The date is to be specified according to combined date and time in UTC format as specified in ISO 8601 standard.", + "type" : "string" + }, + "creators" : { + "description" : "Identify who (or what, in the case of a tool) created the SPDX document. If the SPDX document was created by an individual, indicate the person's name. 
If the SPDX document was created on behalf of a company or organization, indicate the entity name. If the SPDX document was created using a software tool, indicate the name and version for that tool. If multiple participants or tools were involved, use multiple instances of this field. Person name or organization name may be designated as “anonymous” if appropriate.", + "minItems" : 1, + "type" : "array", + "items" : { + "description" : "Identify who (or what, in the case of a tool) created the SPDX document. If the SPDX document was created by an individual, indicate the person's name. If the SPDX document was created on behalf of a company or organization, indicate the entity name. If the SPDX document was created using a software tool, indicate the name and version for that tool. If multiple participants or tools were involved, use multiple instances of this field. Person name or organization name may be designated as “anonymous” if appropriate.", + "type" : "string" + } + }, + "licenseListVersion" : { + "description" : "An optional field for creators of the SPDX file to provide the version of the SPDX License List used when the SPDX file was created.", + "type" : "string" + } + }, + "required" : [ "created", "creators" ], + "additionalProperties" : false, + "description" : "One instance is required for each SPDX file produced. It provides the necessary information for forward and backward compatibility for processing tools." + }, + "dataLicense" : { + "description" : "License expression for dataLicense. See SPDX Annex D for the license expression syntax. Compliance with the SPDX specification includes populating the SPDX fields therein with data related to such fields (\"SPDX-Metadata\"). The SPDX specification contains numerous fields where an SPDX document creator may provide relevant explanatory text in SPDX-Metadata. 
Without opining on the lawfulness of \"database rights\" (in jurisdictions where applicable), such explanatory text is copyrightable subject matter in most Berne Convention countries. By using the SPDX specification, or any portion hereof, you hereby agree that any copyright rights (as determined by your jurisdiction) in any SPDX-Metadata, including without limitation explanatory text, shall be subject to the terms of the Creative Commons CC0 1.0 Universal license. For SPDX-Metadata not containing any copyright rights, you hereby agree and acknowledge that the SPDX-Metadata is provided to you \"as-is\" and without any representations or warranties of any kind concerning the SPDX-Metadata, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non-infringement, or the absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.", + "type" : "string" + }, + "externalDocumentRefs" : { + "description" : "Identify any external SPDX documents referenced within this SPDX document.", + "type" : "array", + "items" : { + "type" : "object", + "properties" : { + "checksum" : { + "type" : "object", + "properties" : { + "algorithm" : { + "description" : "Identifies the algorithm used to produce the subject Checksum. Currently, SHA-1 is the only supported algorithm. 
It is anticipated that other algorithms will be supported at a later time.", + "type" : "string", + "enum" : [ "SHA1", "BLAKE3", "SHA3-384", "SHA256", "SHA384", "BLAKE2b-512", "BLAKE2b-256", "SHA3-512", "MD2", "ADLER32", "MD4", "SHA3-256", "BLAKE2b-384", "SHA512", "MD6", "MD5", "SHA224" ] + }, + "checksumValue" : { + "description" : "The checksumValue property provides a lower case hexidecimal encoded digest value produced using a specific algorithm.", + "type" : "string" + } + }, + "required" : [ "algorithm", "checksumValue" ], + "additionalProperties" : false, + "description" : "A Checksum is value that allows the contents of a file to be authenticated. Even small changes to the content of the file will change its checksum. This class allows the results of a variety of checksum and cryptographic message digest algorithms to be represented." + }, + "externalDocumentId" : { + "description" : "externalDocumentId is a string containing letters, numbers, ., - and/or + which uniquely identifies an external document within this document.", + "type" : "string" + }, + "spdxDocument" : { + "description" : "SPDX ID for SpdxDocument. A property containing an SPDX document.", + "type" : "string" + } + }, + "required" : [ "checksum", "externalDocumentId", "spdxDocument" ], + "additionalProperties" : false, + "description" : "Information about an external SPDX document reference including the checksum. This allows for verification of the external references." 
+ } + }, + "hasExtractedLicensingInfos" : { + "description" : "Indicates that a particular ExtractedLicensingInfo was defined in the subject SpdxDocument.", + "type" : "array", + "items" : { + "type" : "object", + "properties" : { + "comment" : { + "type" : "string" + }, + "crossRefs" : { + "description" : "Cross Reference Detail for a license SeeAlso URL", + "type" : "array", + "items" : { + "type" : "object", + "properties" : { + "isLive" : { + "description" : "Indicate a URL is still a live accessible location on the public internet", + "type" : "boolean" + }, + "isValid" : { + "description" : "True if the URL is a valid well formed URL", + "type" : "boolean" + }, + "isWayBackLink" : { + "description" : "True if the License SeeAlso URL points to a Wayback archive", + "type" : "boolean" + }, + "match" : { + "description" : "Status of a License List SeeAlso URL reference if it refers to a website that matches the license text.", + "type" : "string" + }, + "order" : { + "description" : "The ordinal order of this element within a list", + "type" : "integer" + }, + "timestamp" : { + "description" : "Timestamp", + "type" : "string" + }, + "url" : { + "description" : "URL Reference", + "type" : "string" + } + }, + "required" : [ "url" ], + "additionalProperties" : false, + "description" : "Cross reference details for the a URL reference" + } + }, + "extractedText" : { + "description" : "Provide a copy of the actual text of the license reference extracted from the package, file or snippet that is associated with the License Identifier to aid in future analysis.", + "type" : "string" + }, + "licenseId" : { + "description" : "A human readable short form license identifier for a license. The license ID is either on the standard license list or the form \"LicenseRef-[idString]\" where [idString] is a unique string containing letters, numbers, \".\" or \"-\". 
When used within a license expression, the license ID can optionally include a reference to an external document in the form \"DocumentRef-[docrefIdString]:LicenseRef-[idString]\" where docRefIdString is an ID for an external document reference.", + "type" : "string" + }, + "name" : { + "description" : "Identify name of this SpdxElement.", + "type" : "string" + }, + "seeAlsos" : { + "type" : "array", + "items" : { + "type" : "string" + } + } + }, + "required" : [ "extractedText", "licenseId" ], + "additionalProperties" : false, + "description" : "An ExtractedLicensingInfo represents a license or licensing notice that was found in a package, file or snippet. Any license text that is recognized as a license may be represented as a License rather than an ExtractedLicensingInfo." + } + }, + "name" : { + "description" : "Identify name of this SpdxElement.", + "type" : "string" + }, + "revieweds" : { + "description" : "Reviewed", + "deprecated": true, + "type" : "array", + "items" : { + "type" : "object", + "properties" : { + "comment" : { + "type" : "string" + }, + "reviewDate" : { + "description" : "The date and time at which the SpdxDocument was reviewed. This value must be in UTC and have 'Z' as its timezone indicator.", + "type" : "string" + }, + "reviewer" : { + "description" : "The name and, optionally, contact information of the person who performed the review. Values of this property must conform to the agent and tool syntax. The reviewer property is deprecated in favor of Annotation with an annotationType review.", + "type" : "string" + } + }, + "required" : [ "reviewDate" ], + "additionalProperties" : false, + "description" : "This class has been deprecated in favor of an Annotation with an Annotation type of review." + } + }, + "spdxVersion" : { + "description" : "Provide a reference number that can be used to understand how to parse and interpret the rest of the file. 
It will enable both future changes to the specification and to support backward compatibility. The version number consists of a major and minor version indicator. The major field will be incremented when incompatible changes between versions are made (one or more sections are created, modified or deleted). The minor field will be incremented when backwards compatible changes are made.", + "type" : "string" + }, + "documentNamespace" : { + "type" : "string", + "description" : "The URI provides an unambiguous mechanism for other SPDX documents to reference SPDX elements within this SPDX document." + }, + "documentDescribes" : { + "description" : "DEPRECATED: use relationships instead of this field. Packages, files and/or Snippets described by this SPDX document", + "deprecated": true, + "$comment": "This field has been deprecated as it is a duplicate of using the SPDXRef-DOCUMENT DESCRIBES relationship", + "type" : "array", + "items" : { + "type" : "string", + "description" : "SPDX ID for each Package, File, or Snippet." + } + }, + "packages" : { + "description" : "Packages referenced in the SPDX document", + "type" : "array", + "items" : { + "type" : "object", + "properties" : { + "SPDXID" : { + "type" : "string", + "description" : "Uniquely identify any element in an SPDX document which may be referenced by other elements." + }, + "annotations" : { + "description" : "Provide additional information about an SpdxElement.", + "type" : "array", + "items" : { + "type" : "object", + "properties" : { + "annotationDate" : { + "description" : "Identify when the comment was made. 
This is to be specified according to the combined date and time in the UTC format, as specified in the ISO 8601 standard.", + "type" : "string" + }, + "annotationType" : { + "description" : "Type of the annotation.", + "type" : "string", + "enum" : [ "OTHER", "REVIEW" ] + }, + "annotator" : { + "description" : "This field identifies the person, organization, or tool that has commented on a file, package, snippet, or the entire document.", + "type" : "string" + }, + "comment" : { + "type" : "string" + } + }, + "required" : [ "annotationDate", "annotationType", "annotator", "comment" ], + "additionalProperties" : false, + "description" : "An Annotation is a comment on an SpdxItem by an agent." + } + }, + "attributionTexts" : { + "description" : "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", + "type" : "array", + "items" : { + "description" : "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). 
The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", + "type" : "string" + } + }, + "builtDate" : { + "description" : "This field provides a place for recording the actual date the package was built.", + "type" : "string" + }, + "checksums" : { + "description" : "The checksum property provides a mechanism that can be used to verify that the contents of a File or Package have not changed.", + "type" : "array", + "items" : { + "type" : "object", + "properties" : { + "algorithm" : { + "description" : "Identifies the algorithm used to produce the subject Checksum. Currently, SHA-1 is the only supported algorithm. It is anticipated that other algorithms will be supported at a later time.", + "type" : "string", + "enum" : [ "SHA1", "BLAKE3", "SHA3-384", "SHA256", "SHA384", "BLAKE2b-512", "BLAKE2b-256", "SHA3-512", "MD2", "ADLER32", "MD4", "SHA3-256", "BLAKE2b-384", "SHA512", "MD6", "MD5", "SHA224" ] + }, + "checksumValue" : { + "description" : "The checksumValue property provides a lower case hexidecimal encoded digest value produced using a specific algorithm.", + "type" : "string" + } + }, + "required" : [ "algorithm", "checksumValue" ], + "additionalProperties" : false, + "description" : "A Checksum is value that allows the contents of a file to be authenticated. Even small changes to the content of the file will change its checksum. This class allows the results of a variety of checksum and cryptographic message digest algorithms to be represented." 
+ } + }, + "comment" : { + "type" : "string" + }, + "copyrightText" : { + "description" : "The text of copyright declarations recited in the package, file or snippet.\n\nIf the copyrightText field is not present, it implies an equivalent meaning to NOASSERTION.", + "type" : "string" + }, + "description" : { + "description" : "Provides a detailed description of the package.", + "type" : "string" + }, + "downloadLocation" : { + "description" : "The URI at which this package is available for download. Private (i.e., not publicly reachable) URIs are acceptable as values of this property. The values http://spdx.org/rdf/terms#none and http://spdx.org/rdf/terms#noassertion may be used to specify that the package is not downloadable or that no attempt was made to determine its download location, respectively.", + "type" : "string" + }, + "externalRefs" : { + "description" : "An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package.", + "type" : "array", + "items" : { + "type" : "object", + "properties" : { + "comment" : { + "type" : "string" + }, + "referenceCategory" : { + "description" : "Category for the external reference", + "type" : "string", + "enum" : [ "OTHER", "PERSISTENT-ID", "PERSISTENT_ID", "SECURITY", "PACKAGE-MANAGER", "PACKAGE_MANAGER" ] + }, + "referenceLocator" : { + "description" : "The unique string with no spaces necessary to access the package-specific information, metadata, or content within the target location. The format of the locator is subject to constraints defined by the .", + "type" : "string" + }, + "referenceType" : { + "description" : "Type of the external reference. 
These are defined in an appendix in the SPDX specification.", + "type" : "string" + } + }, + "required" : [ "referenceCategory", "referenceLocator", "referenceType" ], + "additionalProperties" : false, + "description" : "An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package." + } + }, + "filesAnalyzed" : { + "description" : "Indicates whether the file content of this package has been available for or subjected to analysis when creating the SPDX document. If false indicates packages that represent metadata or URI references to a project, product, artifact, distribution or a component. If set to false, the package must not contain any files.", + "type" : "boolean" + }, + "hasFiles" : { + "description" : "DEPRECATED: use relationships instead of this field. Indicates that a particular file belongs to a package.", + "deprecated": true, + "$comment": "This field has been deprecated as it is a duplicate of using CONTAINS relationships from a package to files", + "type" : "array", + "items" : { + "description" : "SPDX ID for File. Indicates that a particular file belongs to a package.", + "type" : "string" + } + }, + "homepage" : { + "type" : "string" + }, + "licenseComments" : { + "description" : "The licenseComments property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded was chosen.", + "type" : "string" + }, + "licenseConcluded" : { + "description" : "License expression for licenseConcluded. See SPDX Annex D for the license expression syntax. 
The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the SPDX Item.\n\nIf the licenseConcluded field is not present for an SPDX Item, it implies an equivalent meaning to NOASSERTION.", + "type" : "string" + }, + "licenseDeclared" : { + "description" : "License expression for licenseDeclared. See SPDX Annex D for the license expression syntax. The licensing that the creators of the software in the package, or the packager, have declared. Declarations by the original software creator should be preferred, if they exist.", + "type" : "string" + }, + "licenseInfoFromFiles" : { + "description" : "The licensing information that was discovered directly within the package. There will be an instance of this property for each distinct value of alllicenseInfoInFile properties of all files contained in the package.\n\nIf the licenseInfoFromFiles field is not present for a package and filesAnalyzed property for that same package is true or omitted, it implies an equivalent meaning to NOASSERTION.", + "type" : "array", + "items" : { + "description" : "License expression for licenseInfoFromFiles. See SPDX Annex D for the license expression syntax. The licensing information that was discovered directly within the package. There will be an instance of this property for each distinct value of alllicenseInfoInFile properties of all files contained in the package.\n\nIf the licenseInfoFromFiles field is not present for a package and filesAnalyzed property for that same package is true or omitted, it implies an equivalent meaning to NOASSERTION.", + "type" : "string" + } + }, + "name" : { + "description" : "Identify name of this SpdxElement.", + "type" : "string" + }, + "originator" : { + "description" : "The name and, optionally, contact information of the person or organization that originally created the package. 
Values of this property must conform to the agent and tool syntax.", + "type" : "string" + }, + "packageFileName" : { + "description" : "The base name of the package file name. For example, zlib-1.2.5.tar.gz.", + "type" : "string" + }, + "packageVerificationCode" : { + "type" : "object", + "properties" : { + "packageVerificationCodeExcludedFiles" : { + "description" : "A file that was excluded when calculating the package verification code. This is usually a file containing SPDX data regarding the package. If a package contains more than one SPDX file all SPDX files must be excluded from the package verification code. If this is not done it would be impossible to correctly calculate the verification codes in both files.", + "type" : "array", + "items" : { + "description" : "A file that was excluded when calculating the package verification code. This is usually a file containing SPDX data regarding the package. If a package contains more than one SPDX file all SPDX files must be excluded from the package verification code. If this is not done it would be impossible to correctly calculate the verification codes in both files.", + "type" : "string" + } + }, + "packageVerificationCodeValue" : { + "description" : "The actual package verification code as a hex encoded value.", + "type" : "string" + } + }, + "required" : [ "packageVerificationCodeValue" ], + "additionalProperties" : false, + "description" : "A manifest based verification code (the algorithm is defined in section 4.7 of the full specification) of the SPDX Item. This allows consumers of this data and/or database to determine if an SPDX item they have in hand is identical to the SPDX item from which the data was produced. This algorithm works even if the SPDX document is included in the SPDX item." + }, + "primaryPackagePurpose" : { + "description" : "This field provides information about the primary purpose of the identified package. 
Package Purpose is intrinsic to how the package is being used rather than the content of the package.", + "type" : "string", + "enum" : [ "OTHER", "INSTALL", "ARCHIVE", "FIRMWARE", "APPLICATION", "FRAMEWORK", "LIBRARY", "CONTAINER", "SOURCE", "DEVICE", "OPERATING_SYSTEM", "FILE" ] + }, + "releaseDate" : { + "description" : "This field provides a place for recording the date the package was released.", + "type" : "string" + }, + "sourceInfo" : { + "description" : "Allows the producer(s) of the SPDX document to describe how the package was acquired and/or changed from the original source.", + "type" : "string" + }, + "summary" : { + "description" : "Provides a short description of the package.", + "type" : "string" + }, + "supplier" : { + "description" : "The name and, optionally, contact information of the person or organization who was the immediate supplier of this package to the recipient. The supplier may be different than originator when the software has been repackaged. Values of this property must conform to the agent and tool syntax.", + "type" : "string" + }, + "validUntilDate" : { + "description" : "This field provides a place for recording the end of the support period for a package from the supplier.", + "type" : "string" + }, + "versionInfo" : { + "description" : "Provides an indication of the version of the package that is described by this SpdxDocument.", + "type" : "string" + } + }, + "required" : [ "SPDXID", "downloadLocation", "name" ], + "additionalProperties" : false + } + }, + "files" : { + "description" : "Files referenced in the SPDX document", + "type" : "array", + "items" : { + "type" : "object", + "properties" : { + "SPDXID" : { + "type" : "string", + "description" : "Uniquely identify any element in an SPDX document which may be referenced by other elements." 
+ }, + "annotations" : { + "description" : "Provide additional information about an SpdxElement.", + "type" : "array", + "items" : { + "type" : "object", + "properties" : { + "annotationDate" : { + "description" : "Identify when the comment was made. This is to be specified according to the combined date and time in the UTC format, as specified in the ISO 8601 standard.", + "type" : "string" + }, + "annotationType" : { + "description" : "Type of the annotation.", + "type" : "string", + "enum" : [ "OTHER", "REVIEW" ] + }, + "annotator" : { + "description" : "This field identifies the person, organization, or tool that has commented on a file, package, snippet, or the entire document.", + "type" : "string" + }, + "comment" : { + "type" : "string" + } + }, + "required" : [ "annotationDate", "annotationType", "annotator", "comment" ], + "additionalProperties" : false, + "description" : "An Annotation is a comment on an SpdxItem by an agent." + } + }, + "artifactOfs" : { + "description" : "Indicates the project in which the SpdxElement originated. Tools must preserve doap:homepage and doap:name properties and the URI (if one is known) of doap:Project resources that are values of this property. All other properties of doap:Projects are not directly supported by SPDX and may be dropped when translating to or from some SPDX formats.", + "type" : "array", + "items" : { + "type" : "object" + } + }, + "attributionTexts" : { + "description" : "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). 
The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", + "type" : "array", + "items" : { + "description" : "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", + "type" : "string" + } + }, + "checksums" : { + "description" : "The checksum property provides a mechanism that can be used to verify that the contents of a File or Package have not changed.", + "minItems" : 1, + "type" : "array", + "items" : { + "type" : "object", + "properties" : { + "algorithm" : { + "description" : "Identifies the algorithm used to produce the subject Checksum. Currently, SHA-1 is the only supported algorithm. It is anticipated that other algorithms will be supported at a later time.", + "type" : "string", + "enum" : [ "SHA1", "BLAKE3", "SHA3-384", "SHA256", "SHA384", "BLAKE2b-512", "BLAKE2b-256", "SHA3-512", "MD2", "ADLER32", "MD4", "SHA3-256", "BLAKE2b-384", "SHA512", "MD6", "MD5", "SHA224" ] + }, + "checksumValue" : { + "description" : "The checksumValue property provides a lower case hexidecimal encoded digest value produced using a specific algorithm.", + "type" : "string" + } + }, + "required" : [ "algorithm", "checksumValue" ], + "additionalProperties" : false, + "description" : "A Checksum is value that allows the contents of a file to be authenticated. Even small changes to the content of the file will change its checksum. 
This class allows the results of a variety of checksum and cryptographic message digest algorithms to be represented." + } + }, + "comment" : { + "type" : "string" + }, + "copyrightText" : { + "description" : "The text of copyright declarations recited in the package, file or snippet.\n\nIf the copyrightText field is not present, it implies an equivalent meaning to NOASSERTION.", + "type" : "string" + }, + "fileContributors" : { + "description" : "This field provides a place for the SPDX file creator to record file contributors. Contributors could include names of copyright holders and/or authors who may not be copyright holders yet contributed to the file content.", + "type" : "array", + "items" : { + "description" : "This field provides a place for the SPDX file creator to record file contributors. Contributors could include names of copyright holders and/or authors who may not be copyright holders yet contributed to the file content.", + "type" : "string" + } + }, + "fileDependencies" : { + "description" : "This field is deprecated since SPDX 2.0 in favor of using Section 7 which provides more granularity about relationships.", + "deprecated": true, + "type" : "array", + "items" : { + "description" : "SPDX ID for File. 
This field is deprecated since SPDX 2.0 in favor of using Section 7 which provides more granularity about relationships.", + "type" : "string" + } + }, + "fileName" : { + "description" : "The name of the file relative to the root of the package.", + "type" : "string" + }, + "fileTypes" : { + "description" : "The type of the file.", + "type" : "array", + "items" : { + "description" : "The type of the file.", + "type" : "string", + "enum" : [ "OTHER", "DOCUMENTATION", "IMAGE", "VIDEO", "ARCHIVE", "SPDX", "APPLICATION", "SOURCE", "BINARY", "TEXT", "AUDIO" ] + } + }, + "licenseComments" : { + "description" : "The licenseComments property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded was chosen.", + "type" : "string" + }, + "licenseConcluded" : { + "description" : "License expression for licenseConcluded. See SPDX Annex D for the license expression syntax. The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the SPDX Item.\n\nIf the licenseConcluded field is not present for an SPDX Item, it implies an equivalent meaning to NOASSERTION.", + "type" : "string" + }, + "licenseInfoInFiles" : { + "description" : "Licensing information that was discovered directly in the subject file. This is also considered a declared license for the file.\n\nIf the licenseInfoInFile field is not present for a file, it implies an equivalent meaning to NOASSERTION.", + "type" : "array", + "items" : { + "description" : "License expression for licenseInfoInFile. See SPDX Annex D for the license expression syntax. Licensing information that was discovered directly in the subject file. 
This is also considered a declared license for the file.\n\nIf the licenseInfoInFile field is not present for a file, it implies an equivalent meaning to NOASSERTION.", + "type" : "string" + } + }, + "noticeText" : { + "description" : "This field provides a place for the SPDX file creator to record potential legal notices found in the file. This may or may not include copyright statements.", + "type" : "string" + } + }, + "required" : [ "SPDXID", "checksums", "fileName" ], + "additionalProperties" : false + } + }, + "snippets" : { + "description" : "Snippets referenced in the SPDX document", + "type" : "array", + "items" : { + "type" : "object", + "properties" : { + "SPDXID" : { + "type" : "string", + "description" : "Uniquely identify any element in an SPDX document which may be referenced by other elements." + }, + "annotations" : { + "description" : "Provide additional information about an SpdxElement.", + "type" : "array", + "items" : { + "type" : "object", + "properties" : { + "annotationDate" : { + "description" : "Identify when the comment was made. This is to be specified according to the combined date and time in the UTC format, as specified in the ISO 8601 standard.", + "type" : "string" + }, + "annotationType" : { + "description" : "Type of the annotation.", + "type" : "string", + "enum" : [ "OTHER", "REVIEW" ] + }, + "annotator" : { + "description" : "This field identifies the person, organization, or tool that has commented on a file, package, snippet, or the entire document.", + "type" : "string" + }, + "comment" : { + "type" : "string" + } + }, + "required" : [ "annotationDate", "annotationType", "annotator", "comment" ], + "additionalProperties" : false, + "description" : "An Annotation is a comment on an SpdxItem by an agent." + } + }, + "attributionTexts" : { + "description" : "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. 
This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", + "type" : "array", + "items" : { + "description" : "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", + "type" : "string" + } + }, + "comment" : { + "type" : "string" + }, + "copyrightText" : { + "description" : "The text of copyright declarations recited in the package, file or snippet.\n\nIf the copyrightText field is not present, it implies an equivalent meaning to NOASSERTION.", + "type" : "string" + }, + "licenseComments" : { + "description" : "The licenseComments property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded was chosen.", + "type" : "string" + }, + "licenseConcluded" : { + "description" : "License expression for licenseConcluded. See SPDX Annex D for the license expression syntax. The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the SPDX Item.\n\nIf the licenseConcluded field is not present for an SPDX Item, it implies an equivalent meaning to NOASSERTION.", + "type" : "string" + }, + "licenseInfoInSnippets" : { + "description" : "Licensing information that was discovered directly in the subject snippet. 
This is also considered a declared license for the snippet.\n\nIf the licenseInfoInSnippet field is not present for a snippet, it implies an equivalent meaning to NOASSERTION.", + "type" : "array", + "items" : { + "description" : "License expression for licenseInfoInSnippet. See SPDX Annex D for the license expression syntax. Licensing information that was discovered directly in the subject snippet. This is also considered a declared license for the snippet.\n\nIf the licenseInfoInSnippet field is not present for a snippet, it implies an equivalent meaning to NOASSERTION.", + "type" : "string" + } + }, + "name" : { + "description" : "Identify name of this SpdxElement.", + "type" : "string" + }, + "ranges" : { + "description" : "This field defines the byte range in the original host file (in X.2) that the snippet information applies to", + "minItems" : 1, + "type" : "array", + "items" : { + "type" : "object", + "properties" : { + "endPointer" : { + "type" : "object", + "properties" : { + "reference" : { + "description" : "SPDX ID for File", + "type" : "string" + }, + "offset" : { + "type" : "integer", + "description" : "Byte offset in the file" + }, + "lineNumber" : { + "type" : "integer", + "description" : "line number offset in the file" + } + }, + "required" : [ "reference" ], + "additionalProperties" : false + }, + "startPointer" : { + "type" : "object", + "properties" : { + "reference" : { + "description" : "SPDX ID for File", + "type" : "string" + }, + "offset" : { + "type" : "integer", + "description" : "Byte offset in the file" + }, + "lineNumber" : { + "type" : "integer", + "description" : "line number offset in the file" + } + }, + "required" : [ "reference" ], + "additionalProperties" : false + } + }, + "required" : [ "endPointer", "startPointer" ], + "additionalProperties" : false + } + }, + "snippetFromFile" : { + "description" : "SPDX ID for File. File containing the SPDX element (e.g. 
the file contaning a snippet).", + "type" : "string" + } + }, + "required" : [ "SPDXID", "name", "ranges", "snippetFromFile" ], + "additionalProperties" : false + } + }, + "relationships" : { + "description" : "Relationships referenced in the SPDX document", + "type" : "array", + "items" : { + "type" : "object", + "properties" : { + "spdxElementId" : { + "type" : "string", + "description" : "Id to which the SPDX element is related" + }, + "comment" : { + "type" : "string" + }, + "relatedSpdxElement" : { + "description" : "SPDX ID for SpdxElement. A related SpdxElement.", + "type" : "string" + }, + "relationshipType" : { + "description" : "Describes the type of relationship between two SPDX elements.", + "type" : "string", + "enum" : [ "VARIANT_OF", "COPY_OF", "PATCH_FOR", "TEST_DEPENDENCY_OF", "CONTAINED_BY", "DATA_FILE_OF", "OPTIONAL_COMPONENT_OF", "ANCESTOR_OF", "GENERATES", "CONTAINS", "OPTIONAL_DEPENDENCY_OF", "FILE_ADDED", "REQUIREMENT_DESCRIPTION_FOR", "DEV_DEPENDENCY_OF", "DEPENDENCY_OF", "BUILD_DEPENDENCY_OF", "DESCRIBES", "PREREQUISITE_FOR", "HAS_PREREQUISITE", "PROVIDED_DEPENDENCY_OF", "DYNAMIC_LINK", "DESCRIBED_BY", "METAFILE_OF", "DEPENDENCY_MANIFEST_OF", "PATCH_APPLIED", "RUNTIME_DEPENDENCY_OF", "TEST_OF", "TEST_TOOL_OF", "DEPENDS_ON", "SPECIFICATION_FOR", "FILE_MODIFIED", "DISTRIBUTION_ARTIFACT", "AMENDS", "DOCUMENTATION_OF", "GENERATED_FROM", "STATIC_LINK", "OTHER", "BUILD_TOOL_OF", "TEST_CASE_OF", "PACKAGE_OF", "DESCENDANT_OF", "FILE_DELETED", "EXPANDED_FROM_ARCHIVE", "DEV_TOOL_OF", "EXAMPLE_OF" ] + } + }, + "required" : [ "spdxElementId", "relatedSpdxElement", "relationshipType" ], + "additionalProperties" : false + } + } + }, + "required" : [ "SPDXID", "creationInfo", "dataLicense", "name", "spdxVersion", "documentNamespace" ], + "additionalProperties" : false +} diff --git a/Library/Homebrew/data/schemas/sbom.spdx.schema.3.json b/Library/Homebrew/data/schemas/sbom.spdx.schema.3.json deleted file mode 100644 index a5d62849747bc..0000000000000 
--- a/Library/Homebrew/data/schemas/sbom.spdx.schema.3.json +++ /dev/null 
@@ -1,7816 +0,0 @@ -{ - "@context": { - "ai": "https://spdx.org/rdf/v3/AI/", - "build": "https://spdx.org/rdf/v3/Build/", - "core": "https://spdx.org/rdf/v3/Core/", - "dataset": "https://spdx.org/rdf/v3/Dataset/", - "expandedlicensing": "https://spdx.org/rdf/v3/ExpandedLicensing/", - "licensing": "https://spdx.org/rdf/v3/Licensing/", - "lite": "https://spdx.org/rdf/v3/Lite/", - "ns0": "http://www.w3.org/2003/06/sw-vocab-status/ns#", - "owl": "http://www.w3.org/2002/07/owl#", - "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#", - "rdfs": "http://www.w3.org/2000/01/rdf-schema#", - "security": "https://spdx.org/rdf/v3/Security/", - "sh": "http://www.w3.org/ns/shacl#", - "simplelicensing": "https://spdx.org/rdf/v3/SimpleLicensing/", - "software": "https://spdx.org/rdf/v3/Software/", - "xsd": "http://www.w3.org/2001/XMLSchema#" - }, - "@graph": [ - { - "@id": "security:probability", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "The probability score between 0 and 1 (0 and 100%) estimating the likelihood of exploitation in the wild in the next 30 days (following score publication). 
[https://www.first.org/epss/data_stats](https://www.first.org/epss/data_stats)", - "rdfs:domain": { - "@id": "security:EpssVulnAssessmentRelationship" - }, - "rdfs:range": { - "@id": "xsd:decimal" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasInputs", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/AnnotationType/review", - "@type": [ - "owl:NamedIndividual", - "core:AnnotationType" - ] - }, - { - "@id": "core:externalRef", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "This field points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", - "rdfs:domain": { - "@id": "core:Element" - }, - "rdfs:range": { - "@id": "core:ExternalRef" - } - }, - { - "@id": "core:element", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "This field refers to one or more Elements that are part of an ElementCollection.", - "rdfs:domain": { - "@id": "core:ElementCollection" - }, - "rdfs:range": { - "@id": "core:Element" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/altWebPage", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "core:PresenceType", - "@type": "owl:Class", - "ns0:term_status": "Stable", - "owl:oneOf": { - "@list": [ - { - "@id": "https://spdx.org/rdf/v3/Core/PresenceType/noAssertion" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/PresenceType/yes" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/PresenceType/no" - } - ] - }, - "rdfs:comment": "This type is used to indicate if a given field is present or absent or unknown." 
- }, - { - "@id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType/simpleLicensing", - "@type": [ - "owl:NamedIndividual", - "core:ProfileIdentifierType" - ] - }, - { - "@id": "core:IntegrityMethod", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "An IntegrityMethod provides an independently reproducible mechanism that permits verification\nof a specific Element that correlates to the data in this SPDX document. This identifier enables\na recipient to determine if anything in the original Element has been changed and eliminates\nconfusion over which version or modification of a specific Element is referenced.", - "sh:property": { - "@id": "_:N423682b8705645b4aea03e4c2978bde1" - } - }, - { - "@id": "_:N423682b8705645b4aea03e4c2978bde1", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "comment", - "sh:path": { - "@id": "core:comment" - } - }, - { - "@id": "security:actionStatement", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "When an element is referenced with a VexAffectedVulnAssessmentRelationship,\nthe relationship MUST include one actionStatement that SHOULD describe actions\nto remediate or mitigate the vulnerability.", - "rdfs:domain": { - "@id": "security:VexAffectedVulnAssessmentRelationship" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "dataset:DatasetAvailabilityType", - "@type": "owl:Class", - "ns0:term_status": "Stable", - "owl:oneOf": { - "@list": [ - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetAvailabilityType/registration" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetAvailabilityType/query" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetAvailabilityType/directDownload" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetAvailabilityType/scrapingScript" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetAvailabilityType/clickthrough" - } - ] - }, - "rdfs:comment": 
"Describes the possible types of availability of a dataset, indicating whether the dataset can be directly downloaded, can be assembled using a script for scraping the data, is only available after a clickthrough or a registration form." - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/md5", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/deviceDriver", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/AI/SafetyRiskAssessmentType/high", - "@type": [ - "owl:NamedIndividual", - "ai:SafetyRiskAssessmentType" - ] - }, - { - "@id": "core:Hash", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A hash is a grouping of characteristics unique to the result\nof applying a mathematical algorithm\nthat maps data of arbitrary size to a bit string (the hash)\nand is a one-way function, that is,\na function which is practically infeasible to invert.\nThis is commonly used for integrity checking of data.", - "rdfs:subClassOf": { - "@id": "core:IntegrityMethod" - }, - "sh:property": [ - { - "@id": "_:N268da2ddb2fe406582dbfc81c855b4f1" - }, - { - "@id": "_:Ne1b7af4702804bf2ae9b314ab420c0f7" - } - ] - }, - { - "@id": "_:N268da2ddb2fe406582dbfc81c855b4f1", - "sh:class": { - "@id": "core:HashAlgorithm" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "algorithm", - "sh:path": { - "@id": "core:algorithm" - } - }, - { - "@id": "_:Ne1b7af4702804bf2ae9b314ab420c0f7", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "hashValue", - "sh:path": { - "@id": "core:hashValue" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/securityOther", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "dataset:dataCollectionProcess", - "@type": "owl:DatatypeProperty", - "ns0:term_status": 
"Stable", - "rdfs:comment": "DataCollectionProcess describes how a dataset was collected.\nExamples include the sources from which a dataset was scrapped or\nthe interview protocol that was used for data collection.", - "rdfs:domain": { - "@id": "dataset:Dataset" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "core:end", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "end is a positive integer that defines the end of a range.", - "rdfs:domain": { - "@id": "core:PositiveIntegerRange" - }, - "rdfs:range": { - "@id": "xsd:positiveInteger" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Security/CvssSeverityType/high", - "@type": [ - "owl:NamedIndividual", - "security:CvssSeverityType" - ] - }, - { - "@id": "ai:sensitivePersonalInformation", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "SensitivePersonalInformation notes if sensitive personal information\nis used in the training or inference of the AI models.\nThis might include biometric data, addresses or other data that can be used to infer a person's identity.", - "rdfs:domain": { - "@id": "ai:AIPackage" - }, - "rdfs:range": { - "@id": "core:PresenceType" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/requirement", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType/dataset", - "@type": [ - "owl:NamedIndividual", - "core:ProfileIdentifierType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/falcon", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/source", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/timeseries", - "@type": [ - "owl:NamedIndividual", - "dataset:DatasetType" - ] - }, - { - "@id": 
"https://spdx.org/rdf/v3/Software/SoftwarePurpose/module", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "software:attributionText", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "An attributionText for a software Package, File or Snippet provides a consumer\nof SPDX data with acknowledgement content, to assist redistributors of the\nPackage, File or Snippet with reproducing those acknowledgements.\n\nFor example, this field may include a statement that is required by a\nparticular license to be reproduced in end-user documentation, advertising\nmaterials, or another form.\n\nThis field may describe where, or in which contexts, the acknowledgements\nneed to be reproduced, but it is not required to do so. The SPDX data creator\nmay also explain elsewhere (such as in a licenseComment field) how they intend\nfor data in this field to be used.\n\nAn attributionText is is not meant to include the software Package, File or\nSnippet’s actual complete license text (see concludedLicense to identify the\ncorresponding license).", - "rdfs:domain": { - "@id": "software:SoftwareArtifact" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "core:CreationInfo", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "The CreationInfo provides information about who created the Element, and when and how it was created. 
\n\nThe dateTime created is often the date of last change (e.g., a git commit date), not the date when the SPDX data was created, as doing so supports reproducible builds.", - "sh:property": [ - { - "@id": "_:Nbdc2549cc7774fa0b21417158cf66332" - }, - { - "@id": "_:Nd8e288acb2e24ed09cc4e254e0c8685e" - }, - { - "@id": "_:N483d982a21864d188f9aba75c1e31590" - }, - { - "@id": "_:Ndfdd555804ff487187ebf11dbcf61db3" - }, - { - "@id": "_:Naa6ff24a03b242848149bb6d83d7b6be" - } - ] - }, - { - "@id": "_:Nbdc2549cc7774fa0b21417158cf66332", - "sh:datatype": { - "@id": "core:SemVer" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "specVersion", - "sh:path": { - "@id": "core:specVersion" - } - }, - { - "@id": "_:Nd8e288acb2e24ed09cc4e254e0c8685e", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "comment", - "sh:path": { - "@id": "core:comment" - } - }, - { - "@id": "_:N483d982a21864d188f9aba75c1e31590", - "sh:datatype": { - "@id": "core:DateTime" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "created", - "sh:path": { - "@id": "core:created" - } - }, - { - "@id": "_:Ndfdd555804ff487187ebf11dbcf61db3", - "sh:class": { - "@id": "core:Agent" - }, - "sh:minCount": 1, - "sh:name": "createdBy", - "sh:path": { - "@id": "core:createdBy" - } - }, - { - "@id": "_:Naa6ff24a03b242848149bb6d83d7b6be", - "sh:class": { - "@id": "core:Tool" - }, - "sh:name": "createdUsing", - "sh:path": { - "@id": "core:createdUsing" - } - }, - { - "@id": "security:statusNotes", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "TODO", - "rdfs:domain": { - "@id": "security:VexVulnAssessmentRelationship" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SbomType/build", - "@type": [ - "owl:NamedIndividual", - "software:SbomType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/vcs", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - 
"@id": "https://spdx.org/rdf/v3/Core/RelationshipType/affects", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SbomType/source", - "@type": [ - "owl:NamedIndividual", - "software:SbomType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/blake2b384", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "security:EpssVulnAssessmentRelationship", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "An EpssVulnAssessmentRelationship relationship describes the likelihood or probability that a vulnerability will be exploited in the wild using the Exploit Prediction Scoring System (EPSS) as defined at [https://www.first.org/epss/model](https://www.first.org/epss/model).\n\n**Constraints**\n\n- The relationship type must be set to hasAssessmentFor.\n- The probability must be between 0 and 1.\n- The percentile must be between 0 and 1.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"EpssVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:epss-CVE-2020-28498\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"probability\": 0.00105,\n \"percentile\": 0.42356,\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2023-10-05T00:00:30Z\"\n}\n```", - "rdfs:subClassOf": { - "@id": "security:VulnAssessmentRelationship" - }, - "sh:property": [ - { - "@id": "_:N6403faa0e56e4528b5382afde794c676" - }, - { - "@id": "_:N1f8523eccc174362be6996902910e92c" - }, - { - "@id": "_:N01bdd46b9f944dba806f38b2a3200cde" - } - ] - }, - { - "@id": "_:N6403faa0e56e4528b5382afde794c676", - "sh:datatype": { - "@id": "xsd:decimal" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "probability", - "sh:path": { - "@id": "security:probability" - } - }, - { - "@id": "_:N1f8523eccc174362be6996902910e92c", - 
"sh:datatype": { - "@id": "xsd:decimal" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "percentile", - "sh:path": { - "@id": "security:percentile" - } - }, - { - "@id": "_:N01bdd46b9f944dba806f38b2a3200cde", - "sh:datatype": { - "@id": "core:DateTime" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "publishedTime", - "sh:path": { - "@id": "security:publishedTime" - } - }, - { - "@id": "ai:autonomyType", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "AutonomyType indicates if a human is involved in any of the decisions of the AI software\nor if that software is fully automatic.", - "rdfs:domain": { - "@id": "ai:AIPackage" - }, - "rdfs:range": { - "@id": "core:PresenceType" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/ConfidentialityLevelType/amber", - "@type": [ - "owl:NamedIndividual", - "dataset:ConfidentialityLevelType" - ] - }, - { - "@id": "security:VexJustificationType", - "@type": "owl:Class", - "ns0:term_status": "Stable", - "owl:oneOf": { - "@list": [ - { - "@id": "https://spdx.org/rdf/v3/Security/VexJustificationType/componentNotPresent" - }, - { - "@id": "https://spdx.org/rdf/v3/Security/VexJustificationType/inlineMitigationsAlreadyExist" - }, - { - "@id": "https://spdx.org/rdf/v3/Security/VexJustificationType/vulnerableCodeNotPresent" - }, - { - "@id": "https://spdx.org/rdf/v3/Security/VexJustificationType/vulnerableCodeNotInExecutePath" - }, - { - "@id": "https://spdx.org/rdf/v3/Security/VexJustificationType/vulnerableCodeCannotBeControlledByAdversary" - } - ] - }, - "rdfs:comment": "VexJustificationType specifies the type of Vulnerability Exploitability eXchange (VEX) justification." 
- }, - { - "@id": "core:ExternalIdentifier", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "An ExternalIdentifier is a reference to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", - "sh:property": [ - { - "@id": "_:N0e1f08eb2fcb4aa3a9807a448262f5ab" - }, - { - "@id": "_:Nfa281351d9664b24b17413cf1c10cffc" - }, - { - "@id": "_:N5b82cbbfb8d34c5493ef1f4637b9ba09" - }, - { - "@id": "_:N46097d6288694117b1b269a84c946eaf" - }, - { - "@id": "_:N80a26c73f3a540cb916f5ff09b06b334" - } - ] - }, - { - "@id": "_:N0e1f08eb2fcb4aa3a9807a448262f5ab", - "sh:class": { - "@id": "core:ExternalIdentifierType" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "externalIdentifierType", - "sh:path": { - "@id": "core:externalIdentifierType" - } - }, - { - "@id": "_:Nfa281351d9664b24b17413cf1c10cffc", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "identifier", - "sh:path": { - "@id": "core:identifier" - } - }, - { - "@id": "_:N5b82cbbfb8d34c5493ef1f4637b9ba09", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "comment", - "sh:path": { - "@id": "core:comment" - } - }, - { - "@id": "_:N46097d6288694117b1b269a84c946eaf", - "sh:datatype": { - "@id": "xsd:anyURI" - }, - "sh:name": "identifierLocator", - "sh:path": { - "@id": "core:identifierLocator" - } - }, - { - "@id": "_:N80a26c73f3a540cb916f5ff09b06b334", - "sh:datatype": { - "@id": "xsd:anyURI" - }, - "sh:maxCount": 1, - "sh:name": "issuingAuthority", - "sh:path": { - "@id": "core:issuingAuthority" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/dynamicAnalysisReport", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "core:Element", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "An Element is a representation of a fundamental concept either directly 
inherent\nto the Bill of Materials (BOM) domain or indirectly related to the BOM domain\nand necessary for contextually characterizing BOM concepts and relationships.\nWithin SPDX-3.0 structure this is the base class acting as a consistent,\nunifying, and interoperable foundation for all explicit\nand inter-relatable content objects.", - "rdfs:subClassOf": { - "@id": "owl:Thing" - }, - "sh:property": [ - { - "@id": "_:N260c4e46886f444ab3a7049bc803b554" - }, - { - "@id": "_:N44a24d1d29b74020a6388b9ebdfce261" - }, - { - "@id": "_:N69afa43f949c4339a6bd25b78269a68a" - }, - { - "@id": "_:N929e6a8d354b40dd88168042a700da4c" - }, - { - "@id": "_:N2e692ad92ed54242a8aa3ecb57879233" - }, - { - "@id": "_:N06cda5602b0243e5bcd91116676fc7f2" - }, - { - "@id": "_:N07ebcba249b04d56a2eb463c94313350" - }, - { - "@id": "_:Nfd3439e44f57437c9eeb103bcd0910c3" - }, - { - "@id": "_:N833120c064fb411295caf14f92ea4575" - } - ] - }, - { - "@id": "_:N260c4e46886f444ab3a7049bc803b554", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "name", - "sh:path": { - "@id": "core:name" - } - }, - { - "@id": "_:N44a24d1d29b74020a6388b9ebdfce261", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "summary", - "sh:path": { - "@id": "core:summary" - } - }, - { - "@id": "_:N69afa43f949c4339a6bd25b78269a68a", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "description", - "sh:path": { - "@id": "core:description" - } - }, - { - "@id": "_:N929e6a8d354b40dd88168042a700da4c", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "comment", - "sh:path": { - "@id": "core:comment" - } - }, - { - "@id": "_:N2e692ad92ed54242a8aa3ecb57879233", - "sh:class": { - "@id": "core:CreationInfo" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "creationInfo", - "sh:path": { - "@id": "core:creationInfo" - } - }, - { - "@id": "_:N06cda5602b0243e5bcd91116676fc7f2", - "sh:class": { - "@id": 
"core:IntegrityMethod" - }, - "sh:name": "verifiedUsing", - "sh:path": { - "@id": "core:verifiedUsing" - } - }, - { - "@id": "_:N07ebcba249b04d56a2eb463c94313350", - "sh:class": { - "@id": "core:ExternalRef" - }, - "sh:name": "externalRef", - "sh:path": { - "@id": "core:externalRef" - } - }, - { - "@id": "_:Nfd3439e44f57437c9eeb103bcd0910c3", - "sh:class": { - "@id": "core:ExternalIdentifier" - }, - "sh:name": "externalIdentifier", - "sh:path": { - "@id": "core:externalIdentifier" - } - }, - { - "@id": "_:N833120c064fb411295caf14f92ea4575", - "sh:datatype": { - "@id": "core:Extension" - }, - "sh:name": "extension", - "sh:path": { - "@id": "core:extension" - } - }, - { - "@id": "expandedlicensing:ListedLicense", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A ListedLicense represents a License that is listed on the SPDX License List\nat https://spdx.org/licenses.", - "rdfs:subClassOf": { - "@id": "expandedlicensing:License" - }, - "sh:property": [ - { - "@id": "_:N47a5531c095640ea8dd73fa605a9d0f8" - }, - { - "@id": "_:N68b318e202ae4293935f17c7fdc119aa" - } - ] - }, - { - "@id": "_:N47a5531c095640ea8dd73fa605a9d0f8", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "listVersionAdded", - "sh:path": { - "@id": "expandedlicensing:listVersionAdded" - } - }, - { - "@id": "_:N68b318e202ae4293935f17c7fdc119aa", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "deprecatedVersion", - "sh:path": { - "@id": "expandedlicensing:deprecatedVersion" - } - }, - { - "@id": "software:contentType", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "This field is a reasonable estimation of the content type of the Element, from a creator perspective.\nContent type is intrinsic to the Element, independent of how the Element is being used.", - "rdfs:domain": { - "@id": "software:File" - }, - "rdfs:range": { - "@id": "core:MediaType" - } - }, - { 
- "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/exportControlAssessment", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasDocumentation", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "core:suppliedBy", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Identify the actual distribution source for the artifact (e.g., snippet, file, package, vulnerability) or VulnAssessmentRelationship being referenced.\nThis might or might not be different from the originating distribution source for the artifact (e.g., snippet, file, package, vulnerability) or VulnAssessmentRelationship..", - "rdfs:domain": { - "@id": "core:Artifact" - }, - "rdfs:range": { - "@id": "core:Agent" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasDeletedFile", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sha1", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/LifecycleScopeType/development", - "@type": [ - "owl:NamedIndividual", - "core:LifecycleScopeType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasTest", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "core:DictionaryEntry", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "The class used for implementing a generic string mapping (also known as associative array, dictionary, or hash map) in SPDX. Each DictionaryEntry contains a key-value pair which maps the key to its associated value. 
To implement a dictionary, this class is to be used in a collection with unique keys.", - "sh:property": [ - { - "@id": "_:N70448216f24d4548b8c4507c1d739f0c" - }, - { - "@id": "_:Nd737b5d8af4246dfaf22b1350436f287" - } - ] - }, - { - "@id": "_:N70448216f24d4548b8c4507c1d739f0c", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "key", - "sh:path": { - "@id": "core:key" - } - }, - { - "@id": "_:Nd737b5d8af4246dfaf22b1350436f287", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "value", - "sh:path": { - "@id": "core:value" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/privacyAssessment", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/swid", - "@type": [ - "owl:NamedIndividual", - "core:ExternalIdentifierType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/other", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "core:standard", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Various standards may be relevant to useful to capture for specific artifacts.", - "rdfs:domain": { - "@id": "core:Artifact" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasOptionalDependency", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/delegatedTo", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "core:summary", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A summary is a short description of an Element. 
Here, the intent is to allow the Element creator to \nprovide concise information about the function or use of the Element.", - "rdfs:domain": { - "@id": "core:Element" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SbomType/runtime", - "@type": [ - "owl:NamedIndividual", - "software:SbomType" - ] - }, - { - "@id": "expandedlicensing:OrLaterOperator", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "An OrLaterOperator indicates that this portion of the AnyLicenseInfo\nrepresents either (1) the specified version of the corresponding License, or\n(2) any later version of that License. It is represented in the SPDX License\nExpression Syntax by the `+` operator.\n\nIt is context-dependent, and unspecified by SPDX, as to what constitutes a\n\"later version\" of any particular License. Some Licenses may not be versioned,\nor may not have clearly-defined ordering for versions. The consumer of SPDX\ndata will need to determine for themselves what meaning to attribute to a\n\"later version\" operator for a particular License.", - "rdfs:subClassOf": { - "@id": "expandedlicensing:ExtendableLicense" - }, - "sh:property": { - "@id": "_:N72873450ba2a4b608f28315e00c48df3" - } - }, - { - "@id": "_:N72873450ba2a4b608f28315e00c48df3", - "sh:class": { - "@id": "expandedlicensing:License" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "subjectLicense", - "sh:path": { - "@id": "expandedlicensing:subjectLicense" - } - }, - { - "@id": "core:RelationshipType", - "@type": "owl:Class", - "ns0:term_status": "Stable", - "owl:oneOf": { - "@list": [ - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasDependencyManifest" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/copiedTo" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/configures" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasDynamicLink" - }, - { - "@id": 
"https://spdx.org/rdf/v3/Core/RelationshipType/reportedBy" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasInputs" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/expandsTo" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/modifiedBy" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/republishedBy" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/trainedOn" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/generates" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/foundBy" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasDocumentation" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasMetadata" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/packagedBy" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasProvidedDependency" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/descendantOf" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasDeletedFile" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasOptionalComponent" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasOutputs" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/availableFrom" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/invokedBy" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasAssociatedVulnerability" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasDistributionArtifact" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasEvidence" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasTest" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/publishedBy" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasVariant" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/testedOn" - }, - { - "@id": 
"https://spdx.org/rdf/v3/Core/RelationshipType/dependsOn" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/contains" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasDataFile" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/usesTool" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/underInvestigationFor" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasTestCase" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/fixedBy" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/coordinatedBy" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasOptionalDependency" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/delegatedTo" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasConcludedLicense" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasDeclaredLicense" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/doesNotAffect" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/amendedBy" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/exploitCreatedBy" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasExample" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasSpecification" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasStaticLink" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/patchedBy" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasAssessmentFor" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/serializedInArtifact" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/ancestorOf" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasPrerequsite" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasRequirement" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasAddedFile" - }, - { - 
"@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasHost" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/affects" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/describes" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/other" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/fixedIn" - } - ] - }, - "rdfs:comment": "Provides information about the relationship between two Elements.\nFor example, you can represent a relationship between two different Files,\nbetween a Package and a File, between two Packages, or between one SPDXDocument and another SPDXDocument.\n\nRelationship names be descriptive enough to easily deduce the correct direction\nfrom their name. The best way to do this is to make sure that the relationship\nname completes the sentence:\n\n`from` (is) (a) `RELATIONSHIP` `to`" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/container", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "expandedlicensing:CustomLicenseAddition", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A CustomLicenseAddition represents an addition to a License that is not listed\non the SPDX Exceptions List at https://spdx.org/licenses/exceptions-index.html,\nand is therefore defined by an SPDX data creator.\n\nIt is intended to represent additional language which is meant to be added to\na License, but which is not itself a standalone License.", - "rdfs:subClassOf": { - "@id": "expandedlicensing:LicenseAddition" - } - }, - { - "@id": "core:namespaceMap", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "This field provides a NamespaceMap of prefixes and associated namespace partial URIs applicable to an SpdxDocument and independent of any specific serialization format or instance.", - "rdfs:domain": { - "@id": "core:SpdxDocument" - }, - "rdfs:range": { - "@id": 
"core:NamespaceMap" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/securityPolicy", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "software:snippetFromFile", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "The field identifies the file which contains the snippet.", - "rdfs:domain": { - "@id": "software:Snippet" - }, - "rdfs:range": { - "@id": "software:File" - } - }, - { - "@id": "ai:modelExplainability", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "ModelExplainability is a free form text that lists the different explainability mechanisms\n(such as SHAP, or other model specific explainability mechanisms) that can be used to explain the model.", - "rdfs:domain": { - "@id": "ai:AIPackage" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "core:completeness", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Completeness gives information about whether the provided relationships are\ncomplete, known to be incomplete or if no assertion is made either way.", - "rdfs:domain": { - "@id": "core:Relationship" - }, - "rdfs:range": { - "@id": "core:RelationshipCompleteness" - } - }, - { - "@id": "build:Build", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A build is a representation of the process in which a piece of software or artifact is built. It encapsulates information related to a build process and\nprovides an element from which relationships can be created to describe the build's inputs, outputs, and related entities (e.g. builders, identities, etc.).\n\nDefinitions of \"buildType\", \"configSourceEntrypoint\", \"configSourceUri\", \"parameters\" and \"environment\" follow those defined in [SLSA provenance](https://slsa.dev/provenance/v0.2).\n\nExternalIdentifier of type \"urlScheme\" may be used to identify build logs. 
In this case, the comment of the ExternalIdentifier should be \"LogReference\".\n\nNote that buildStartTime and buildEndTime are optional, and may be omitted to simplify creating reproducible builds.", - "rdfs:subClassOf": { - "@id": "core:Element" - }, - "sh:property": [ - { - "@id": "_:Nb9ab42aadb8447299e110fe2b01c453e" - }, - { - "@id": "_:N61a9926695844ba6b7d6a633a3c99161" - }, - { - "@id": "_:N8ff6b3081bc84bc8bfcf04338ae91a00" - }, - { - "@id": "_:Ndc43b44b5cef43659f3a51ca81d5820a" - }, - { - "@id": "_:N09bc75f42e9c4836972149c9122da1ba" - }, - { - "@id": "_:Ne7b981df9e194fb2a95c1e94ccdd3b01" - }, - { - "@id": "_:N15a9c404de3341119c75715235f05245" - }, - { - "@id": "_:N1c06beb40074408983c0dca96d3711d2" - }, - { - "@id": "_:N2fa64578d7cd476786365529af33742c" - } - ] - }, - { - "@id": "_:Nb9ab42aadb8447299e110fe2b01c453e", - "sh:datatype": { - "@id": "xsd:anyURI" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "buildType", - "sh:path": { - "@id": "build:buildType" - } - }, - { - "@id": "_:N61a9926695844ba6b7d6a633a3c99161", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "buildId", - "sh:path": { - "@id": "build:buildId" - } - }, - { - "@id": "_:N8ff6b3081bc84bc8bfcf04338ae91a00", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:name": "configSourceEntrypoint", - "sh:path": { - "@id": "build:configSourceEntrypoint" - } - }, - { - "@id": "_:Ndc43b44b5cef43659f3a51ca81d5820a", - "sh:datatype": { - "@id": "xsd:anyURI" - }, - "sh:name": "configSourceUri", - "sh:path": { - "@id": "build:configSourceUri" - } - }, - { - "@id": "_:N09bc75f42e9c4836972149c9122da1ba", - "sh:class": { - "@id": "core:Hash" - }, - "sh:name": "configSourceDigest", - "sh:path": { - "@id": "build:configSourceDigest" - } - }, - { - "@id": "_:Ne7b981df9e194fb2a95c1e94ccdd3b01", - "sh:class": { - "@id": "core:DictionaryEntry" - }, - "sh:name": "parameters", - "sh:path": { - "@id": "build:parameters" - } - }, - { - "@id": 
"_:N15a9c404de3341119c75715235f05245", - "sh:datatype": { - "@id": "core:DateTime" - }, - "sh:maxCount": 1, - "sh:name": "buildStartTime", - "sh:path": { - "@id": "build:buildStartTime" - } - }, - { - "@id": "_:N1c06beb40074408983c0dca96d3711d2", - "sh:datatype": { - "@id": "core:DateTime" - }, - "sh:maxCount": 1, - "sh:name": "buildEndTime", - "sh:path": { - "@id": "build:buildEndTime" - } - }, - { - "@id": "_:N2fa64578d7cd476786365529af33742c", - "sh:class": { - "@id": "core:DictionaryEntry" - }, - "sh:name": "environment", - "sh:path": { - "@id": "build:environment" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/platform", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/md6", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "ai:modelDataPreprocessing", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "ModelDataPreprocessing is a free form text that describes the preprocessing steps\napplied to the training data before training of the model(s) contained in the AI software.", - "rdfs:domain": { - "@id": "ai:AIPackage" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetAvailabilityType/clickthrough", - "@type": [ - "owl:NamedIndividual", - "dataset:DatasetAvailabilityType" - ] - }, - { - "@id": "expandedlicensing:subjectAddition", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A subjectAddition is a LicenseAddition which is subject to a 'with additional\ntext' effect (WithAdditionOperator).", - "rdfs:domain": { - "@id": "expandedlicensing:WithAdditionOperator" - }, - "rdfs:range": { - "@id": "expandedlicensing:LicenseAddition" - } - }, - { - "@id": "https://spdx.org/rdf/v3/AI/SafetyRiskAssessmentType/low", - "@type": [ - "owl:NamedIndividual", - "ai:SafetyRiskAssessmentType" - ] - }, - { - "@id": 
"core:dataLicense", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "The data license provides the license under which the SPDX documentation of the Element can be used.\nThis is to alleviate any concern that content (the data or database) in an SPDX file\nis subject to any form of intellectual property right that could restrict the re-use\nof the information or the creation of another SPDX file for the same project(s).\nThis approach avoids intellectual property and related restrictions over the SPDX file,\nhowever individuals can still contract with each other to restrict release\nof specific collections of SPDX files (which map to software bill of materials)\nand the identification of the supplier of SPDX files.\nCompliance with this document includes populating the SPDX fields therein\nwith data related to such fields (\"SPDX-Metadata\"). \nThis document contains numerous fields where an SPDX file creator may provide\nrelevant explanatory text in SPDX-Metadata. Without opining on the lawfulness\nof \"database rights\" (in jurisdictions where applicable),\nsuch explanatory text is copyrightable subject matter in most Berne Convention countries.\nBy using the SPDX specification, or any portion hereof,\nyou hereby agree that any copyright rights (as determined by your jurisdiction)\nin any SPDX-Metadata, including without limitation explanatory text,\nshall be subject to the terms of the Creative Commons CC0 1.0 Universal license. 
\nFor SPDX-Metadata not containing any copyright rights, \nyou hereby agree and acknowledge that the SPDX-Metadata is provided to you \"as-is\"\nand without any representations or warranties of any kind concerning the SPDX-Metadata,\nexpress, implied, statutory or otherwise, including without limitation warranties\nof title, merchantability, fitness for a particular purpose, non-infringement,\nor the absence of latent or other defects, accuracy, or the presence or absence of errors,\nwhether or not discoverable, all to the greatest extent permissible under applicable law.", - "rdfs:domain": { - "@id": "core:SpdxDocument" - }, - "rdfs:range": { - "@id": "simplelicensing:AnyLicenseInfo" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/buildSystem", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/gitoid", - "@type": [ - "owl:NamedIndividual", - "core:ExternalIdentifierType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/image", - "@type": [ - "owl:NamedIndividual", - "dataset:DatasetType" - ] - }, - { - "@id": "ai:typeOfModel", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "TypeOfModel records the type of the AI model(s) used in the software. 
\nFor instance, if it is a supervised model, unsupervised model, reinforcement learning model or a combination of those.", - "rdfs:domain": { - "@id": "ai:AIPackage" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/invokedBy", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/crystalsKyber", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "dataset:datasetUpdateMechanism", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "DatasetUpdateMechanism describes a mechanism to update the dataset.", - "rdfs:domain": { - "@id": "dataset:Dataset" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "build:buildStartTime", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "buildStartTime is the time at which a build is triggered. The builder typically records this value.", - "rdfs:domain": { - "@id": "build:Build" - }, - "rdfs:range": { - "@id": "core:DateTime" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Security/SsvcDecisionType/trackStar", - "@type": [ - "owl:NamedIndividual", - "security:SsvcDecisionType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasVariant", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/publishedBy", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "dataset:confidentialityLevel", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "ConfidentialityLevel describes the levels of confidentiality of the data points contained in the dataset.", - "rdfs:domain": { - "@id": "dataset:Dataset" - }, - "rdfs:range": { - "@id": "dataset:ConfidentialityLevelType" - } - }, - { - "@id": "core:endTime", - "@type": 
"owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A endTime specifies the time from which element is no applicable / valid.", - "rdfs:domain": { - "@id": "core:Relationship" - }, - "rdfs:range": { - "@id": "core:DateTime" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/ConfidentialityLevelType/clear", - "@type": [ - "owl:NamedIndividual", - "dataset:ConfidentialityLevelType" - ] - }, - { - "@id": "core:prefix", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A prefix is a substitute for a URI.", - "rdfs:domain": { - "@id": "core:NamespaceMap" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/staticAnalysisReport", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sha256", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/AI/SafetyRiskAssessmentType/serious", - "@type": [ - "owl:NamedIndividual", - "ai:SafetyRiskAssessmentType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasDeclaredLicense", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "expandedlicensing:seeAlso", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A seeAlso defines a cross-reference with a URL where the License or\nLicenseAddition can be found in use by one or a few projects.\n\nIf applicable, it should include a URL where the license text is posted by\nthe license steward, particularly if the license steward has made available a\n\"canonical\" primary URL for the license text.\n\nIf the license is OSI approved, a seeAlso should be included with the URL for\nthe license's listing on the OSI website.\n\nThe seeAlso URL may refer to a previously-available URL for the License or\nLicenseAddition which is no longer active.\n\nWhere 
applicable, the seeAlso URL should include the license text in its\nnative language. seeAlso URLs to English or other translations may be included\nwhere multiple, equivalent official translations exist.", - "rdfs:range": { - "@id": "xsd:anyURI" - }, - "sh:or": { - "@list": [ - { - "@id": "_:N5046f5a4498045b89b80a828c2e1a35d" - } - ] - } - }, - { - "@id": "_:N5046f5a4498045b89b80a828c2e1a35d", - "rdfs:domain": [ - { - "@id": "expandedlicensing:LicenseAddition" - }, - { - "@id": "expandedlicensing:License" - } - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasSpecification", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "core:Tool", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A Tool is an element of hardware and/or software utilized to carry out a particular function.", - "rdfs:subClassOf": { - "@id": "core:Element" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/ancestorOf", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Security/VexJustificationType/vulnerableCodeNotPresent", - "@type": [ - "owl:NamedIndividual", - "security:VexJustificationType" - ] - }, - { - "@id": "core:Person", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A Person is an individual human being.", - "rdfs:subClassOf": { - "@id": "core:Agent" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Security/ExploitCatalogType/kev", - "@type": [ - "owl:NamedIndividual", - "security:ExploitCatalogType" - ] - }, - { - "@id": "software:byteRange", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "This field defines the byte range in the original host file that the snippet information applies to.\nA range of bytes is independent of various formatting concerns, and the most accurate way \nof referring to the differences. 
The choice was made to start the numbering of \nthe byte range at 1 to be consistent with the W3C pointer method vocabulary.", - "rdfs:domain": { - "@id": "software:Snippet" - }, - "rdfs:range": { - "@id": "core:PositiveIntegerRange" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/securityAdversaryModel", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "build:parameters", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "parameters is a key-value map of all build parameters and their values that were provided to the builder for a build instance. This is different from the [environment](environment.md) property in that the keys and values are provided as command line arguments or a configuration file to the builder.", - "rdfs:domain": { - "@id": "build:Build" - }, - "rdfs:range": { - "@id": "core:DictionaryEntry" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Security/VexJustificationType/componentNotPresent", - "@type": [ - "owl:NamedIndividual", - "security:VexJustificationType" - ] - }, - { - "@id": "expandedlicensing:isOsiApproved", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "isOsiApproved specifies whether the [Open Source Initiative (OSI)](https://opensource.org)\nhas listed this License as \"approved\" in their list of OSI Approved Licenses,\nlocated at the time of this writing at https://opensource.org/licenses/.\n\nA value of \"true\" indicates that the license is in the list of licenses that OSI publishes as approved.\n\nA value of \"false\" indicates that the license is explicitly not in the corresponding list of OSI licenses (e.g., OSI has stated publicly that a license is not approved).\n\nIf the isOsiApproved field is not specified, the SPDX data creator makes no\nassertions about whether the License is approved by the OSI.", - "rdfs:domain": { - "@id": "expandedlicensing:License" - }, - "rdfs:range": { - "@id": 
"xsd:boolean" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/reportedBy", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "dataset:intendedUse", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "IntendedUse describes what the given dataset should be used for.\nSome datasets are collected to be used only for particular purposes. \nFor example, medical data collected from a specific demography might only be applicable\nfor training machine learning models to make predictions for that demography.\nIn such a case, the intendedUse field would capture this information.\nSimilarly, if a dataset is collected for building a facial recognition model,\nthe intendedUse field would specify that.", - "rdfs:domain": { - "@id": "dataset:Dataset" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "simplelicensing:licenseText", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A licenseText contains the plain text of the License or Addition,\nwithout templating or other similar markup.\n\nUsers of the licenseText for a License can apply the SPDX Matching Guidelines\nwhen comparing it to another text for matching purposes.", - "rdfs:domain": { - "@id": "simplelicensing:SimpleLicensingText" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/blake2b512", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "core:profileConformance", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Describes a profile to which the creator of this ElementCollection intends to conform.\nThe profileConformance will apply to all Elements contained within the collection as well as the collection itself.\nConformance to a profile is defined by the additional restrictions documented in the profile specific documentation and schema files.\nUse of 
this property allows the creator of an ElementCollection to communicate to consumers their intent to adhere to the profile additional restrictions.\nThe profileConformance has a default value of core if no other profileConformance is specified since all ElementCollections and Element must adhere to the core profile.", - "rdfs:domain": { - "@id": "core:ElementCollection" - }, - "rdfs:range": { - "@id": "core:ProfileIdentifierType" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sha3_256", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/eolNotice", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sha512", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "core:scope", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A scope is TODO", - "rdfs:domain": { - "@id": "core:LifecycleScopedRelationship" - }, - "rdfs:range": { - "@id": "core:LifecycleScopeType" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Security/VexJustificationType/vulnerableCodeCannotBeControlledByAdversary", - "@type": [ - "owl:NamedIndividual", - "security:VexJustificationType" - ] - }, - { - "@id": "core:hashValue", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "HashValue is the result of applying a hash algorithm to an Element.", - "rdfs:domain": { - "@id": "core:Hash" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/email", - "@type": [ - "owl:NamedIndividual", - "core:ExternalIdentifierType" - ] - }, - { - "@id": "expandedlicensing:licenseComment", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A licenseComment describes general factual information about the License. 
It\nshould not contain information (or links to information) that includes any kind\nof interpretation about the meaning or effect of the License, even if written\nby the license's author.\n\nExamples of information for a licenseComment may include the following:\n\n* If the License's identifier is deprecated, it may briefly explain the reason\n for deprecation.\n* It may include the date of release, if identified, for Licenses with multiple\n versions.\n* It may include links to other official language translations for the License.\n* For LicenseAdditions, it may include a reference to the License(s) with\n which this additional text is typically used.", - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "expandedlicensing:ExtendableLicense", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "The WithAdditionOperator can have a License or an OrLaterOperator as the license property value. This class is used for the value.", - "rdfs:subClassOf": { - "@id": "simplelicensing:AnyLicenseInfo" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasPrerequsite", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasAddedFile", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Security/CvssSeverityType/low", - "@type": [ - "owl:NamedIndividual", - "security:CvssSeverityType" - ] - }, - { - "@id": "build:configSourceEntrypoint", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A build entrypoint is the invoked executable of a build which always runs when the build is triggered. For example, when a build is triggered by running a shell script, the entrypoint is `script.sh`. 
In terms of a declared build, the entrypoint is the position in a configuration file or a build declaration which is always run when the build is triggered. For example, in the following configuration file, the entrypoint of the build is `publish`.\n\n```\nname: Publish packages to PyPI\n\non:\ncreate:\ntags: \"*\"\n\njobs:\npublish:\nruns-on: ubuntu-latest\nif: startsWith(github.ref, 'refs/tags/')\nsteps:\n\n...\n```", - "rdfs:domain": { - "@id": "build:Build" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetAvailabilityType/directDownload", - "@type": [ - "owl:NamedIndividual", - "dataset:DatasetAvailabilityType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/install", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "simplelicensing:licenseExpression", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Often a single license can be used to represent the licensing terms of a source code or binary file, but there are situations where a single license identifier is not sufficient. A common example is when software is offered under a choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is needed to represent a binary program constructed by compiling and linking two (or more) different source files each governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause).\n\nSPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing terms typically found in open source software source code. 
A license expression could be a single license identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a license identifier combined with an SPDX exception; or some combination of license identifiers, license references and exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). We provide the definition of what constitutes a valid an SPDX License Expression in this section.", - "rdfs:domain": { - "@id": "simplelicensing:LicenseExpression" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/documentation", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasAssociatedVulnerability", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/other", - "@type": [ - "owl:NamedIndividual", - "dataset:DatasetType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/cpe23", - "@type": [ - "owl:NamedIndividual", - "core:ExternalIdentifierType" - ] - }, - { - "@id": "ai:domain", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Domain describes the domain in which the AI model contained in the AI software\ncan be expected to operate successfully. Examples include computer vision, natural language etc.", - "rdfs:domain": { - "@id": "ai:AIPackage" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "expandedlicensing:ConjunctiveLicenseSet", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A ConjunctiveLicenseSet indicates that _each_ of its subsidiary\nAnyLicenseInfos apply. In other words, a ConjunctiveLicenseSet of two or\nmore licenses represents a licensing situation where _all_ of the specified\nlicenses are to be complied with. 
It is represented in the SPDX License\nExpression Syntax by the `AND` operator.\n\nIt is syntactically correct to specify a ConjunctiveLicenseSet where the\nsubsidiary AnyLicenseInfos may be \"incompatible\" according to a particular\ninterpretation of the corresponding Licenses. The SPDX License Expression\nSyntax does not take into account interpretation of license texts, which is\nleft to the consumer of SPDX data to determine for themselves.", - "rdfs:subClassOf": { - "@id": "simplelicensing:AnyLicenseInfo" - }, - "sh:property": { - "@id": "_:Nd5c7e642e6534db887817eee0d6a26f4" - } - }, - { - "@id": "_:Nd5c7e642e6534db887817eee0d6a26f4", - "sh:class": { - "@id": "simplelicensing:AnyLicenseInfo" - }, - "sh:minCount": 2, - "sh:name": "member", - "sh:path": { - "@id": "expandedlicensing:member" - } - }, - { - "@id": "expandedlicensing:licenseName", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A licenseName contains the full name of a License, preferably using the title found\nin the applicable license text or file, or as otherwise specified by the\nLicense's author or steward.\n\nWhen no such title is specified, using a name from another well-known source or list\nof licenses (such as OSI or Fedora) is suggested.\n\nIf no official or common name is known, any name may be used to aid in\ndistinguishing the License from other Licenses.", - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sphincsPlus", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sha3_224", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/ConfidentialityLevelType/green", - "@type": [ - "owl:NamedIndividual", - "dataset:ConfidentialityLevelType" - ] - }, - { - "@id": "core:Relationship", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": 
"Stable", - "rdfs:comment": "A Relationship is a grouping of characteristics unique to an assertion\nthat one Element is related to one or more other Elements in some way.", - "rdfs:subClassOf": { - "@id": "core:Element" - }, - "sh:property": [ - { - "@id": "_:N6690480a03914c8ab1b816297ff313e9" - }, - { - "@id": "_:Nbb69dc1ec52f45dd89dcb8d945cb7d9e" - }, - { - "@id": "_:Nfe5b2e70360044228aa21e66a58dd740" - }, - { - "@id": "_:N2d3b00128f9f4c0db3be772324038578" - }, - { - "@id": "_:N290ec849221347cba48daa80b53b96be" - }, - { - "@id": "_:Ndbd20f5e3e2f443f976c713cc476d11f" - } - ] - }, - { - "@id": "_:N6690480a03914c8ab1b816297ff313e9", - "sh:class": { - "@id": "core:Element" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "from", - "sh:path": { - "@id": "core:from" - } - }, - { - "@id": "_:Nbb69dc1ec52f45dd89dcb8d945cb7d9e", - "sh:class": { - "@id": "core:Element" - }, - "sh:name": "to", - "sh:path": { - "@id": "core:to" - } - }, - { - "@id": "_:Nfe5b2e70360044228aa21e66a58dd740", - "sh:class": { - "@id": "core:RelationshipType" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "relationshipType", - "sh:path": { - "@id": "core:relationshipType" - } - }, - { - "@id": "_:N2d3b00128f9f4c0db3be772324038578", - "sh:class": { - "@id": "core:RelationshipCompleteness" - }, - "sh:maxCount": 1, - "sh:name": "completeness", - "sh:path": { - "@id": "core:completeness" - } - }, - { - "@id": "_:N290ec849221347cba48daa80b53b96be", - "sh:datatype": { - "@id": "core:DateTime" - }, - "sh:maxCount": 1, - "sh:name": "startTime", - "sh:path": { - "@id": "core:startTime" - } - }, - { - "@id": "_:Ndbd20f5e3e2f443f976c713cc476d11f", - "sh:datatype": { - "@id": "core:DateTime" - }, - "sh:maxCount": 1, - "sh:name": "endTime", - "sh:path": { - "@id": "core:endTime" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Security/CvssSeverityType/none", - "@type": [ - "owl:NamedIndividual", - "security:CvssSeverityType" - ] - }, - { - "@id": 
"https://spdx.org/rdf/v3/Core/RelationshipType/fixedBy", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/riskAssessment", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "core:to", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "This field references an Element on the right-hand side of a relationship.", - "rdfs:domain": { - "@id": "core:Relationship" - }, - "rdfs:range": { - "@id": "core:Element" - } - }, - { - "@id": "software:SbomType", - "@type": "owl:Class", - "ns0:term_status": "Stable", - "owl:oneOf": { - "@list": [ - { - "@id": "https://spdx.org/rdf/v3/Software/SbomType/runtime" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SbomType/design" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SbomType/build" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SbomType/deployed" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SbomType/source" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SbomType/analyzed" - } - ] - }, - "rdfs:comment": "The set of SBOM types with definitions as defined in [Types of Software Bill of Material (SBOM) Documents](https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf), published on April 21, 2023. \nAn SBOM type describes the most likely type of an SBOM from the producer perspective, so that consumers can draw conclusions about the data inside an SBOM. A single SBOM can have multiple SBOM document types associated with it." 
- }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/vulnerabilityDisclosureReport", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/categorical", - "@type": [ - "owl:NamedIndividual", - "dataset:DatasetType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/nuget", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "core:PositiveIntegerRange", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "PositiveIntegerRange is a tuple of two positive integers that define a range.\n\"begin\" must be less than or equal to \"end\".", - "rdfs:subClassOf": { - "@id": "owl:Thing" - }, - "sh:property": [ - { - "@id": "_:Na34508e8731c4919899a073ef9888845" - }, - { - "@id": "_:Ncd4ef72ddec347b889891a96b850cc55" - } - ] - }, - { - "@id": "_:Na34508e8731c4919899a073ef9888845", - "sh:datatype": { - "@id": "xsd:positiveInteger" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "begin", - "sh:path": { - "@id": "core:begin" - } - }, - { - "@id": "_:Ncd4ef72ddec347b889891a96b850cc55", - "sh:datatype": { - "@id": "xsd:positiveInteger" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "end", - "sh:path": { - "@id": "core:end" - } - }, - { - "@id": "ai:informationAboutApplication", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "InformationAboutApplication describes any relevant information in free form text about \nhow the AI model is used inside the software, as well as any relevant pre-processing steps, third party APIs etc.", - "rdfs:domain": { - "@id": "ai:AIPackage" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/securityAdvisory", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "core:Agent", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - 
"ns0:term_status": "Stable", - "rdfs:comment": "The Agent class represents anything that has the potential to act on a system. This could be a person, organization, software agent, etc. This is not to be confused with tools that are used to perform tasks.", - "rdfs:subClassOf": { - "@id": "core:Element" - } - }, - { - "@id": "core:description", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "This field is a detailed description of the Element. It may also be extracted from the Element itself.\nThe intent is to provide recipients of the SPDX file with a detailed technical explanation\nof the functionality, anticipated use, and anticipated implementation of the Element.\nThis field may also include a description of improvements over prior versions of the Element.", - "rdfs:domain": { - "@id": "core:Element" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "expandedlicensing:additionComment", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "An additionComment for a LicenseAddition describes general factual information\nabout the LicenseAddition. 
It should not contain information (or links to\ninformation) that includes any kind of interpretation about the meaning or\neffect of the License, even if written by the license addition's author.\n\nExamples of information for an additionComment may include the following:\n\n* If the LicenseAddition's identifier is deprecated, it may briefly explain the\n reason for deprecation.\n* It may include the date of release, if identified, for LicenseAdditions with\n multiple versions.\n* It may include links to other official language translations for the\n LicenseAddition.\n* It may include a reference to the License(s) with which this LicenseAddition\n is typically used.", - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "expandedlicensing:LicenseAddition", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A LicenseAddition represents text which is intended to be added to a License\nas additional text, but which is not itself intended to be a standalone\nLicense.\n\nIt may be an exception which is listed on the SPDX Exceptions List\n(ListedLicenseException), or may be any other additional text (as an exception\nor otherwise) which is defined by an SPDX data creator (CustomLicenseAddition).", - "rdfs:subClassOf": { - "@id": "core:Element" - }, - "sh:property": [ - { - "@id": "_:Nc26776315a0943cfbef983a9398155ee" - }, - { - "@id": "_:N06df833c1b04488eba3e2a41073e4edf" - }, - { - "@id": "_:N5fad1bd4dec744d4bcb4496e9c5c7f95" - }, - { - "@id": "_:N58345a8a40d046eb86e7816fdd783ea8" - }, - { - "@id": "_:N4d22a1ffe3dc4c7697afb7f728b84421" - }, - { - "@id": "_:N37df85266eaa49878a5f6dce670bd213" - } - ] - }, - { - "@id": "_:Nc26776315a0943cfbef983a9398155ee", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "additionText", - "sh:path": { - "@id": "expandedlicensing:additionText" - } - }, - { - "@id": "_:N06df833c1b04488eba3e2a41073e4edf", - "sh:datatype": { - "@id": 
"xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "standardAdditionTemplate", - "sh:path": { - "@id": "expandedlicensing:standardAdditionTemplate" - } - }, - { - "@id": "_:N5fad1bd4dec744d4bcb4496e9c5c7f95", - "sh:datatype": { - "@id": "xsd:boolean" - }, - "sh:maxCount": 1, - "sh:name": "isDeprecatedAdditionId", - "sh:path": { - "@id": "expandedlicensing:isDeprecatedAdditionId" - } - }, - { - "@id": "_:N58345a8a40d046eb86e7816fdd783ea8", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "obsoletedBy", - "sh:path": { - "@id": "expandedlicensing:obsoletedBy" - } - }, - { - "@id": "_:N4d22a1ffe3dc4c7697afb7f728b84421", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "licenseXml", - "sh:path": { - "@id": "expandedlicensing:licenseXml" - } - }, - { - "@id": "_:N37df85266eaa49878a5f6dce670bd213", - "sh:datatype": { - "@id": "xsd:anyURI" - }, - "sh:name": "seeAlso", - "sh:path": { - "@id": "expandedlicensing:seeAlso" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Security/SsvcDecisionType/act", - "@type": [ - "owl:NamedIndividual", - "security:SsvcDecisionType" - ] - }, - { - "@id": "ai:safetyRiskAssessment", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "SafetyRiskAssessment categorizes the safety risk impact of the AI software\nin accordance with Article 20 of [EC Regulation No 765/2008](https://ec.europa.eu/docsroom/documents/17107/attachments/1/translations/en/renditions/pdf).", - "rdfs:domain": { - "@id": "ai:AIPackage" - }, - "rdfs:range": { - "@id": "ai:SafetyRiskAssessmentType" - } - }, - { - "@id": "core:ExternalMap", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "An External Map is a map of Element identifiers that are used within a Document\nbut defined external to that Document.\nThe external map provides details about the externally-defined Element\nsuch as its provenance, where to retrieve it, and how to verify 
its integrity.", - "rdfs:subClassOf": { - "@id": "owl:Thing" - }, - "sh:property": [ - { - "@id": "_:N05b4340d14304693a571665421939caa" - }, - { - "@id": "_:N39d818afbf8a4fd59d828b3479aa7460" - }, - { - "@id": "_:N3e481a6978a346a891eb0d36d1a7c50a" - }, - { - "@id": "_:Ne50bf6f38fa2470bbd95fd971f451c0d" - } - ] - }, - { - "@id": "_:N05b4340d14304693a571665421939caa", - "sh:datatype": { - "@id": "xsd:anyURI" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "externalSpdxId", - "sh:path": { - "@id": "core:externalSpdxId" - } - }, - { - "@id": "_:N39d818afbf8a4fd59d828b3479aa7460", - "sh:class": { - "@id": "core:IntegrityMethod" - }, - "sh:name": "verifiedUsing", - "sh:path": { - "@id": "core:verifiedUsing" - } - }, - { - "@id": "_:N3e481a6978a346a891eb0d36d1a7c50a", - "sh:datatype": { - "@id": "xsd:anyURI" - }, - "sh:maxCount": 1, - "sh:name": "locationHint", - "sh:path": { - "@id": "core:locationHint" - } - }, - { - "@id": "_:Ne50bf6f38fa2470bbd95fd971f451c0d", - "sh:class": { - "@id": "core:Artifact" - }, - "sh:maxCount": 1, - "sh:name": "definingArtifact", - "sh:path": { - "@id": "core:definingArtifact" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipCompleteness/noAssertion", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipCompleteness" - ] - }, - { - "@id": "security:VexUnderInvestigationVulnAssessmentRelationship", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "VexUnderInvestigationVulnAssessmentRelationship links a vulnerability to a\nnumber of products stating the vulnerability's impact on them is being\ninvestigated. 
It represents the VEX under_investigation status.\n\n**Constraints**\n\nWhen linking elements using a VexUnderInvestigationVulnAssessmentRelationship\nthe following requirements must be observed:\n\n- Elements linked with a VexUnderInvestigationVulnAssessmentRelationship are\nconstrained to using the underInvestigationFor relationship type.\n- The from: end of the relationship must ve a /Security/Vulnerability classed\nelement.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexUnderInvestigationVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-underInvestigation-1\",\n \"relationshipType\": \"underInvestigationFor\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", - "rdfs:subClassOf": { - "@id": "security:VexVulnAssessmentRelationship" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/trainedOn", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "expandedlicensing:member", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A member is a license expression participating in a conjunctive (of type\nConjunctiveLicenseSet) or a disjunctive (of type DisjunctiveLicenseSet)\nlicense set.", - "rdfs:range": { - "@id": "simplelicensing:AnyLicenseInfo" - }, - "sh:or": { - "@list": [ - { - "@id": "_:N3e4d6d5aae244f419b8fae49c6ba0023" - } - ] - } - }, - { - "@id": "_:N3e4d6d5aae244f419b8fae49c6ba0023", - "rdfs:domain": [ - { - "@id": "expandedlicensing:ConjunctiveLicenseSet" - }, - { - "@id": "expandedlicensing:DisjunctiveLicenseSet" - } - ] - }, - { - "@id": "core:algorithm", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "An algorithm specifies the algorithm that was used for calculating the hash value.", - "rdfs:domain": { - "@id": 
"core:Hash" - }, - "rdfs:range": { - "@id": "core:HashAlgorithm" - } - }, - { - "@id": "expandedlicensing:WithAdditionOperator", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A WithAdditionOperator indicates that the designated License is subject to the\ndesignated LicenseAddition, which might be a license exception on the SPDX\nExceptions List (ListedLicenseException) or may be other additional text\n(CustomLicenseAddition). It is represented in the SPDX License Expression\nSyntax by the `WITH` operator.", - "rdfs:subClassOf": { - "@id": "simplelicensing:AnyLicenseInfo" - }, - "sh:property": [ - { - "@id": "_:N8391625d65724d149249cffe251d9c71" - }, - { - "@id": "_:N17f6577c9e5d45f6827b4a2f479ad16d" - } - ] - }, - { - "@id": "_:N8391625d65724d149249cffe251d9c71", - "sh:class": { - "@id": "expandedlicensing:ExtendableLicense" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "subjectLicense", - "sh:path": { - "@id": "expandedlicensing:subjectLicense" - } - }, - { - "@id": "_:N17f6577c9e5d45f6827b4a2f479ad16d", - "sh:class": { - "@id": "expandedlicensing:LicenseAddition" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "subjectAddition", - "sh:path": { - "@id": "expandedlicensing:subjectAddition" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/testedOn", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "dataset:sensitivePersonalInformation", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "SensitivePersonalInformation indicates the presence of sensitive personal data\nor information that allows drawing conclusions about a person's identity.", - "rdfs:domain": { - "@id": "dataset:Dataset" - }, - "rdfs:range": { - "@id": "core:PresenceType" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/LifecycleScopeType/build", - "@type": [ - "owl:NamedIndividual", - "core:LifecycleScopeType" - ] - }, - { - "@id": 
"https://spdx.org/rdf/v3/Security/CvssSeverityType/medium", - "@type": [ - "owl:NamedIndividual", - "security:CvssSeverityType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/releaseHistory", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/exploitCreatedBy", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "ai:limitation", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Limitation captures a limitation of the AI Package (or of the AI models present in the AI package),\nexpressed as free form text. Note that this is not guaranteed to be exhaustive.\nFor instance, a limitation might be that the AI package cannot be used on datasets from a certain demography.", - "rdfs:domain": { - "@id": "ai:AIPackage" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/license", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/structured", - "@type": [ - "owl:NamedIndividual", - "dataset:DatasetType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType/security", - "@type": [ - "owl:NamedIndividual", - "core:ProfileIdentifierType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/sourceArtifact", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/firmware", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "ai:SafetyRiskAssessmentType", - "@type": "owl:Class", - "ns0:term_status": "Stable", - "owl:oneOf": { - "@list": [ - { - "@id": "https://spdx.org/rdf/v3/AI/SafetyRiskAssessmentType/serious" - }, - { - "@id": "https://spdx.org/rdf/v3/AI/SafetyRiskAssessmentType/high" - }, - { - "@id": 
"https://spdx.org/rdf/v3/AI/SafetyRiskAssessmentType/medium" - }, - { - "@id": "https://spdx.org/rdf/v3/AI/SafetyRiskAssessmentType/low" - } - ] - }, - "rdfs:comment": "Lists the different safety risk type values that can be used to describe the safety risk of AI software\naccording to [Article 20 of Regulation 765/2008/EC](https://ec.europa.eu/docsroom/documents/17107/attachments/1/translations/en/renditions/pdf)." - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/spdxPvcSha1", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/LifecycleScopeType/runtime", - "@type": [ - "owl:NamedIndividual", - "core:LifecycleScopeType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/PresenceType/no", - "@type": [ - "owl:NamedIndividual", - "core:PresenceType" - ] - }, - { - "@id": "software:packageVersion", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A packageVersion is useful for identification purposes and for indicating later changes of the package version.", - "rdfs:domain": { - "@id": "software:Package" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/framework", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "core:ExternalIdentifierType", - "@type": "owl:Class", - "ns0:term_status": "Stable", - "owl:oneOf": { - "@list": [ - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/gitoid" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/packageUrl" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/email" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/swid" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/cpe22" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/swhid" - }, - { - "@id": 
"https://spdx.org/rdf/v3/Core/ExternalIdentifierType/securityOther" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/other" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/urlScheme" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/cve" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/cpe23" - } - ] - }, - "rdfs:comment": "ExteralIdentifierType specifies the type of an external identifier." - }, - { - "@id": "core:key", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A key used in generic a key-value pair.\nA key-value pair can be used to implement a dictionary which associates a key with a value.", - "rdfs:domain": { - "@id": "core:DictionaryEntry" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "core:externalRefType", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "An externalRefType specifies the type of the external reference.", - "rdfs:domain": { - "@id": "core:ExternalRef" - }, - "rdfs:range": { - "@id": "core:ExternalRefType" - } - }, - { - "@id": "core:locationHint", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A locationHint provides an indication of where to retrieve an external Element.", - "rdfs:domain": { - "@id": "core:ExternalMap" - }, - "rdfs:range": { - "@id": "xsd:anyURI" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sha384", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasOptionalComponent", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType/core", - "@type": [ - "owl:NamedIndividual", - "core:ProfileIdentifierType" - ] - }, - { - "@id": "core:Organization", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - 
"rdfs:comment": "An Organization is a group of people who work together in an organized way for a shared purpose.", - "rdfs:subClassOf": { - "@id": "core:Agent" - } - }, - { - "@id": "ai:hyperparameter", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "This field records a hyperparameter value.\nHyperparameters are parameters of the machine learning model that are used to control the learning process,\nfor example the optimization and learning rate used during the training of the model.", - "rdfs:domain": { - "@id": "ai:AIPackage" - }, - "rdfs:range": { - "@id": "core:DictionaryEntry" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/releaseNotes", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "core:LifecycleScopedRelationship", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "TODO", - "rdfs:subClassOf": { - "@id": "core:Relationship" - }, - "sh:property": { - "@id": "_:Nfdaf2e04a0fb4414ad9151bd75db9a78" - } - }, - { - "@id": "_:Nfdaf2e04a0fb4414ad9151bd75db9a78", - "sh:class": { - "@id": "core:LifecycleScopeType" - }, - "sh:maxCount": 1, - "sh:name": "scope", - "sh:path": { - "@id": "core:scope" - } - }, - { - "@id": "core:name", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "This field identifies the name of an Element as designated by the creator. 
\nThe name of an Element is an important convention and easier to refer to than the URI.", - "rdfs:domain": { - "@id": "core:Element" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/bower", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "ai:AIPackage", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "Metadata information that can be added to a package to describe an AI application or trained AI model.\nExternal property restriction on /Core/Artifact/suppliedBy: minCount: 1\nExternal property restriction on /Software/Package/downloadLocation: minCount: 1\nExternal property restriction on /Software/Package/packageVersion: minCount: 1\nExternal property restriction on /Software/SoftwareArtifact/primaryPurpose: minCount: 1\nExternal property restriction on /Core/Artifact/releaseTime: minCount: 1", - "rdfs:subClassOf": { - "@id": "software:Package" - }, - "sh:property": [ - { - "@id": "_:Nf893bfc0ab2841d1a9ead02877cc554b" - }, - { - "@id": "_:N27740f711578431cbfc416ed2f8ffbc1" - }, - { - "@id": "_:N2c8c29ded1574c4bb253fff07ce86001" - }, - { - "@id": "_:N4aaf14e27be6416591c6d23d708dac2f" - }, - { - "@id": "_:Nc1942b12fdee498791d99cc72f997208" - }, - { - "@id": "_:N52d7a67a9ddd40d88959fb3dcd85b255" - }, - { - "@id": "_:N32bfe49efd0a4591a8e6e1edf277c8a5" - }, - { - "@id": "_:N59cfa548cbc34eb381c08f76f0d13460" - }, - { - "@id": "_:N1f237c2a92d84fb2adb3a9c36d2a2fef" - }, - { - "@id": "_:N730cd9d4202740b5ac087ca23012b45c" - }, - { - "@id": "_:N23a7088846514cf687d38d29707c6c82" - }, - { - "@id": "_:Na9d1452a4dae4365a89a02e312eff0ce" - }, - { - "@id": "_:Nc8e9d45b32184f2a979912f9399104c5" - }, - { - "@id": "_:Ndfa35457d4d943058400d34a4c1cf94c" - }, - { - "@id": "_:N98fb44b3505646a89025a88a11c70a99" - } - ] - }, - { - "@id": "_:Nf893bfc0ab2841d1a9ead02877cc554b", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, 
- "sh:name": "energyConsumption", - "sh:path": { - "@id": "ai:energyConsumption" - } - }, - { - "@id": "_:N27740f711578431cbfc416ed2f8ffbc1", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:name": "standardCompliance", - "sh:path": { - "@id": "ai:standardCompliance" - } - }, - { - "@id": "_:N2c8c29ded1574c4bb253fff07ce86001", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "limitation", - "sh:path": { - "@id": "ai:limitation" - } - }, - { - "@id": "_:N4aaf14e27be6416591c6d23d708dac2f", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:name": "typeOfModel", - "sh:path": { - "@id": "ai:typeOfModel" - } - }, - { - "@id": "_:Nc1942b12fdee498791d99cc72f997208", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "informationAboutTraining", - "sh:path": { - "@id": "ai:informationAboutTraining" - } - }, - { - "@id": "_:N52d7a67a9ddd40d88959fb3dcd85b255", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "informationAboutApplication", - "sh:path": { - "@id": "ai:informationAboutApplication" - } - }, - { - "@id": "_:N32bfe49efd0a4591a8e6e1edf277c8a5", - "sh:class": { - "@id": "core:DictionaryEntry" - }, - "sh:name": "hyperparameter", - "sh:path": { - "@id": "ai:hyperparameter" - } - }, - { - "@id": "_:N59cfa548cbc34eb381c08f76f0d13460", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:name": "modelDataPreprocessing", - "sh:path": { - "@id": "ai:modelDataPreprocessing" - } - }, - { - "@id": "_:N1f237c2a92d84fb2adb3a9c36d2a2fef", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:name": "modelExplainability", - "sh:path": { - "@id": "ai:modelExplainability" - } - }, - { - "@id": "_:N730cd9d4202740b5ac087ca23012b45c", - "sh:class": { - "@id": "core:PresenceType" - }, - "sh:maxCount": 1, - "sh:name": "sensitivePersonalInformation", - "sh:path": { - "@id": "ai:sensitivePersonalInformation" - } - }, - { - "@id": "_:N23a7088846514cf687d38d29707c6c82", - "sh:class": { - "@id": 
"core:DictionaryEntry" - }, - "sh:name": "metricDecisionThreshold", - "sh:path": { - "@id": "ai:metricDecisionThreshold" - } - }, - { - "@id": "_:Na9d1452a4dae4365a89a02e312eff0ce", - "sh:class": { - "@id": "core:DictionaryEntry" - }, - "sh:name": "metric", - "sh:path": { - "@id": "ai:metric" - } - }, - { - "@id": "_:Nc8e9d45b32184f2a979912f9399104c5", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:name": "domain", - "sh:path": { - "@id": "ai:domain" - } - }, - { - "@id": "_:Ndfa35457d4d943058400d34a4c1cf94c", - "sh:class": { - "@id": "core:PresenceType" - }, - "sh:maxCount": 1, - "sh:name": "autonomyType", - "sh:path": { - "@id": "ai:autonomyType" - } - }, - { - "@id": "_:N98fb44b3505646a89025a88a11c70a99", - "sh:class": { - "@id": "ai:SafetyRiskAssessmentType" - }, - "sh:maxCount": 1, - "sh:name": "safetyRiskAssessment", - "sh:path": { - "@id": "ai:safetyRiskAssessment" - } - }, - { - "@id": "dataset:datasetNoise", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "DatasetNoise describes what kinds of noises a dataset might encompass.\nThe field uses free form text to specify the fields or the samples that might be noisy.\nAlternatively, it can also be used to describe various noises that could impact the whole dataset.", - "rdfs:domain": { - "@id": "dataset:Dataset" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "core:ElementCollection", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "An ElementCollection is a collection of Elements, not necessarily with unifying context.\n\nNote that all ElementCollections must conform to the core profile even if the core profile is no specified in the profileConformance property.\nIf the profileConformance property is not provided, core is to be assumed as the default.\n\n**Constraints**\nIf the ElementCollection has at least 1 element, it must also have at least 1 rootElement.\n\nThe element must not be of type 
SpdxDocument.\n\nThe rootElement must not be of type SpdxDocument.", - "rdfs:subClassOf": { - "@id": "core:Element" - }, - "sh:property": [ - { - "@id": "_:N3e93930b60e74a36b7773d8b81f26f54" - }, - { - "@id": "_:N1fdba0dcd18f41e5af8c157308c61f2e" - }, - { - "@id": "_:N11346ce21db84d3faa3cf44025bd3c4f" - } - ] - }, - { - "@id": "_:N3e93930b60e74a36b7773d8b81f26f54", - "sh:class": { - "@id": "core:Element" - }, - "sh:name": "element", - "sh:path": { - "@id": "core:element" - } - }, - { - "@id": "_:N1fdba0dcd18f41e5af8c157308c61f2e", - "sh:class": { - "@id": "core:Element" - }, - "sh:name": "rootElement", - "sh:path": { - "@id": "core:rootElement" - } - }, - { - "@id": "_:N11346ce21db84d3faa3cf44025bd3c4f", - "sh:class": { - "@id": "core:ProfileIdentifierType" - }, - "sh:name": "profileConformance", - "sh:path": { - "@id": "core:profileConformance" - } - }, - { - "@id": "core:subject", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A subject is an Element an annotator has made an assertion about.", - "rdfs:domain": { - "@id": "core:Annotation" - }, - "rdfs:range": { - "@id": "core:Element" - } - }, - { - "@id": "core:extension", - "ns0:term_status": "Stable", - "rdfs:comment": "TODO", - "rdfs:domain": { - "@id": "core:Element" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/securityFix", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "software:lineRange", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "This field defines the line range in the original host file that the snippet information applies to.\nIf there is a disagreement between the byte range and line range, the byte range values will take precedence.\nA range of lines is a convenient reference for those files where there is a known line delimiter. 
\nThe choice was made to start the numbering of the lines at 1 to be consistent with the W3C pointer method vocabulary.", - "rdfs:domain": { - "@id": "software:Snippet" - }, - "rdfs:range": { - "@id": "core:PositiveIntegerRange" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasStaticLink", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "security:assessedElement", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Specifies subpackages, files or snippets referenced by a security assessment\nto specify the precise location where a vulnerability was found.", - "rdfs:domain": { - "@id": "security:VulnAssessmentRelationship" - }, - "rdfs:range": { - "@id": "core:Element" - } - }, - { - "@id": "expandedlicensing:standardLicenseHeader", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A standardLicenseHeader contains the plain text of the License author's\npreferred wording to be used, typically in a source code file's header\ncomments or similar location, to indicate that the file is subject to\nthe specified License.", - "rdfs:domain": { - "@id": "expandedlicensing:License" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasHost", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/describes", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "core:value", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A value used in a generic key-value pair.\nA key-value pair can be used to implement a dictionary which associates a key with a value.", - "rdfs:domain": { - "@id": "core:DictionaryEntry" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "security:vexVersion", - "@type": "owl:DatatypeProperty", - 
"ns0:term_status": "Stable", - "rdfs:comment": "TODO", - "rdfs:domain": { - "@id": "security:VexVulnAssessmentRelationship" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/configuration", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "expandedlicensing:DisjunctiveLicenseSet", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A DisjunctiveLicenseSet indicates that _only one_ of its subsidiary\nAnyLicenseInfos is required to apply. In other words, a\nDisjunctiveLicenseSet of two or more licenses represents a licensing\nsituation where _only one_ of the specified licenses are to be complied with.\nA consumer of SPDX data would typically understand this to permit the recipient\nof the licensed content to choose which of the corresponding license they\nwould prefer to use. It is represented in the SPDX License Expression Syntax\nby the `OR` operator.", - "rdfs:subClassOf": { - "@id": "simplelicensing:AnyLicenseInfo" - }, - "sh:property": { - "@id": "_:N20c39c1d37034dfd946ddf26fa4ee2c8" - } - }, - { - "@id": "_:N20c39c1d37034dfd946ddf26fa4ee2c8", - "sh:class": { - "@id": "simplelicensing:AnyLicenseInfo" - }, - "sh:minCount": 2, - "sh:name": "member", - "sh:path": { - "@id": "expandedlicensing:member" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/expandsTo", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "core:Bom", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A Bill Of Materials (BOM) is a container for a grouping of SPDX-3.0 content\ncharacterizing details about a product.\nThis could include details of the content and composition of the product,\nprovenence details of the product and/or\nits composition, licensing information, known quality or security issues, etc.", - "rdfs:subClassOf": { - 
"@id": "core:Bundle" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/modifiedBy", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "dataset:dataPreprocessing", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "DataPreprocessing describes the various preprocessing steps\nthat were applied to the raw data to create the dataset.", - "rdfs:domain": { - "@id": "dataset:Dataset" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "security:ExploitCatalogType", - "@type": "owl:Class", - "ns0:term_status": "Stable", - "owl:oneOf": { - "@list": [ - { - "@id": "https://spdx.org/rdf/v3/Security/ExploitCatalogType/kev" - }, - { - "@id": "https://spdx.org/rdf/v3/Security/ExploitCatalogType/other" - } - ] - }, - "rdfs:comment": "ExploitCatalogType specifies the type of exploit catalog that a vulnerability is listed in." - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasOutputs", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "core:creationInfo", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "CreationInfo provides information about the creation of the Element.", - "rdfs:domain": { - "@id": "core:Element" - }, - "rdfs:range": { - "@id": "core:CreationInfo" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/library", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "ai:standardCompliance", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "StandardCompliance captures a standard that the AI software complies with. \nThis includes both published and unpublished standards, for example ISO, IEEE, ETSI etc. 
\nThe standard could (but not necessarily have to) be used to satisfy a legal or regulatory requirement.", - "rdfs:domain": { - "@id": "ai:AIPackage" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "core:SoftwareAgent", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A SoftwareAgent is a software program that is given the authority (similar to a user's authority) to act on a system.", - "rdfs:subClassOf": { - "@id": "core:Agent" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sha3_384", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "security:VulnAssessmentRelationship", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "VulnAssessmentRelationship is the ancestor class common to all vulnerability\nassessment relationships. It factors out the common properties shared by them.\nExternal property restriction on /Core/Relationship/to: minCount: 1", - "rdfs:subClassOf": { - "@id": "core:Relationship" - }, - "sh:property": [ - { - "@id": "_:Na54753ce3f1144d390470107800859f8" - }, - { - "@id": "_:N6c6760ab8b7e4e4fa5619dcb5190ee19" - }, - { - "@id": "_:Na04828fc71354790b65e073db6244c9f" - }, - { - "@id": "_:N98fe1d2fedd54913a00a5b9c83bcfb25" - }, - { - "@id": "_:N428ce43ef191475f94435c271ae1ec47" - } - ] - }, - { - "@id": "_:Na54753ce3f1144d390470107800859f8", - "sh:class": { - "@id": "core:Element" - }, - "sh:maxCount": 1, - "sh:name": "assessedElement", - "sh:path": { - "@id": "security:assessedElement" - } - }, - { - "@id": "_:N6c6760ab8b7e4e4fa5619dcb5190ee19", - "sh:datatype": { - "@id": "core:DateTime" - }, - "sh:maxCount": 1, - "sh:name": "publishedTime", - "sh:path": { - "@id": "security:publishedTime" - } - }, - { - "@id": "_:Na04828fc71354790b65e073db6244c9f", - "sh:class": { - "@id": "core:Agent" - }, - "sh:maxCount": 1, - "sh:name": "/Core/suppliedBy", - "sh:path": { - "@id": 
"core:suppliedBy" - } - }, - { - "@id": "_:N98fe1d2fedd54913a00a5b9c83bcfb25", - "sh:datatype": { - "@id": "core:DateTime" - }, - "sh:maxCount": 1, - "sh:name": "modifiedTime", - "sh:path": { - "@id": "security:modifiedTime" - } - }, - { - "@id": "_:N428ce43ef191475f94435c271ae1ec47", - "sh:datatype": { - "@id": "core:DateTime" - }, - "sh:maxCount": 1, - "sh:name": "withdrawnTime", - "sh:path": { - "@id": "security:withdrawnTime" - } - }, - { - "@id": "core:RelationshipCompleteness", - "@type": "owl:Class", - "ns0:term_status": "Stable", - "owl:oneOf": { - "@list": [ - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipCompleteness/noAssertion" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipCompleteness/incomplete" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipCompleteness/complete" - } - ] - }, - "rdfs:comment": "RelationshipCompleteness indicates whether the provided relationship is known to be complete, known to be incomplete, or if no assertion is made by the relationship creator." - }, - { - "@id": "security:VexFixedVulnAssessmentRelationship", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "VexFixedVulnAssessmentRelationship links a vulnerability to a number of elements\nrepresenting VEX products where a vulnerability has been fixed and are no longer\naffected. 
It represents the VEX fixed status.\n\n**Constraints**\n\nWhen linking elements using a VexFixedVulnAssessmentRelationship, the following\nrequirements must be observed:\n\n- Elements linked with a VulnVexFixedAssessmentRelationship are constrained to\nusing the fixedIn relationship type.\n- The from: end of the relationship must ve a /Security/Vulnerability classed\nelement.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexFixedVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-fixed-in-1\",\n \"relationshipType\": \"fixedIn\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.4\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", - "rdfs:subClassOf": { - "@id": "security:VexVulnAssessmentRelationship" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/contains", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "software:primaryPurpose", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "primaryPurpose provides information about the primary purpose of the software artifact.", - "rdfs:domain": { - "@id": "software:SoftwareArtifact" - }, - "rdfs:range": { - "@id": "software:SoftwarePurpose" - } - }, - { - "@id": "simplelicensing:licenseListVersion", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Recognizing that licenses are added to the SPDX License List with each subsequent version, the intent is to provide consumers with the version of the SPDX License List used. 
\nThis anticipates that in the future, license expression might have used a version of the SPDX License List that is older than the then current one.\nThe specified version of the SPDX License List must include all listed licenses and exceptions referenced in the expression.", - "rdfs:domain": { - "@id": "simplelicensing:LicenseExpression" - }, - "rdfs:range": { - "@id": "core:SemVer" - } - }, - { - "@id": "security:actionStatementTime", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "When a VEX statement communicates an affected status, the author MUST\ninclude an action statement with a recommended action to help mitigate the\nvulnerability's impact. The actionStatementTime property records the time\nwhen the action statement was first communicated.", - "rdfs:domain": { - "@id": "security:VexAffectedVulnAssessmentRelationship" - }, - "rdfs:range": { - "@id": "core:DateTime" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasRequirement", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "expandedlicensing:subjectLicense", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A subjectLicense is a License which is subject to either an 'or later' effect\n(OrLaterOperator) or a 'with additional text' effect (WithAdditionOperator).", - "rdfs:range": { - "@id": "expandedlicensing:License" - }, - "sh:or": { - "@list": [ - { - "@id": "_:N2fb945d074e94c33b1dc3b9073f16cc8" - } - ] - } - }, - { - "@id": "_:N2fb945d074e94c33b1dc3b9073f16cc8", - "rdfs:domain": [ - { - "@id": "expandedlicensing:WithAdditionOperator" - }, - { - "@id": "expandedlicensing:OrLaterOperator" - } - ] - }, - { - "@id": "security:severity", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "The severity field provides a human readable string of the resulting numerical CVSS score.", - "rdfs:range": { - "@id": "security:CvssSeverityType" - }, - 
"sh:or": { - "@list": [ - { - "@id": "_:N22b8f31919f1454ca1f1ce846d5b289d" - } - ] - } - }, - { - "@id": "_:N22b8f31919f1454ca1f1ce846d5b289d", - "rdfs:domain": [ - { - "@id": "security:CvssV4VulnAssessmentRelationship" - }, - { - "@id": "security:CvssV3VulnAssessmentRelationship" - } - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipCompleteness/complete", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipCompleteness" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/other", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/fixedIn", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasConcludedLicense", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "dataset:Dataset", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "Metadata information that can be added to a dataset that may be used in a software or to train/test an AI package.\nExternal property restriction on /Core/Artifact/originatedBy: minCount: 1\nExternal property restriction on /Software/Package/downloadLocation: minCount: 1\nExternal property restriction on /Software/SoftwareArtifact/primaryPurpose: minCount: 1\nExternal property restriction on /Core/Artifact/releaseTime: minCount: 1\nExternal property restriction on /Core/Artifact/builtTime: minCount: 1", - "rdfs:subClassOf": { - "@id": "software:Package" - }, - "sh:property": [ - { - "@id": "_:N62984c2608744b83b2b2abdf00b37c01" - }, - { - "@id": "_:N21fbee4eca5145b48e704db31d43e7f3" - }, - { - "@id": "_:Nd413b4d6e4fd46c9bdd6458f0c1f7641" - }, - { - "@id": "_:N077b68b7a5a74197beeef71d36360f27" - }, - { - "@id": "_:Nd10a3a71e0d14c81a54254bff1a7990c" - }, - { - "@id": "_:Nd6cc3f5e1144498c90861f286a6e078a" - }, - { - "@id": "_:N6f24087f09f845c38e81c05ac7217bc8" - 
}, - { - "@id": "_:N016dee4243d344dd89a5e05d8968798f" - }, - { - "@id": "_:Ndba6beb4bdd24eb6896bc95543f9e0b2" - }, - { - "@id": "_:Ne0191177e42c43379c779c6fa2102465" - }, - { - "@id": "_:Nbc8d947283c842d7b0227f7801eb6cfc" - }, - { - "@id": "_:N258532fce45d4375a7574befb62e5b93" - }, - { - "@id": "_:Ncd7bcd8eddd94bbf91fb7fcebe66d67a" - } - ] - }, - { - "@id": "_:N62984c2608744b83b2b2abdf00b37c01", - "sh:class": { - "@id": "dataset:DatasetType" - }, - "sh:minCount": 1, - "sh:name": "datasetType", - "sh:path": { - "@id": "dataset:datasetType" - } - }, - { - "@id": "_:N21fbee4eca5145b48e704db31d43e7f3", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "dataCollectionProcess", - "sh:path": { - "@id": "dataset:dataCollectionProcess" - } - }, - { - "@id": "_:Nd413b4d6e4fd46c9bdd6458f0c1f7641", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "intendedUse", - "sh:path": { - "@id": "dataset:intendedUse" - } - }, - { - "@id": "_:N077b68b7a5a74197beeef71d36360f27", - "sh:datatype": { - "@id": "xsd:nonNegativeInteger" - }, - "sh:maxCount": 1, - "sh:name": "datasetSize", - "sh:path": { - "@id": "dataset:datasetSize" - } - }, - { - "@id": "_:Nd10a3a71e0d14c81a54254bff1a7990c", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "datasetNoise", - "sh:path": { - "@id": "dataset:datasetNoise" - } - }, - { - "@id": "_:Nd6cc3f5e1144498c90861f286a6e078a", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:name": "dataPreprocessing", - "sh:path": { - "@id": "dataset:dataPreprocessing" - } - }, - { - "@id": "_:N6f24087f09f845c38e81c05ac7217bc8", - "sh:class": { - "@id": "core:DictionaryEntry" - }, - "sh:name": "sensor", - "sh:path": { - "@id": "dataset:sensor" - } - }, - { - "@id": "_:N016dee4243d344dd89a5e05d8968798f", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:name": "knownBias", - "sh:path": { - "@id": "dataset:knownBias" - } - }, - { - "@id": "_:Ndba6beb4bdd24eb6896bc95543f9e0b2", - 
"sh:class": { - "@id": "core:PresenceType" - }, - "sh:maxCount": 1, - "sh:name": "sensitivePersonalInformation", - "sh:path": { - "@id": "dataset:sensitivePersonalInformation" - } - }, - { - "@id": "_:Ne0191177e42c43379c779c6fa2102465", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:name": "anonymizationMethodUsed", - "sh:path": { - "@id": "dataset:anonymizationMethodUsed" - } - }, - { - "@id": "_:Nbc8d947283c842d7b0227f7801eb6cfc", - "sh:class": { - "@id": "dataset:ConfidentialityLevelType" - }, - "sh:maxCount": 1, - "sh:name": "confidentialityLevel", - "sh:path": { - "@id": "dataset:confidentialityLevel" - } - }, - { - "@id": "_:N258532fce45d4375a7574befb62e5b93", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "datasetUpdateMechanism", - "sh:path": { - "@id": "dataset:datasetUpdateMechanism" - } - }, - { - "@id": "_:Ncd7bcd8eddd94bbf91fb7fcebe66d67a", - "sh:class": { - "@id": "dataset:DatasetAvailabilityType" - }, - "sh:maxCount": 1, - "sh:name": "datasetAvailability", - "sh:path": { - "@id": "dataset:datasetAvailability" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasDynamicLink", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "security:ExploitCatalogVulnAssessmentRelationship", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "An ExploitCatalogVulnAssessmentRelationship describes if a vulnerability is\nlisted in any exploit catalog such as the CISA Known Exploited Vulnerabilities\nCatalog (KEV) \n[https://www.cisa.gov/known-exploited-vulnerabilities-catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).\n\n**Constraints**\n\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"ExploitCatalogVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:exploit-catalog-1\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"catalogType\": \"kev\",\n 
\"locator\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog\",\n \"exploited\": \"true\",\n \"from\": \"urn:spdx.dev:vuln-cve-2023-2136\",\n \"to\": [\"urn:product-google-chrome-112.0.5615.136\"],\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", - "rdfs:subClassOf": { - "@id": "security:VulnAssessmentRelationship" - }, - "sh:property": [ - { - "@id": "_:Ne4759dce053d4b9194627959157d3428" - }, - { - "@id": "_:Nf70854a6eaca407180804a095f09749f" - }, - { - "@id": "_:N14953d8d7f5246cb9464406158e13399" - } - ] - }, - { - "@id": "_:Ne4759dce053d4b9194627959157d3428", - "sh:class": { - "@id": "security:ExploitCatalogType" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "catalogType", - "sh:path": { - "@id": "security:catalogType" - } - }, - { - "@id": "_:Nf70854a6eaca407180804a095f09749f", - "sh:datatype": { - "@id": "xsd:boolean" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "exploited", - "sh:path": { - "@id": "security:exploited" - } - }, - { - "@id": "_:N14953d8d7f5246cb9464406158e13399", - "sh:datatype": { - "@id": "xsd:anyURI" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "locator", - "sh:path": { - "@id": "security:locator" - } - }, - { - "@id": "build:buildId", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A buildId is a locally unique identifier to identify a unique instance of a build. 
This identifier differs based on build toolchain, platform, or naming convention used by an organization or standard.", - "rdfs:domain": { - "@id": "build:Build" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/republishedBy", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SbomType/analyzed", - "@type": [ - "owl:NamedIndividual", - "software:SbomType" - ] - }, - { - "@id": "core:issuingAuthority", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "An issuingAuthority is an entity that is authorized to issue identification credentials.\n\nThe entity may be a government, non-profit, educational institution, or commercial enterprise. The URI provides a unique identifier for the issuing authority.", - "rdfs:domain": { - "@id": "core:ExternalIdentifier" - }, - "rdfs:range": { - "@id": "xsd:anyURI" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/graph", - "@type": [ - "owl:NamedIndividual", - "dataset:DatasetType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasProvidedDependency", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "software:homePage", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "HomePage is a place for the SPDX document creator to record a website that serves as the package's home page.\nThis saves the recipient of the SPDX document who is looking for more info from\nhaving to search for and verify a match between the package and the associated project home page.\nThis link can also be used to reference further information about the package\nreferenced by the SPDX document creator.", - "rdfs:domain": { - "@id": "software:Package" - }, - "rdfs:range": { - "@id": "xsd:anyURI" - } - }, - { - "@id": "security:locator", - "@type": "owl:DatatypeProperty", - 
"ns0:term_status": "Stable", - "rdfs:comment": "A locator provides the location of an exploit catalog.", - "rdfs:domain": { - "@id": "security:ExploitCatalogVulnAssessmentRelationship" - }, - "rdfs:range": { - "@id": "xsd:anyURI" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasDistributionArtifact", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "core:annotationType", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "An annotationType describes the type of an annotation.", - "rdfs:domain": { - "@id": "core:Annotation" - }, - "rdfs:range": { - "@id": "core:AnnotationType" - } - }, - { - "@id": "core:externalIdentifier", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "ExternalIdentifier points to a resource outside the scope of SPDX-3.0 content\nthat uniquely identifies an Element.", - "rdfs:domain": { - "@id": "core:Element" - }, - "rdfs:range": { - "@id": "core:ExternalIdentifier" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/LifecycleScopeType/design", - "@type": [ - "owl:NamedIndividual", - "core:LifecycleScopeType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/spdxPvcSha256", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Security/CvssSeverityType/critical", - "@type": [ - "owl:NamedIndividual", - "security:CvssSeverityType" - ] - }, - { - "@id": "core:validUntilTime", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A validUntilTime specifies until when the artifact can be used before its usage needs to be reassessed.", - "rdfs:domain": { - "@id": "core:Artifact" - }, - "rdfs:range": { - "@id": "core:DateTime" - } - }, - { - "@id": "expandedlicensing:standardAdditionTemplate", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A standardAdditionTemplate contains a license 
addition template which describes\nsections of the LicenseAddition text which can be varied. See the Legacy Text\nTemplate format section of the SPDX specification for format information.", - "rdfs:domain": { - "@id": "expandedlicensing:LicenseAddition" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "core:createdUsing", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "CreatedUsing identifies the tooling that was used during the creation of the Element.\nThe generation method will assist the recipient of the Element in assessing\nthe general reliability/accuracy of the analysis information.", - "rdfs:domain": { - "@id": "core:CreationInfo" - }, - "rdfs:range": { - "@id": "core:Tool" - } - }, - { - "@id": "core:statement", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A statement is a commentary on an assertion that an annotator has made.", - "rdfs:domain": { - "@id": "core:Annotation" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "build:environment", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "environment is a map of environment variables and values that are set during a build session. 
This is different from the [parameters](parameters.md) property in that it describes the environment variables set before a build is invoked rather than the variables provided to the builder.", - "rdfs:domain": { - "@id": "build:Build" - }, - "rdfs:range": { - "@id": "core:DictionaryEntry" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasDependencyManifest", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "expandedlicensing:additionName", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "An additionName contains the full name of a LicenseAddition, preferably using\nthe title found in the applicable license addition text or file, or as\notherwise specified by the LicenseAddition's author or steward.\n\nWhen no such title is specified, using a name from another well-known source or list\nof licenses additions (such as OSI or Fedora) is suggested.\n\nIf no official or common name is known, any name may be used to aid in\ndistinguishing the LicenseAddition from other LicenseAdditions.", - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "expandedlicensing:ListedLicenseException", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A ListedLicenseException represents an exception to a License (in other words,\nan exception to a license condition or an additional permission beyond those\ngranted in a License) which is listed on the SPDX Exceptions List at\nhttps://spdx.org/licenses/exceptions-index.html.", - "rdfs:subClassOf": { - "@id": "expandedlicensing:LicenseAddition" - }, - "sh:property": [ - { - "@id": "_:N24d47156e80548aa9748628df5a23866" - }, - { - "@id": "_:N5f06d3f7d93d4777bed69f731645569b" - } - ] - }, - { - "@id": "_:N24d47156e80548aa9748628df5a23866", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "listVersionAdded", - "sh:path": { - "@id": 
"expandedlicensing:listVersionAdded" - } - }, - { - "@id": "_:N5f06d3f7d93d4777bed69f731645569b", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "deprecatedVersion", - "sh:path": { - "@id": "expandedlicensing:deprecatedVersion" - } - }, - { - "@id": "security:SsvcVulnAssessmentRelationship", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "An SsvcVulnAssessmentRelationship describes the decision made using the\nStakeholder-Specific Vulnerability Categorization (SSVC) decision tree as\ndefined on [https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc).\nIt is intended to communicate the results of using the CISA SSVC Calculator.\n\n**Constraints**\n\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"SsvcVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:ssvc-1\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"decisionType\": \"act\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", - "rdfs:subClassOf": { - "@id": "security:VulnAssessmentRelationship" - }, - "sh:property": { - "@id": "_:Nef0280bfebea4279af886e4b411fc6f9" - } - }, - { - "@id": "_:Nef0280bfebea4279af886e4b411fc6f9", - "sh:class": { - "@id": "security:SsvcDecisionType" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "decisionType", - "sh:path": { - "@id": "security:decisionType" - } - }, - { - "@id": "software:downloadLocation", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "DownloadLocation identifies the download Uniform Resource Identifier \nfor the package at the time that the document was created.\nWhere and 
how to download the exact package being referenced \nis critical for verification and tracking data.", - "rdfs:domain": { - "@id": "software:Package" - }, - "rdfs:range": { - "@id": "xsd:anyURI" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/patch", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Security/VexJustificationType/inlineMitigationsAlreadyExist", - "@type": [ - "owl:NamedIndividual", - "security:VexJustificationType" - ] - }, - { - "@id": "simplelicensing:AnyLicenseInfo", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "An AnyLicenseInfo is used by licensing properties of software artifacts.\nIt can be a NoneLicense, a NoAssertionLicense,\nsingle license (either on the SPDX License List or a custom-defined license);\na single license with an \"or later\" operator applied; the foregoing with\nadditional text applied; or a set of licenses combined by applying \"AND\" and\n\"OR\" operators recursively.", - "rdfs:subClassOf": { - "@id": "core:Element" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/sensor", - "@type": [ - "owl:NamedIndividual", - "dataset:DatasetType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/secureSoftwareAttestation", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/issueTracker", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "core:createdBy", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "CreatedBy identifies who or what created the Element.\nThe generation method will assist the recipient of the Element in assessing\nthe general reliability/accuracy of the analysis information.", - "rdfs:domain": { - "@id": "core:CreationInfo" - }, - "rdfs:range": { - "@id": "core:Agent" - } - }, - { - "@id": 
"https://spdx.org/rdf/v3/Core/RelationshipType/generates", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Security/SsvcDecisionType/track", - "@type": [ - "owl:NamedIndividual", - "security:SsvcDecisionType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/md4", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "core:imports", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Imports provides an ExternalMap of Element identifiers that are used within a document\nbut defined external to that document.", - "rdfs:domain": { - "@id": "core:SpdxDocument" - }, - "rdfs:range": { - "@id": "core:ExternalMap" - } - }, - { - "@id": "core:identifier", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "An identifier uniquely identifies an external element.", - "rdfs:domain": { - "@id": "core:ExternalIdentifier" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/dependsOn", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "core:ProfileIdentifierType", - "@type": "owl:Class", - "ns0:term_status": "Stable", - "owl:oneOf": { - "@list": [ - { - "@id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType/build" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType/usage" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType/extension" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType/software" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType/dataset" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType/ai" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType/core" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType/security" - }, - { - "@id": 
"https://spdx.org/rdf/v3/Core/ProfileIdentifierType/expandedLicensing" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType/simpleLicensing" - } - ] - }, - "rdfs:comment": "There are a set of profiles that have been defined by a profile team.\nA profile consists of a namespace that may add properties and classes to the core profile unique to the domain covered by the profile.\nThe profile may also contain additional restrictions on existing properties and classes defined in other profiles.\nIf the creator of an SPDX collection of elements includes a profile in the list of conformanceProfiles, they are claiming that all contained elements conform to all restrictions defined for that profile." - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/qualityAssessmentReport", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/certificationReport", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/timestamp", - "@type": [ - "owl:NamedIndividual", - "dataset:DatasetType" - ] - }, - { - "@id": "build:buildType", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A buildType is a URI expressing the toolchain, platform, or infrastructure that the build was invoked on. For example, if the build was invoked on GitHub's CI platform using github actions, the buildType can be expressed as `https://github.com/actions`. 
In contrast, if the build was invoked on a local machine, the buildType can be expressed as `file://username@host/path/to/build`.", - "rdfs:domain": { - "@id": "build:Build" - }, - "rdfs:range": { - "@id": "xsd:anyURI" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/model", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/funding", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "expandedlicensing:licenseId", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A licenseId contains a human-readable, short-form license identifier for a\nLicense. It may only include letters, numbers, period (\".\") and hyphen (\"-\")\ncharacters.\n\nFor a ListedLicense, the licenseId will be as specified on the\n[SPDX License List](https://spdx.org/licenses) for the particular license.\n\nFor a CustomLicense, the short-form license identifier must begin with the\nprefix `LicenseRef-` and must be unique within the applicable SPDX namespace.\nThe short-form license ID may be preceded by an SPDX namespace or a\nfully-qualified URI prefix.", - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetAvailabilityType/query", - "@type": [ - "owl:NamedIndividual", - "dataset:DatasetAvailabilityType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/ConfidentialityLevelType/red", - "@type": [ - "owl:NamedIndividual", - "dataset:ConfidentialityLevelType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/test", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/AI/SafetyRiskAssessmentType/medium", - "@type": [ - "owl:NamedIndividual", - "ai:SafetyRiskAssessmentType" - ] - }, - { - "@id": "security:decisionType", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - 
"rdfs:comment": "A decisionType is a mandatory value and must select one of the four entries in the `SsvcDecisionType.md` vocabulary.", - "rdfs:domain": { - "@id": "security:SsvcVulnAssessmentRelationship" - }, - "rdfs:range": { - "@id": "security:SsvcDecisionType" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/audio", - "@type": [ - "owl:NamedIndividual", - "dataset:DatasetType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/LifecycleScopeType/test", - "@type": [ - "owl:NamedIndividual", - "core:LifecycleScopeType" - ] - }, - { - "@id": "build:configSourceUri", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "If a build configuration exists for the toolchain or platform performing the build, the configSourceUri of a build is the URI of that build configuration. For example, a build triggered by a GitHub action is defined by a build configuration YAML file. In this case, the configSourceUri is the URL of that YAML file. \nm", - "rdfs:domain": { - "@id": "build:Build" - }, - "rdfs:range": { - "@id": "xsd:anyURI" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/configures", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sha3_512", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/evidence", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "security:VexNotAffectedVulnAssessmentRelationship", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "VexNotAffectedVulnAssessmentRelationship connects a vulnerability and a number\nof elements designating them as products not affected by the vulnerability.\nThis relationship corresponds to the VEX not_affected status.\n\n**Constraints**\n\nWhen linking elements using a 
VexNotVulnAffectedAssessmentRelationship, the\nfollowing requirements must be observed:\n\n* Relating elements with a VexNotAffectedVulnAssessmentRelationship is restricted\nto the doesNotAffect relationship type.\n* The from: end of the relationship must be a /Security/Vulnerability classed\nelement.\n* Both impactStatement and justificationType properties have a cardinality of\n0..1 making them optional. Nevertheless, to produce a valid VEX not_affected\nstatement, one of them MUST be defined. This is specified in the Minimum Elements\nfor VEX.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexNotAffectedVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-not-affected-1\",\n \"relationshipType\": \"doesNotAffect\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"justificationType\": \"componentNotPresent\",\n \"impactStatement\": \"Not using this vulnerable part of this library.\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", - "rdfs:subClassOf": { - "@id": "security:VexVulnAssessmentRelationship" - }, - "sh:property": [ - { - "@id": "_:Nd2f6d5def34c4b58a08e7e62ef53b78f" - }, - { - "@id": "_:Nefba5969564c493fa2bf87a9ed076dc3" - }, - { - "@id": "_:Ndc9fe2ef76664f02a56c303d7a213505" - } - ] - }, - { - "@id": "_:Nd2f6d5def34c4b58a08e7e62ef53b78f", - "sh:class": { - "@id": "security:VexJustificationType" - }, - "sh:maxCount": 1, - "sh:name": "justificationType", - "sh:path": { - "@id": "security:justificationType" - } - }, - { - "@id": "_:Nefba5969564c493fa2bf87a9ed076dc3", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "impactStatement", - "sh:path": { - "@id": "security:impactStatement" - } - }, - { - "@id": "_:Ndc9fe2ef76664f02a56c303d7a213505", - "sh:datatype": { - "@id": "core:DateTime" - }, - "sh:maxCount": 1, - "sh:name": "impactStatementTime", - "sh:path": 
{ - "@id": "security:impactStatementTime" - } - }, - { - "@id": "software:sbomType", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "This field is a reasonable estimation of the type of SBOM created from a creator perspective.\nIt is intended to be used to give guidance on the elements that may be contained within it.\nAligning with the guidance produced in [Types of Software Bill of Material (SBOM) Documents](https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf).", - "rdfs:domain": { - "@id": "software:Sbom" - }, - "rdfs:range": { - "@id": "software:SbomType" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sha224", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "expandedlicensing:License", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A License represents a license text, whether listed on the SPDX License List\n(ListedLicense) or defined by an SPDX data creator (CustomLicense).", - "rdfs:subClassOf": { - "@id": "expandedlicensing:ExtendableLicense" - }, - "sh:property": [ - { - "@id": "_:N5c58c484c4ad42dba3391897f42d052c" - }, - { - "@id": "_:N7f84cd6221b548acbfd95a13a4192991" - }, - { - "@id": "_:N565573b2dacb4038b4ae829c54a286f2" - }, - { - "@id": "_:N8e144f9103964ff6b15a1293d9368fdc" - }, - { - "@id": "_:Ne4bc5c44380049668f49b47681e7ab20" - }, - { - "@id": "_:N36753ac74e73416bb6a7ee35d85461d9" - }, - { - "@id": "_:Nd09236bb2d2a42a4b0a36040f2250916" - }, - { - "@id": "_:N32f46b9b69ec42c984f849e880669079" - }, - { - "@id": "_:Naf899340650d47f08ef89c078da8d420" - } - ] - }, - { - "@id": "_:N5c58c484c4ad42dba3391897f42d052c", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "/SimpleLicensing/licenseText", - "sh:path": { - "@id": "simplelicensing:licenseText" - } - }, - { - "@id": "_:N7f84cd6221b548acbfd95a13a4192991", - "sh:datatype": { - "@id": 
"xsd:boolean" - }, - "sh:maxCount": 1, - "sh:name": "isOsiApproved", - "sh:path": { - "@id": "expandedlicensing:isOsiApproved" - } - }, - { - "@id": "_:N565573b2dacb4038b4ae829c54a286f2", - "sh:datatype": { - "@id": "xsd:boolean" - }, - "sh:maxCount": 1, - "sh:name": "isFsfLibre", - "sh:path": { - "@id": "expandedlicensing:isFsfLibre" - } - }, - { - "@id": "_:N8e144f9103964ff6b15a1293d9368fdc", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "standardLicenseHeader", - "sh:path": { - "@id": "expandedlicensing:standardLicenseHeader" - } - }, - { - "@id": "_:Ne4bc5c44380049668f49b47681e7ab20", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "standardLicenseTemplate", - "sh:path": { - "@id": "expandedlicensing:standardLicenseTemplate" - } - }, - { - "@id": "_:N36753ac74e73416bb6a7ee35d85461d9", - "sh:datatype": { - "@id": "xsd:boolean" - }, - "sh:maxCount": 1, - "sh:name": "isDeprecatedLicenseId", - "sh:path": { - "@id": "expandedlicensing:isDeprecatedLicenseId" - } - }, - { - "@id": "_:Nd09236bb2d2a42a4b0a36040f2250916", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "obsoletedBy", - "sh:path": { - "@id": "expandedlicensing:obsoletedBy" - } - }, - { - "@id": "_:N32f46b9b69ec42c984f849e880669079", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "licenseXml", - "sh:path": { - "@id": "expandedlicensing:licenseXml" - } - }, - { - "@id": "_:Naf899340650d47f08ef89c078da8d420", - "sh:datatype": { - "@id": "xsd:anyURI" - }, - "sh:name": "seeAlso", - "sh:path": { - "@id": "expandedlicensing:seeAlso" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/urlScheme", - "@type": [ - "owl:NamedIndividual", - "core:ExternalIdentifierType" - ] - }, - { - "@id": "expandedlicensing:isDeprecatedAdditionId", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "The isDeprecatedAdditionId property specifies whether 
an identifier for a\nLicenseAddition has been marked as deprecated. If the property is not defined,\nthen it is presumed to be false (i.e., not deprecated).\n\nIf the LicenseAddition is included on the SPDX Exceptions List, then\nthe `deprecatedVersion` property indicates on which version release of the\nExceptions List it was first marked as deprecated.\n\n\"Deprecated\" in this context refers to deprecating the use of the\n_identifier_, not the underlying license addition. In other words, even if a\nLicenseAddition's author or steward has stated that a particular\nLicenseAddition generally should not be used, that would _not_ mean that the\nLicenseAddition's identifier is \"deprecated.\" Rather, a LicenseAddition\noperator is typically marked as \"deprecated\" when it is determined that use of\nanother identifier is preferable.", - "rdfs:domain": { - "@id": "expandedlicensing:LicenseAddition" - }, - "rdfs:range": { - "@id": "xsd:boolean" - } - }, - { - "@id": "core:comment", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A comment is an optional field for creators of the Element to provide comments\nto the readers/reviewers of the document.", - "rdfs:range": { - "@id": "xsd:string" - }, - "sh:or": { - "@list": [ - { - "@id": "_:Nab0df065e38c4d07b902f0b7691509e0" - } - ] - } - }, - { - "@id": "_:Nab0df065e38c4d07b902f0b7691509e0", - "rdfs:domain": [ - { - "@id": "core:ExternalRef" - }, - { - "@id": "core:ExternalIdentifier" - }, - { - "@id": "core:CreationInfo" - }, - { - "@id": "core:Element" - }, - { - "@id": "core:IntegrityMethod" - } - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasMetadata", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/other", - "@type": [ - "owl:NamedIndividual", - "core:ExternalIdentifierType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/doesNotAffect", - "@type": 
[ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/manifest", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "core:locator", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A locator provides the location of an external reference.", - "rdfs:domain": { - "@id": "core:ExternalRef" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/other", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "core:builtTime", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A builtTime specifies the time an artifact was built.", - "rdfs:domain": { - "@id": "core:Artifact" - }, - "rdfs:range": { - "@id": "core:DateTime" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/PresenceType/yes", - "@type": [ - "owl:NamedIndividual", - "core:PresenceType" - ] - }, - { - "@id": "core:from", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "This field references the Element on the left-hand side of a relationship.", - "rdfs:domain": { - "@id": "core:Relationship" - }, - "rdfs:range": { - "@id": "core:Element" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/coordinatedBy", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "software:additionalPurpose", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Additional purpose provides information about the additional purposes of the software artifact in addition to the primaryPurpose.", - "rdfs:domain": { - "@id": "software:SoftwareArtifact" - }, - "rdfs:range": { - "@id": "software:SoftwarePurpose" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/securityOther", - "@type": [ - "owl:NamedIndividual", - 
"core:ExternalIdentifierType" - ] - }, - { - "@id": "security:withdrawnTime", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Specified the time and date when a vulnerability was withdrawn.", - "rdfs:range": { - "@id": "core:DateTime" - }, - "sh:or": { - "@list": [ - { - "@id": "_:Nc09dae8d5e2f4d839005609a49efb165" - } - ] - } - }, - { - "@id": "_:Nc09dae8d5e2f4d839005609a49efb165", - "rdfs:domain": [ - { - "@id": "security:VulnAssessmentRelationship" - }, - { - "@id": "security:Vulnerability" - } - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/mavenCentral", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipCompleteness/incomplete", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipCompleteness" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/documentation", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType/extension", - "@type": [ - "owl:NamedIndividual", - "core:ProfileIdentifierType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType/usage", - "@type": [ - "owl:NamedIndividual", - "core:ProfileIdentifierType" - ] - }, - { - "@id": "security:modifiedTime", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Specifies a time when a vulnerability assessment was last modified.", - "rdfs:range": { - "@id": "core:DateTime" - }, - "sh:or": { - "@list": [ - { - "@id": "_:N277aed7922f04a4aa0a73eeb95288d88" - } - ] - } - }, - { - "@id": "_:N277aed7922f04a4aa0a73eeb95288d88", - "rdfs:domain": [ - { - "@id": "security:VulnAssessmentRelationship" - }, - { - "@id": "security:Vulnerability" - } - ] - }, - { - "@id": "software:Sbom", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A Software Bill of Materials (SBOM) is 
a collection of SPDX Elements describing a single package.\nThis could include details of the content and composition of the product,\nprovenance details of the product and/or\nits composition, licensing information, known quality or security issues, etc.", - "rdfs:subClassOf": { - "@id": "core:Bom" - }, - "sh:property": { - "@id": "_:Nfa8795ba699b441589d23f939a68eb49" - } - }, - { - "@id": "_:Nfa8795ba699b441589d23f939a68eb49", - "sh:class": { - "@id": "software:SbomType" - }, - "sh:name": "sbomType", - "sh:path": { - "@id": "software:sbomType" - } - }, - { - "@id": "software:contentIdentifier", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "The contentIdentifier provides a canonical, unique, immutable artifact identifier for each software artifact. SPDX 3.0 describes software artifacts as Snippet, File, or Package Elements. The ContentIdentifier can be calculated for any software artifact and can be recorded for any of these SPDX 3.0 Elements using Omnibor, an attempt to standardize how software artifacts are identified independent of which programming language, version control system, build tool, package manager, or software distribution mechanism is in use. \n\nThe contentIdentifier is defined as the [Git Object Identifier](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects) (gitoid) of type `blob` of the software artifact. The use of a git-based version control system is not necessary to calculate a contentIdentifier for any software artifact.\n\nThe gitoid is expressed in the ContentIdentifier property by using the IANA [gitoid URI scheme](https://www.iana.org/assignments/uri-schemes/prov/gitoid).\n\n```\nScheme syntax: gitoid\":\"\":\"\":\"\n```\n\nThe OmniBOR ID for the OmniBOR Document associated with a software artifact should not be recorded in this field. Rather, OmniBOR IDs should be recorded in the SPDX Element's ExternalIdentifier property. 
See [https://omnibor.io](https://omnibor.io) for more details.", - "rdfs:domain": { - "@id": "software:SoftwareArtifact" - }, - "rdfs:range": { - "@id": "xsd:anyURI" - } - }, - { - "@id": "ai:informationAboutTraining", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "InformationAboutTraining describes the specific steps involved in the training of the AI model.\nFor example, it can be specified whether supervised fine-tuning \nor active learning is used as part of training the model.", - "rdfs:domain": { - "@id": "ai:AIPackage" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "core:namespace", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A namespace provides an unambiguous mechanism for conveying a URI fragment portion of an ElementID.", - "rdfs:domain": { - "@id": "core:NamespaceMap" - }, - "rdfs:range": { - "@id": "xsd:anyURI" - } - }, - { - "@id": "core:AnnotationType", - "@type": "owl:Class", - "ns0:term_status": "Stable", - "owl:oneOf": { - "@list": [ - { - "@id": "https://spdx.org/rdf/v3/Core/AnnotationType/other" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/AnnotationType/review" - } - ] - }, - "rdfs:comment": "AnnotationType specifies the type of an annotation." - }, - { - "@id": "security:percentile", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "The percentile between 0 and 1 (0 and 100%) of the current probability score, the proportion of all scored vulnerabilities with the same or a lower EPSS score. 
[https://www.first.org/epss/data_stats](https://www.first.org/epss/data_stats)", - "rdfs:domain": { - "@id": "security:EpssVulnAssessmentRelationship" - }, - "rdfs:range": { - "@id": "xsd:decimal" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/md2", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/numeric", - "@type": [ - "owl:NamedIndividual", - "dataset:DatasetType" - ] - }, - { - "@id": "security:impactStatement", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "When a VEX product element is related with a VexNotAffectedVulnAssessmentRelationship\nand a machine readable justification label is not provided, then an impactStatement\nthat further explains how or why the prouct(s) are not affected by the vulnerability\nmust be provided.", - "rdfs:domain": { - "@id": "security:VexNotAffectedVulnAssessmentRelationship" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/crystalsDilithium", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetAvailabilityType/scrapingScript", - "@type": [ - "owl:NamedIndividual", - "dataset:DatasetAvailabilityType" - ] - }, - { - "@id": "dataset:datasetType", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Type describes the datatype contained in the dataset. 
For example a dataset can be an image dataset for computer vision applications, a text dataset such as the contents of a book or Wikipedia article, or sometimes a multimodal dataset that contains multiple types of data.", - "rdfs:domain": { - "@id": "dataset:Dataset" - }, - "rdfs:range": { - "@id": "dataset:DatasetType" - } - }, - { - "@id": "core:originatedBy", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "OriginatedBy identifies from where or whom the Element originally came.", - "rdfs:domain": { - "@id": "core:Artifact" - }, - "rdfs:range": { - "@id": "core:Agent" - } - }, - { - "@id": "core:ExternalRef", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "An External Reference points to a resource outside the scope of the SPDX-3.0 content\nthat provides additional characteristics of an Element.", - "rdfs:subClassOf": { - "@id": "owl:Thing" - }, - "sh:property": [ - { - "@id": "_:N47daadb4abba4ad5a1454634b820e094" - }, - { - "@id": "_:N9471e33ce2e646e68724109d01709c21" - }, - { - "@id": "_:Nb33a75a67a604960a4aeecb5a4939cbe" - }, - { - "@id": "_:N7001a8dde6d64575afe66db6a86d2b88" - } - ] - }, - { - "@id": "_:N47daadb4abba4ad5a1454634b820e094", - "sh:class": { - "@id": "core:ExternalRefType" - }, - "sh:maxCount": 1, - "sh:name": "externalRefType", - "sh:path": { - "@id": "core:externalRefType" - } - }, - { - "@id": "_:N9471e33ce2e646e68724109d01709c21", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:name": "locator", - "sh:path": { - "@id": "core:locator" - } - }, - { - "@id": "_:Nb33a75a67a604960a4aeecb5a4939cbe", - "sh:datatype": { - "@id": "core:MediaType" - }, - "sh:maxCount": 1, - "sh:name": "contentType", - "sh:path": { - "@id": "core:contentType" - } - }, - { - "@id": "_:N7001a8dde6d64575afe66db6a86d2b88", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "comment", - "sh:path": { - "@id": "core:comment" - } - }, - { - "@id": 
"simplelicensing:customIdToUri", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Within a License Expression, references can be made to a Custom License or a Custom License Addition.\nThe License Expression syntax dictates any refence starting with a \"LicenseRef-\" or \"AdditionRef-\" refers to license or addition text not found in the SPDX list of licenses.\nThese custom licenses must be a CustomLicense, a CustomLicenseAddtion, or a SimpleLicensingText which are identified with a unique URI identifier.\nThe key for the DictionaryEntry is the string used in the license expression and the value is the URI for the corrosponding CustomLicense, CustomLicenseAddition, or SimpleLicensingText.", - "rdfs:domain": { - "@id": "simplelicensing:LicenseExpression" - }, - "rdfs:range": { - "@id": "core:DictionaryEntry" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/PresenceType/noAssertion", - "@type": [ - "owl:NamedIndividual", - "core:PresenceType" - ] - }, - { - "@id": "security:VexVulnAssessmentRelationship", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "VexVulnAssessmentRelationship is an abstract subclass that defined the common\nproperties shared by all the SPDX-VEX status relationships. \n\n**Constraints**\n\nWhen linking elements using a VexVulnAssessmentRelationship, the following\nrequirements must be observed:\n\n- The from: end must be a /Security/Vulnerability classed element\n- The to: end must point to elements representing the VEX _products_. To\nspecify a different element where the vulnerability was detected, the VEX\nrelationship can optionally specify _subcomponents_ using the assessedElement\nproperty.\n\nVEX inherits information from the document level down to its statements. When a\nstatement is missing information it can be completed by reading the equivalent \nfield from the containing document. 
For example, if a VEX relationship is\nmissing data in its createdBy property, tools must consider the entity\nlisted in the CreationInfo section of the document as the VEX author.\nIn the same way, when a VEX relationship does not have a created property,\nthe document's date must be considered as authoritative.", - "rdfs:subClassOf": { - "@id": "security:VulnAssessmentRelationship" - }, - "sh:property": [ - { - "@id": "_:Na66da69a0e1847d0a6e1afe9a5ff64aa" - }, - { - "@id": "_:N70c5dcfa70fa468187681420b14191eb" - } - ] - }, - { - "@id": "_:Na66da69a0e1847d0a6e1afe9a5ff64aa", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "vexVersion", - "sh:path": { - "@id": "security:vexVersion" - } - }, - { - "@id": "_:N70c5dcfa70fa468187681420b14191eb", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "statusNotes", - "sh:path": { - "@id": "security:statusNotes" - } - }, - { - "@id": "core:NamespaceMap", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A namespace map allows the creator of a collection of Elements that could be serialized to suggest \na set of shorter identifiers (\"prefixes\") for particular namespace portions \nof ElementIDs to be used in SPDX content serialization in order to provide a more\nhuman-readable and smaller serialized representation of the Elements.\n\nFor details of how NamespaceMap content is to be serialized please refer to general SPDX serialization guidance at https://spdx.github.io/spdx-3-model/serialization/readme.md and the various serialization format specific .md filed under https://spdx.github.io/spdx-3-model/serialization/ (TODO: update the URLs as soon as the context is publicly available)\n\nNamespace maps support a variety of relevant use cases such as:\n\n<<<<<<< HEAD\n1) An SPDX content producer wishing to provide clarity of their serialization of an SPDX 2.X simple style collection where all content is newly minted and 
a single prefix-namespace is used. The consumer of SPDX content wishes to preserve the name space mapping provided by such a producer. In this case, the consumer would record the namespace map prefixes in the NamespaceMap such that subsequent serializations could reproduce the prefixes / namespaces in the native serialization format.\n2) An SPDX content producer wishing to maintain consistent prefix use and understanding across multiple different serialization formats of the produced content.\n For example, an SBOM producer wishes to share/publish the SBOM as JSON-LD and XML. The producer can specify the preferred prefix mappings in the native serialization format using information from a single Namespacemap accessible local to the producer.\n3) An SPDX content consumer/producer wishing to maintain consistent prefix use while round tripping from SPDX content received, deserialized, modified/extended in some way, and then reserialized in the same serialization form.\n In this case the prefix-namespace mappings utilized in the content are transformed from the original native namespace/prefix into the in memory NamespaceMap then transformed from the NamespaceMap back into the resultant serialization native namespace / prefix format.", - "sh:property": [ - { - "@id": "_:Nd3c23004a20442d0b980d3227b137dad" - }, - { - "@id": "_:Nf78a1fd44fe9479cb8d815dbda9201ff" - } - ] - }, - { - "@id": "_:Nd3c23004a20442d0b980d3227b137dad", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "prefix", - "sh:path": { - "@id": "core:prefix" - } - }, - { - "@id": "_:Nf78a1fd44fe9479cb8d815dbda9201ff", - "sh:datatype": { - "@id": "xsd:anyURI" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "namespace", - "sh:path": { - "@id": "core:namespace" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/other", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": 
"https://spdx.org/rdf/v3/Core/RelationshipType/underInvestigationFor", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "security:VexAffectedVulnAssessmentRelationship", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "VexAffectedVulnAssessmentRelationship connects a vulnerability and a number\nof elements. The relationship marks these elements as products affected by the\nvulnerability. This relationship corresponds to the VEX affected status.\n\n**Constraints**\n\nWhen linking elements using a VexAffectedVulnAssessmentRelationship, the\nfollowing requirements must be observed:\n\n- Elements linked with a VulnVexAffectedAssessmentRelationship are constrained\nto the affects relationship type.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"VexAffectedVulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:vex-affected-1\",\n \"relationshipType\": \"affects\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"actionStatement\": \"Upgrade to version 1.4 of ACME application.\",\n \"suppliedBy\": [\"urn:spdx.dev:agent-jane-doe\"],\n \"publishedTime\": \"2021-03-09T11:04:53Z\"\n}\n```", - "rdfs:subClassOf": { - "@id": "security:VexVulnAssessmentRelationship" - }, - "sh:property": [ - { - "@id": "_:Ndb3f13a7618e493ba68fa6968e41ff4e" - }, - { - "@id": "_:Nfe9f99b432b54e10aa7163ae7ef034c3" - } - ] - }, - { - "@id": "_:Ndb3f13a7618e493ba68fa6968e41ff4e", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "actionStatement", - "sh:path": { - "@id": "security:actionStatement" - } - }, - { - "@id": "_:Nfe9f99b432b54e10aa7163ae7ef034c3", - "sh:datatype": { - "@id": "core:DateTime" - }, - "sh:name": "actionStatementTime", - "sh:path": { - "@id": "security:actionStatementTime" - } - }, - { - "@id": "software:Snippet", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], 
- "ns0:term_status": "Stable", - "rdfs:comment": "A Snippet describes a certain part of a file and can be used when the file is known to have some content\nthat has been included from another original source. Snippets are useful for denoting when part of a file\nmay have been originally created under another license or copied from a place with a known vulnerability.", - "rdfs:subClassOf": { - "@id": "software:SoftwareArtifact" - }, - "sh:property": [ - { - "@id": "_:Nf4f0b71932a64f54b0c8ad7d614dcb2f" - }, - { - "@id": "_:N7f854de6fd2d4b5dbcf2bdc79674111f" - }, - { - "@id": "_:N8ecb0dadefa840d79f58a1a6b3af3e99" - } - ] - }, - { - "@id": "_:Nf4f0b71932a64f54b0c8ad7d614dcb2f", - "sh:class": { - "@id": "core:PositiveIntegerRange" - }, - "sh:maxCount": 1, - "sh:name": "byteRange", - "sh:path": { - "@id": "software:byteRange" - } - }, - { - "@id": "_:N7f854de6fd2d4b5dbcf2bdc79674111f", - "sh:class": { - "@id": "core:PositiveIntegerRange" - }, - "sh:maxCount": 1, - "sh:name": "lineRange", - "sh:path": { - "@id": "software:lineRange" - } - }, - { - "@id": "_:N8ecb0dadefa840d79f58a1a6b3af3e99", - "sh:class": { - "@id": "software:File" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "snippetFromFile", - "sh:path": { - "@id": "software:snippetFromFile" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/specification", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/npm", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "security:impactStatementTime", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "TODO", - "rdfs:domain": { - "@id": "security:VexNotAffectedVulnAssessmentRelationship" - }, - "rdfs:range": { - "@id": "core:DateTime" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/noAssertion", - "@type": [ - "owl:NamedIndividual", - "dataset:DatasetType" - ] - }, - { - 
"@id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType/build", - "@type": [ - "owl:NamedIndividual", - "core:ProfileIdentifierType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/patchedBy", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "expandedlicensing:isFsfLibre", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "isFsfLibre specifies whether the [Free Software Foundation FSF](https://fsf.org)\nhas listed this License as \"free\" in their commentary on licenses, located at\nthe time of this writing at https://www.gnu.org/licenses/license-list.en.html.\n\nA value of \"true\" indicates that the license is in the list of licenses that FSF publishes as libre.\n\nA value of \"false\" indicates that the license is explicitly not in the corresponding list of FSF libre licenses (e.g., FSF has the license on a non-free list).\n\nIf the isFsfLibre field is not specified, the SPDX data creator makes no\nassertions about whether the License is listed in the FSF's commentary.", - "rdfs:domain": { - "@id": "expandedlicensing:License" - }, - "rdfs:range": { - "@id": "xsd:boolean" - } - }, - { - "@id": "expandedlicensing:additionId", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "An additionId contains a human-readable, short-form identifier for a\nLicenseAddition. 
It may only include letters, numbers, period (\".\") and\nhyphen (\"-\") characters.\n\nFor a ListedLicenseException, the licenseId will be as specified on the\n[SPDX Exceptions List](https://spdx.org/licenses/exceptions-index.html) for the\nparticular exception.\n\nFor a CustomLicenseAddition, the short-form identifier must begin with the\nprefix `AdditionRef-` and must be unique within the applicable SPDX namespace.\nThe short-form identifier may be preceded by an SPDX namespace or a\nfully-qualified URI prefix.", - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "dataset:datasetAvailability", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Some datasets are publicly available and can be downloaded directly. Others are only accessible behind a clickthrough, or after filling a registration form. This field will describe the dataset availability from that perspective.", - "rdfs:domain": { - "@id": "dataset:Dataset" - }, - "rdfs:range": { - "@id": "dataset:DatasetAvailabilityType" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/componentAnalysisReport", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "security:catalogType", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A catalogType is a mandatory value and must select one of the two entries in the `ExploitCatalogType.md` vocabulary.", - "rdfs:domain": { - "@id": "security:ExploitCatalogVulnAssessmentRelationship" - }, - "rdfs:range": { - "@id": "security:ExploitCatalogType" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/support", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "core:created", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Created is a date that identifies when the Element was originally created.\nThe time stamp can serve as an indication as to whether the analysis 
needs to be updated. This is often the date of last change (e.g., a git commit date), not the date when the SPDX data was created, as doing so supports reproducible builds.", - "rdfs:domain": { - "@id": "core:CreationInfo" - }, - "rdfs:range": { - "@id": "core:DateTime" - } - }, - { - "@id": "simplelicensing:LicenseExpression", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "Often a single license can be used to represent the licensing terms of a source code or binary file, but there are situations where a single license identifier is not sufficient. A common example is when software is offered under a choice of one or more licenses (e.g., GPL-2.0-only OR BSD-3-Clause). Another example is when a set of licenses is needed to represent a binary program constructed by compiling and linking two (or more) different source files each governed by different licenses (e.g., LGPL-2.1-only AND BSD-3-Clause).\n\nSPDX License Expressions provide a way for one to construct expressions that more accurately represent the licensing terms typically found in open source software source code. A license expression could be a single license identifier found on the SPDX License List; a user defined license reference denoted by the LicenseRef-idString; a license identifier combined with an SPDX exception; or some combination of license identifiers, license references and exceptions constructed using a small set of defined operators (e.g., AND, OR, WITH and +). 
We provide the definition of what constitutes a valid an SPDX License Expression in this section.", - "rdfs:subClassOf": { - "@id": "simplelicensing:AnyLicenseInfo" - }, - "sh:property": [ - { - "@id": "_:N601a95259e3148bf910abe8a79fac727" - }, - { - "@id": "_:N04048fd78a1141b98e72ac1de17a312f" - }, - { - "@id": "_:N733fb026a24245e8b9186476a12efa1d" - } - ] - }, - { - "@id": "_:N601a95259e3148bf910abe8a79fac727", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "licenseExpression", - "sh:path": { - "@id": "simplelicensing:licenseExpression" - } - }, - { - "@id": "_:N04048fd78a1141b98e72ac1de17a312f", - "sh:datatype": { - "@id": "core:SemVer" - }, - "sh:maxCount": 1, - "sh:name": "licenseListVersion", - "sh:path": { - "@id": "simplelicensing:licenseListVersion" - } - }, - { - "@id": "_:N733fb026a24245e8b9186476a12efa1d", - "sh:class": { - "@id": "core:DictionaryEntry" - }, - "sh:name": "customIdToUri", - "sh:path": { - "@id": "simplelicensing:customIdToUri" - } - }, - { - "@id": "core:HashAlgorithm", - "@type": "owl:Class", - "ns0:term_status": "Stable", - "owl:oneOf": { - "@list": [ - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sha3_512" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/md2" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/blake2b256" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/md6" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/crystalsDilithium" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sha224" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/blake2b512" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sha3_256" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sha384" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/md5" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sha512" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/md4" - 
}, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sha1" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/crystalsKyber" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sha3_384" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/blake3" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/falcon" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sphincsPlus" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sha3_224" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/other" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/sha256" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/spdxPvcSha256" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/blake2b384" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/spdxPvcSha1" - } - ] - }, - "rdfs:comment": "A HashAlgorithm is a mathematical algorithm that maps data of arbitrary size to a bit string (the hash)\nand is a one-way function, that is, a function which is practically infeasible to invert." - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/copiedTo", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "ai:metric", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Metric records the measurement with which the AI model was evaluated. 
\nThis makes statements about the prediction quality including uncertainty,\naccuracy, characteristics of the tested population, quality, fairness, explainability, robustness etc.", - "rdfs:domain": { - "@id": "ai:AIPackage" - }, - "rdfs:range": { - "@id": "core:DictionaryEntry" - } - }, - { - "@id": "expandedlicensing:obsoletedBy", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "An obsoletedBy value for a deprecated License or LicenseAddition specifies\nthe licenseId of the replacement License or LicenseAddition that is preferred\nto be used in its place. It should use the same format as specified for a\nlicenseId.\n\nThe License's or LicenseAddition's comment value may include more information\nabout the reason why the licenseId specified in the obsoletedBy value is\npreferred.", - "rdfs:range": { - "@id": "xsd:string" - }, - "sh:or": { - "@list": [ - { - "@id": "_:Ned21e0a941b241e483a5799797308799" - } - ] - } - }, - { - "@id": "_:Ned21e0a941b241e483a5799797308799", - "rdfs:domain": [ - { - "@id": "expandedlicensing:LicenseAddition" - }, - { - "@id": "expandedlicensing:License" - } - ] - }, - { - "@id": "expandedlicensing:listVersionAdded", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A listVersionAdded for a ListedLicense or ListedLicenseException on the SPDX\nLicense List specifies which version release of the License List was the first\none in which it was included.", - "rdfs:range": { - "@id": "xsd:string" - }, - "sh:or": { - "@list": [ - { - "@id": "_:Na03ddb753ced428990a6fc48bf1e4daf" - } - ] - } - }, - { - "@id": "_:Na03ddb753ced428990a6fc48bf1e4daf", - "rdfs:domain": [ - { - "@id": "expandedlicensing:ListedLicense" - }, - { - "@id": "expandedlicensing:ListedLicenseException" - } - ] - }, - { - "@id": "expandedlicensing:licenseXml", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "The license XML format is defined and used by the SPDX legal 
team.\nSee the XML fields defined at https://github.com/spdx/license-list-XML/blob/main/DOCS/xml-fields.md for a text description.\nThere is also an XML schema available at https://github.com/spdx/license-list-XML/blob/main/schema/ListedLicense.xsd.", - "rdfs:range": { - "@id": "xsd:string" - }, - "sh:or": { - "@list": [ - { - "@id": "_:Nd2b47311fba041a7b7b0fa248919ba91" - } - ] - } - }, - { - "@id": "_:Nd2b47311fba041a7b7b0fa248919ba91", - "rdfs:domain": [ - { - "@id": "expandedlicensing:LicenseAddition" - }, - { - "@id": "expandedlicensing:License" - } - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/AnnotationType/other", - "@type": [ - "owl:NamedIndividual", - "core:AnnotationType" - ] - }, - { - "@id": "security:vectorString", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Specifies any combination of the CVSS Base, Temporal, Threat, Environmental, and/or Supplemental vector string values for a vulnerability. Supports vectorStrings specified in all CVSS versions.\n\n**Constraints**\n\nString values for the vectorString range must only include the abbreviated form of metric names specified in CVSS specifications, e.g. 
[https://www.first.org/cvss/v4.0/specification-document#Vector-String](https://www.first.org/cvss/v4.0/specification-document#Vector-String)", - "rdfs:range": { - "@id": "xsd:string" - }, - "sh:or": { - "@list": [ - { - "@id": "_:N416239e10a474d589d24cf16c750f842" - } - ] - } - }, - { - "@id": "_:N416239e10a474d589d24cf16c750f842", - "rdfs:domain": [ - { - "@id": "security:CvssV2VulnAssessmentRelationship" - }, - { - "@id": "security:CvssV4VulnAssessmentRelationship" - }, - { - "@id": "security:CvssV3VulnAssessmentRelationship" - } - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasEvidence", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "dataset:datasetSize", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "DatasetSize Captures how large a dataset is.\nThe size is to be measured in bytes.", - "rdfs:domain": { - "@id": "dataset:Dataset" - }, - "rdfs:range": { - "@id": "xsd:nonNegativeInteger" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/packageUrl", - "@type": [ - "owl:NamedIndividual", - "core:ExternalIdentifierType" - ] - }, - { - "@id": "software:SoftwarePurpose", - "@type": "owl:Class", - "ns0:term_status": "Stable", - "owl:oneOf": { - "@list": [ - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/evidence" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/executable" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/patch" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/configuration" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/platform" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/install" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/framework" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/application" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/data" - 
}, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/deviceDriver" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/library" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/device" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/manifest" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/file" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/requirement" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/source" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/operatingSystem" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/other" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/bom" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/module" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/specification" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/model" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/diskImage" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/documentation" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/archive" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/firmware" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/container" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/filesystemImage" - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/test" - } - ] - }, - "rdfs:comment": "This field provides information about the primary purpose of an Element.\nSoftware Purpose is intrinsic to how the Element is being used rather than the content of the Element.\nThis field is a reasonable estimate of the most likely usage of the Element\nfrom the producer and consumer perspective from which both parties can draw conclusions\nabout the context in which the Element exists." 
- }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/usesTool", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType/software", - "@type": [ - "owl:NamedIndividual", - "core:ProfileIdentifierType" - ] - }, - { - "@id": "security:score", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "The score provides information on the severity of a vulnerability per the\nCommon Vulnerability Scoring System as defined on [https://www.first.org/cvss](https://www.first.org/cvss/).", - "rdfs:range": { - "@id": "xsd:decimal" - }, - "sh:or": { - "@list": [ - { - "@id": "_:N9222ac8a6bdc41f0be4f5280f56b9141" - } - ] - } - }, - { - "@id": "_:N9222ac8a6bdc41f0be4f5280f56b9141", - "rdfs:domain": [ - { - "@id": "security:CvssV2VulnAssessmentRelationship" - }, - { - "@id": "security:CvssV4VulnAssessmentRelationship" - }, - { - "@id": "security:CvssV3VulnAssessmentRelationship" - } - ] - }, - { - "@id": "dataset:ConfidentialityLevelType", - "@type": "owl:Class", - "ns0:term_status": "Stable", - "owl:oneOf": { - "@list": [ - { - "@id": "https://spdx.org/rdf/v3/Dataset/ConfidentialityLevelType/clear" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/ConfidentialityLevelType/amber" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/ConfidentialityLevelType/green" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/ConfidentialityLevelType/red" - } - ] - }, - "rdfs:comment": "Describes the different confidentiality levels as given by the [Traffic Light Protocol](https://en.wikipedia.org/wiki/Traffic_Light_Protocol)." 
- }, - { - "@id": "https://spdx.org/rdf/v3/Security/VexJustificationType/vulnerableCodeNotInExecutePath", - "@type": [ - "owl:NamedIndividual", - "security:VexJustificationType" - ] - }, - { - "@id": "dataset:DatasetType", - "@type": "owl:Class", - "ns0:term_status": "Stable", - "owl:oneOf": { - "@list": [ - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/noAssertion" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/syntactic" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/audio" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/graph" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/image" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/video" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/numeric" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/structured" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/sensor" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/text" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/timeseries" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/timestamp" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/other" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/categorical" - } - ] - }, - "rdfs:comment": "Describes the different structures of data within a given dataset. A dataset can have multiple types of data, or even a single type of data but still match multiple types, for example sensor data could also be timeseries or labeled image data could also be considered categorical." 
- }, - { - "@id": "security:CvssV2VulnAssessmentRelationship", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A CvssV2VulnAssessmentRelationship relationship describes the determined score and vector of a vulnerability using version 2.0 of the Common Vulnerability Scoring System (CVSS) as defined at [https://www.first.org/cvss/v2/guide](https://www.first.org/cvss/v2/guide). It is intended to communicate the results of using a CVSS calculator.\n\n**Constraints**\n\n- The relationship type must be set to `hasAssessmentFor`.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"CvssV2VulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:cvssv2-cve-2020-28498\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"score\": 4.3,\n \"vectorString\": \"(AV:N/AC:M/Au:N/C:P/I:N/A:N)\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"externalRefs\": [\n {\n \"@type\": \"ExternalRef\",\n \"externalRefType\": \"securityAdvisory\",\n \"locator\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalRef\",\n \"externalRefType\": \"securityAdvisory\",\n \"locator\": \"https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899\"\n },\n {\n \"@type\": \"ExternalRef\",\n \"externalRefType\": \"securityFix\",\n \"locator\": \"https://github.com/indutny/elliptic/commit/441b742\"\n }\n ],\n \"suppliedBy\": [\"urn:spdx.dev:agent-my-security-vendor\"],\n \"publishedTime\": \"2023-05-06T10:06:13Z\"\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnAgentRel-1\", \n \"relationshipType\": \"publishedBy\", \n \"from\": \"urn:spdx.dev:cvssv2-cve-2020-28498\",\n \"to\": [\"urn:spdx.dev:agent-snyk\"],\n \"startTime\": \"2021-03-08T16:06:50Z\"\n}\n```", - "rdfs:subClassOf": { - "@id": "security:VulnAssessmentRelationship" - }, - "sh:property": [ - { - "@id": "_:N94bef76b60f945488276874ef684c3a4" - }, - { - "@id": 
"_:N7210fdb2635b4c16904252059130d554" - } - ] - }, - { - "@id": "_:N94bef76b60f945488276874ef684c3a4", - "sh:datatype": { - "@id": "xsd:decimal" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "score", - "sh:path": { - "@id": "security:score" - } - }, - { - "@id": "_:N7210fdb2635b4c16904252059130d554", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "vectorString", - "sh:path": { - "@id": "security:vectorString" - } - }, - { - "@id": "core:begin", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "begin is a positive integer that defines the beginning of a range.", - "rdfs:domain": { - "@id": "core:PositiveIntegerRange" - }, - "rdfs:range": { - "@id": "xsd:positiveInteger" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/mailingList", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/binaryArtifact", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/vulnerabilityExploitabilityAssessment", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/swhid", - "@type": [ - "owl:NamedIndividual", - "core:ExternalIdentifierType" - ] - }, - { - "@id": "core:startTime", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A startTime specifies the time from which element is applicable / valid.", - "rdfs:domain": { - "@id": "core:Relationship" - }, - "rdfs:range": { - "@id": "core:DateTime" - } - }, - { - "@id": "software:packageUrl", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A packageUrl (commonly pronounced and referred to as \"purl\") is an attempt to standardize package representations in order to reliably identify and locate software packages. 
A purl is a URL string which represents a package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.\n\nthe purl URL string is defined by seven components:\n```\nscheme:type/namespace/name@version?qualifiers#subpath\n```\n\nThe definition for each component can be found in the [purl specification](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst). Components are designed such that they form a hierarchy from the most significant on the left to the least significant components on the right. \n\nParsing a purl string into its components works from left to right. Some extra type-specific normalizations are required. For more information, see [How to parse a purl string in its components](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#how-to-parse-a-purl-string-in-its-components).", - "rdfs:domain": { - "@id": "software:Package" - }, - "rdfs:range": { - "@id": "xsd:anyURI" - } - }, - { - "@id": "ai:energyConsumption", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "EnergyConsumption captures the amount of energy needed to train and operate the AI model. 
\nThis value is also known as training energy consumption or inference energy consumption.", - "rdfs:domain": { - "@id": "ai:AIPackage" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "software:SoftwareArtifact", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A software artifact is a distinct article or unit related to software\nsuch as a package, a file, or a snippet.", - "rdfs:subClassOf": { - "@id": "core:Artifact" - }, - "sh:property": [ - { - "@id": "_:N040500a47529433c832301ae4c42330b" - }, - { - "@id": "_:N9f6279cdfba04861a1f15940f8e24d46" - }, - { - "@id": "_:N9db9cda2723144d799fe37ba62dc5979" - }, - { - "@id": "_:N56ddc8e46f2c4231ad56be9295263890" - }, - { - "@id": "_:N375255b37e0247be80778ce0533305c1" - } - ] - }, - { - "@id": "_:N040500a47529433c832301ae4c42330b", - "sh:datatype": { - "@id": "xsd:anyURI" - }, - "sh:maxCount": 1, - "sh:name": "contentIdentifier", - "sh:path": { - "@id": "software:contentIdentifier" - } - }, - { - "@id": "_:N9f6279cdfba04861a1f15940f8e24d46", - "sh:class": { - "@id": "software:SoftwarePurpose" - }, - "sh:maxCount": 1, - "sh:name": "primaryPurpose", - "sh:path": { - "@id": "software:primaryPurpose" - } - }, - { - "@id": "_:N9db9cda2723144d799fe37ba62dc5979", - "sh:class": { - "@id": "software:SoftwarePurpose" - }, - "sh:name": "additionalPurpose", - "sh:path": { - "@id": "software:additionalPurpose" - } - }, - { - "@id": "_:N56ddc8e46f2c4231ad56be9295263890", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "copyrightText", - "sh:path": { - "@id": "software:copyrightText" - } - }, - { - "@id": "_:N375255b37e0247be80778ce0533305c1", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:name": "attributionText", - "sh:path": { - "@id": "software:attributionText" - } - }, - { - "@id": "security:exploited", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "This field is set when a CVE is listed 
in an exploit catalog.", - "rdfs:domain": { - "@id": "security:ExploitCatalogVulnAssessmentRelationship" - }, - "rdfs:range": { - "@id": "xsd:boolean" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/video", - "@type": [ - "owl:NamedIndividual", - "dataset:DatasetType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/productMetadata", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "core:identifierLocator", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A identifierLocator is TODO", - "rdfs:domain": { - "@id": "core:ExternalIdentifier" - }, - "rdfs:range": { - "@id": "xsd:anyURI" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType/expandedLicensing", - "@type": [ - "owl:NamedIndividual", - "core:ProfileIdentifierType" - ] - }, - { - "@id": "dataset:sensor", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Sensor describes a sensor that was used for collecting the data\nand its calibration value as a key-value pair.", - "rdfs:domain": { - "@id": "dataset:Dataset" - }, - "rdfs:range": { - "@id": "core:DictionaryEntry" - } - }, - { - "@id": "core:externalSpdxId", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "ExternalSpdxId identifies an external Element used within a Document but defined external to that Document.", - "rdfs:domain": { - "@id": "core:ExternalMap" - }, - "rdfs:range": { - "@id": "xsd:anyURI" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/packagedBy", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/data", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "software:Package", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A package refers to any unit of 
content that can be associated with a distribution of software.\nTypically, a package is composed of one or more files. \nAny of the following non-limiting examples may be (but are not required to be) represented in SPDX as a package:\n\n - a tarball, zip file or other archive\n - a directory or sub-directory\n - a separately distributed piece of software which another Package or File uses or depends upon (e.g., a Python package, a Go module, ...)\n - a container image, and/or each image layer within a container image\n - a collection of one or more sub-packages\n - a Git repository snapshot from a particular point in time\n\nNote that some of these could be represented in SPDX as a file as well.\nExternal property restriction on /Core/Element/name: minCount: 1", - "rdfs:subClassOf": { - "@id": "software:SoftwareArtifact" - }, - "sh:property": [ - { - "@id": "_:Na8bfbf2ab0c14af0a42f5598de634514" - }, - { - "@id": "_:N381e0af50be8420a96fbf6d650e9469d" - }, - { - "@id": "_:Ndcf48cc73dfd40d6b6ae1229f7c782b7" - }, - { - "@id": "_:N25bd6e6bb56949fb813192d6ce4259ab" - }, - { - "@id": "_:N91bd6493414d463ca6d2ca446d3a9dc4" - } - ] - }, - { - "@id": "_:Na8bfbf2ab0c14af0a42f5598de634514", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "packageVersion", - "sh:path": { - "@id": "software:packageVersion" - } - }, - { - "@id": "_:N381e0af50be8420a96fbf6d650e9469d", - "sh:datatype": { - "@id": "xsd:anyURI" - }, - "sh:maxCount": 1, - "sh:name": "downloadLocation", - "sh:path": { - "@id": "software:downloadLocation" - } - }, - { - "@id": "_:Ndcf48cc73dfd40d6b6ae1229f7c782b7", - "sh:datatype": { - "@id": "xsd:anyURI" - }, - "sh:maxCount": 1, - "sh:name": "packageUrl", - "sh:path": { - "@id": "software:packageUrl" - } - }, - { - "@id": "_:N25bd6e6bb56949fb813192d6ce4259ab", - "sh:datatype": { - "@id": "xsd:anyURI" - }, - "sh:maxCount": 1, - "sh:name": "homePage", - "sh:path": { - "@id": "software:homePage" - } - }, - { - "@id": 
"_:N91bd6493414d463ca6d2ca446d3a9dc4", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "sourceInfo", - "sh:path": { - "@id": "software:sourceInfo" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/descendantOf", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "core:context", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A context gives information about the circumstances or unifying properties\nthat Elements of the bundle have been assembled under.", - "rdfs:domain": { - "@id": "core:Bundle" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/availableFrom", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "software:File", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "Refers to any object that stores content on a computer.\nThe type of content can optionally be provided in the contentType property.\nExternal property restriction on /Core/Element/name: minCount: 1", - "rdfs:subClassOf": { - "@id": "software:SoftwareArtifact" - }, - "sh:property": { - "@id": "_:N664e822c85b2437a810a504ce608dd8b" - } - }, - { - "@id": "_:N664e822c85b2437a810a504ce608dd8b", - "sh:datatype": { - "@id": "core:MediaType" - }, - "sh:maxCount": 1, - "sh:name": "contentType", - "sh:path": { - "@id": "software:contentType" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/device", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "security:SsvcDecisionType", - "@type": "owl:Class", - "ns0:term_status": "Stable", - "owl:oneOf": { - "@list": [ - { - "@id": "https://spdx.org/rdf/v3/Security/SsvcDecisionType/trackStar" - }, - { - "@id": "https://spdx.org/rdf/v3/Security/SsvcDecisionType/attend" - }, - { - "@id": 
"https://spdx.org/rdf/v3/Security/SsvcDecisionType/track" - }, - { - "@id": "https://spdx.org/rdf/v3/Security/SsvcDecisionType/act" - } - ] - }, - "rdfs:comment": "SsvcDecisionType specifies the type of decision that's been made according to the Stakeholder-Specific Vulnerability Categorization (SSVC) system [https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc)" - }, - { - "@id": "security:justificationType", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "When stating that an element is not affected by a vulnerability, the\nVexNotAffectedVulnAssessmentRelationship must include a justification from the\nmachine-readable labels catalog informing the reason the element is not impacted.\n\nimpactStatement which is a string with English prose can be used instead or as\ncomplementary to the justification label, but one of both MUST be defined.", - "rdfs:domain": { - "@id": "security:VexNotAffectedVulnAssessmentRelationship" - }, - "rdfs:range": { - "@id": "security:VexJustificationType" - } - }, - { - "@id": "security:Vulnerability", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "Specifies a vulnerability and its associated information.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"Vulnerability\",\n \"@id\": \"urn:spdx.dev:vuln-1\",\n \"summary\": \"Use of a Broken or Risky Cryptographic Algorithm\",\n \"description\": \"The npm package `elliptic` before version 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. 
This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.\", \n \"modified\": \"2021-03-08T16:02:43Z\",\n \"published\": \"2021-03-08T16:06:50Z\",\n \"externalIdentifiers\": [\n {\n \"@type\": \"ExternalIdentifier\",\n \"externalIdentifierType\": \"cve\",\n \"identifier\": \"CVE-2020-2849\",\n \"identifierLocator\": [\n \"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498\",\n \"https://www.cve.org/CVERecord?id=CVE-2020-28498\"\n ],\n \"issuingAuthority\": \"urn:spdx.dev:agent-cve.org\"\n },\n {\n \"type\": \"ExternalIdentifier\",\n \"externalIdentifierType\": \"securityOther\",\n \"identifier\": \"GHSA-r9p9-mrjm-926w\",\n \"identifierLocator\": \"https://github.com/advisories/GHSA-r9p9-mrjm-926w\"\n },\n {\n \"type\": \"ExternalIdentifier\",\n \"externalIdentifierType\": \"securityOther\",\n \"identifier\": \"SNYK-JS-ELLIPTIC-1064899\",\n \"identifierLocator\": \"https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899\"\n }\n ],\n \"externalRefs\": [\n {\n \"@type\": \"ExternalRef\",\n \"externalRefType\": \"securityAdvisory\",\n \"locator\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalRef\",\n \"externalRefType\": \"securityAdvisory\",\n \"locator\": \"https://ubuntu.com/security/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalRef\",\n \"externalRefType\": \"securityOther\",\n \"locator\": \"https://github.com/indutny/elliptic/pull/244/commits\"\n },\n {\n \"@type\": \"ExternalRef\",\n \"externalRefType\": \"securityOther\",\n \"locator\": \"https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md\"\n }\n ]\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnRelationship-1\",\n \"relationshipType\": \"hasAssociatedVulnerability\",\n \"from\": \"urn:npm-elliptic-6.5.2\",\n \"to\": [\"urn:spdx.dev:vuln-1\"],\n \"startTime\": \"2021-03-08T16:06:50Z\"\n},\n{\n 
\"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnAgentRel-1\", \n \"relationshipType\": \"publishedBy\", \n \"from\": \"urn:spdx.dev:vuln-1\",\n \"to\": [\"urn:spdx.dev:agent-snyk\"],\n \"startTime\": \"2021-03-08T16:06:50Z\"\n}\n```", - "rdfs:subClassOf": { - "@id": "core:Artifact" - }, - "sh:property": [ - { - "@id": "_:N85d30a94ce5348d992b457bb5a9e04a9" - }, - { - "@id": "_:Ne6954f87e41d4fdd822e0ce53775af6e" - }, - { - "@id": "_:N64fcfcedd7cf4853bfad738e7ccf1de1" - } - ] - }, - { - "@id": "_:N85d30a94ce5348d992b457bb5a9e04a9", - "sh:datatype": { - "@id": "core:DateTime" - }, - "sh:maxCount": 1, - "sh:name": "publishedTime", - "sh:path": { - "@id": "security:publishedTime" - } - }, - { - "@id": "_:Ne6954f87e41d4fdd822e0ce53775af6e", - "sh:datatype": { - "@id": "core:DateTime" - }, - "sh:maxCount": 1, - "sh:name": "modifiedTime", - "sh:path": { - "@id": "security:modifiedTime" - } - }, - { - "@id": "_:N64fcfcedd7cf4853bfad738e7ccf1de1", - "sh:datatype": { - "@id": "core:DateTime" - }, - "sh:maxCount": 1, - "sh:name": "withdrawnTime", - "sh:path": { - "@id": "security:withdrawnTime" - } - }, - { - "@id": "dataset:anonymizationMethodUsed", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "AnonymizationMethodUsed describes the methods used to anonymize the dataset (of fields in the dataset).", - "rdfs:domain": { - "@id": "dataset:Dataset" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "core:releaseTime", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A releaseTime specifies the time an artifact was released.", - "rdfs:domain": { - "@id": "core:Artifact" - }, - "rdfs:range": { - "@id": "core:DateTime" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/operatingSystem", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/serializedInArtifact", - "@type": [ - 
"owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "core:rootElement", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "This property is used to denote the root Element(s) of a tree of elements contained in an SBOM.\nThe tree consists of other elements directly and indirectly related through properties or Relationships from the root.", - "rdfs:domain": { - "@id": "core:ElementCollection" - }, - "rdfs:range": { - "@id": "core:Element" - } - }, - { - "@id": "core:LifecycleScopeType", - "@type": "owl:Class", - "ns0:term_status": "Stable", - "owl:oneOf": { - "@list": [ - { - "@id": "https://spdx.org/rdf/v3/Core/LifecycleScopeType/test" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/LifecycleScopeType/design" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/LifecycleScopeType/development" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/LifecycleScopeType/build" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/LifecycleScopeType/runtime" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/LifecycleScopeType/other" - } - ] - }, - "rdfs:comment": "TODO" - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetAvailabilityType/registration", - "@type": [ - "owl:NamedIndividual", - "dataset:DatasetAvailabilityType" - ] - }, - { - "@id": "build:configSourceDigest", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "configSourceDigest is the checksum of the build configuration file used by a builder to execute a build. 
This Property uses the Core model's [Hash](../../Core/Classes/Hash.md) class.", - "rdfs:domain": { - "@id": "build:Build" - }, - "rdfs:range": { - "@id": "core:Hash" - } - }, - { - "@id": "core:Artifact", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "An artifact is a distinct article or unit within the digital domain,\nsuch as an electronic file, a software package, a device or an element of data.", - "rdfs:subClassOf": { - "@id": "core:Element" - }, - "sh:property": [ - { - "@id": "_:N669896118c004910a7d5020b5e97d92b" - }, - { - "@id": "_:N48930a3df7794a239be3b037b249720b" - }, - { - "@id": "_:N2613bb1f5ecb46539923bdea0d481ffa" - }, - { - "@id": "_:N9b68289505ba4179880b380579b0e8e1" - }, - { - "@id": "_:N46215df032694af395d5e6942a6c80bf" - }, - { - "@id": "_:N42dfd48f631b484d8987bff8596f7e3f" - } - ] - }, - { - "@id": "_:N669896118c004910a7d5020b5e97d92b", - "sh:class": { - "@id": "core:Agent" - }, - "sh:name": "originatedBy", - "sh:path": { - "@id": "core:originatedBy" - } - }, - { - "@id": "_:N48930a3df7794a239be3b037b249720b", - "sh:class": { - "@id": "core:Agent" - }, - "sh:maxCount": 1, - "sh:name": "suppliedBy", - "sh:path": { - "@id": "core:suppliedBy" - } - }, - { - "@id": "_:N2613bb1f5ecb46539923bdea0d481ffa", - "sh:datatype": { - "@id": "core:DateTime" - }, - "sh:maxCount": 1, - "sh:name": "builtTime", - "sh:path": { - "@id": "core:builtTime" - } - }, - { - "@id": "_:N9b68289505ba4179880b380579b0e8e1", - "sh:datatype": { - "@id": "core:DateTime" - }, - "sh:maxCount": 1, - "sh:name": "releaseTime", - "sh:path": { - "@id": "core:releaseTime" - } - }, - { - "@id": "_:N46215df032694af395d5e6942a6c80bf", - "sh:datatype": { - "@id": "core:DateTime" - }, - "sh:maxCount": 1, - "sh:name": "validUntilTime", - "sh:path": { - "@id": "core:validUntilTime" - } - }, - { - "@id": "_:N42dfd48f631b484d8987bff8596f7e3f", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:name": "standard", - "sh:path": { - "@id": 
"core:standard" - } - }, - { - "@id": "software:sourceInfo", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "SourceInfo records any relevant background information or additional comments\nabout the origin of the package. For example, this field might include comments \nindicating whether the package was pulled from a source code management system \nor has been repackaged. The creator can provide additional information to describe\nany anomalies or discoveries in the determination of the origin of the package.", - "rdfs:domain": { - "@id": "software:Package" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/cve", - "@type": [ - "owl:NamedIndividual", - "core:ExternalIdentifierType" - ] - }, - { - "@id": "security:CvssV3VulnAssessmentRelationship", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A CvssV3VulnAssessmentRelationship relationship describes the determined score,\nseverity, and vector of a vulnerability using version [3.0](https://www.first.org/cvss/v3.0/specification-document) or [3.1](https://www.first.org/cvss/v3.1/specification-document) of the Common\nVulnerability Scoring System (CVSS). 
It is intended to communicate the results of using a CVSS calculator.\n\n**Constraints**\n\n- The value of severity must be one of 'NONE', 'LOW', 'MEDIUM', 'HIGH' or 'CRITICAL'.\n- The relationship type must be set to `hasAssessmentFor`.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"CvssV3VulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:cvssv3-cve-2020-28498\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"score\": 6.8,\n \"severity\": \"MEDIUM\",\n \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N\",\n \"from\": \"urn:spdx.dev:vuln-cve-2020-28498\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:npm-elliptic-6.5.2\",\n \"externalRefs\": [\n {\n \"@type\": \"ExternalRef\",\n \"externalRefType\": \"securityAdvisory\",\n \"locator\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28498\"\n },\n {\n \"@type\": \"ExternalRef\",\n \"externalRefType\": \"securityAdvisory\",\n \"locator\": \"https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899\"\n },\n {\n \"@type\": \"ExternalRef\",\n \"externalRefType\": \"securityFix\",\n \"locator\": \"https://github.com/indutny/elliptic/commit/441b742\"\n }\n ],\n \"suppliedBy\": [\"urn:spdx.dev:agent-my-security-vendor\"],\n \"publishedTime\": \"2023-05-06T10:06:13Z\"\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnAgentRel-1\",\n \"relationshipType\": \"publishedBy\",\n \"from\": \"urn:spdx.dev:cvssv3-cve-2020-28498\",\n \"to\": \"urn:spdx.dev:agent-snyk\",\n \"startTime\": \"2021-03-08T16:06:50Z\"\n}\n```", - "rdfs:subClassOf": { - "@id": "security:VulnAssessmentRelationship" - }, - "sh:property": [ - { - "@id": "_:Nee7a098fbcc4428a8ed9fb8efc5793e1" - }, - { - "@id": "_:N3ba243349bfd46529ee754371305f8f0" - }, - { - "@id": "_:Nbf7b1a93840e4a51bc36af46d197d1f0" - } - ] - }, - { - "@id": "_:Nee7a098fbcc4428a8ed9fb8efc5793e1", - "sh:datatype": { - "@id": "xsd:decimal" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "score", - "sh:path": { - "@id": 
"security:score" - } - }, - { - "@id": "_:N3ba243349bfd46529ee754371305f8f0", - "sh:class": { - "@id": "security:CvssSeverityType" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "severity", - "sh:path": { - "@id": "security:severity" - } - }, - { - "@id": "_:Nbf7b1a93840e4a51bc36af46d197d1f0", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "vectorString", - "sh:path": { - "@id": "security:vectorString" - } - }, - { - "@id": "core:externalIdentifierType", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "An externalIdentifierType specifies the type of the external identifier.", - "rdfs:domain": { - "@id": "core:ExternalIdentifier" - }, - "rdfs:range": { - "@id": "core:ExternalIdentifierType" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/LifecycleScopeType/other", - "@type": [ - "owl:NamedIndividual", - "core:LifecycleScopeType" - ] - }, - { - "@id": "core:Bundle", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A bundle is a collection of Elements that have a shared context.", - "rdfs:subClassOf": { - "@id": "core:ElementCollection" - }, - "sh:property": { - "@id": "_:N6390994db7b24bc7b36644a43b77850a" - } - }, - { - "@id": "_:N6390994db7b24bc7b36644a43b77850a", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "context", - "sh:path": { - "@id": "core:context" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/executable", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "core:verifiedUsing", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "VerifiedUsing provides an IntegrityMethod with which the integrity of an Element can be asserted.", - "rdfs:range": { - "@id": "core:IntegrityMethod" - }, - "sh:or": { - "@list": [ - { - "@id": "_:Nd4e6a811ae164aaf8af4efe0c91441af" - } - ] - } - }, - { - 
"@id": "_:Nd4e6a811ae164aaf8af4efe0c91441af", - "rdfs:domain": [ - { - "@id": "core:ExternalMap" - }, - { - "@id": "core:Element" - } - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SbomType/design", - "@type": [ - "owl:NamedIndividual", - "software:SbomType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/securityThreatModel", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "security:publishedTime", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Specifies the time when a vulnerability was first published.", - "rdfs:range": { - "@id": "core:DateTime" - }, - "sh:or": { - "@list": [ - { - "@id": "_:Nc58d22452f5b4881bba9635927a0d9ec" - } - ] - } - }, - { - "@id": "_:Nc58d22452f5b4881bba9635927a0d9ec", - "rdfs:domain": [ - { - "@id": "security:VulnAssessmentRelationship" - }, - { - "@id": "security:Vulnerability" - }, - { - "@id": "security:EpssVulnAssessmentRelationship" - } - ] - }, - { - "@id": "expandedlicensing:standardLicenseTemplate", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A standardLicenseTemplate contains a license template which describes\nsections of the License text which can be varied. See the Legacy Text Template\nformat section of the SPDX specification for format information.", - "rdfs:domain": { - "@id": "expandedlicensing:License" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "security:CvssV4VulnAssessmentRelationship", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A CvssV4VulnAssessmentRelationship relationship describes the determined score, severity, and vector of a vulnerability using version 4 of the Common Vulnerability Scoring System (CVSS) as defined on [https://www.first.org/cvss/v4.0/specification-document](https://www.first.org/cvss/v4.0/specification-document). 
It is intented to communicate the results of using a CVSS calculator.\n\n**Constraints**\n\n- The value of severity must be one of 'NONE', 'LOW', 'MEDIUM', 'HIGH' or 'CRITICAL'.\n- The relationship type must be set to hasAssessmentFor.\n\n**Syntax**\n\n```json\n{\n \"@type\": \"CvssV4VulnAssessmentRelationship\",\n \"@id\": \"urn:spdx.dev:cvssv4-cve-2021-44228\",\n \"relationshipType\": \"hasAssessmentFor\",\n \"severity\": \"MEDIUM\",\n \"score\": 10.0,\n \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/AR:N/UI:N/VCH/VI:H/VA:H/SC:H/SI:H/SA:H/E:A\",\n \"from\": \"urn:spdx.dev:vuln-cve-2021-44228\",\n \"to\": [\"urn:product-acme-application-1.3\"],\n \"assessedElement\": \"urn:apache-log4j-2.14.1\",\n \"externalRefs\": [\n {\n \"@type\": \"ExternalRef\",\n \"externalRefType\": \"securityAdvisory\",\n \"locator\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-44228\"\n },\n {\n \"@type\": \"ExternalRef\",\n \"externalRefType\": \"securityAdvisory\",\n \"locator\": \"https://logging.apache.org/log4j/2.x/security.html\"\n },\n {\n \"@type\": \"ExternalRef\",\n \"externalRefType\": \"securityOther\",\n \"locator\": \" https://www.first.org/cvss/v4.0/examples#Apache-log4j-JNDI-Command-Execution-log4shell-Vulnerability-CVE-2021-44228\"\n },\n ],\n \"suppliedBy\": [\"urn:spdx.dev:agent-my-security-vendor\"],\n \"publishedTime\": \"2023-10-05T23:09:13Z\"\n},\n{\n \"@type\": \"Relationship\",\n \"@id\": \"urn:spdx.dev:vulnAgentRel-1\",\n \"relationshipType\": \"publishedBy\",\n \"from\": \"urn:spdx.dev:cvssv4-cve-2021-44228\",\n \"to\": \"urn:spdx.dev:agent-apache.org\",\n \"startTime\": \"2021-12-11T18:39:00Z\"\n}\n```", - "rdfs:subClassOf": { - "@id": "security:VulnAssessmentRelationship" - }, - "sh:property": [ - { - "@id": "_:N2605c40864694f7f809e00ba4f5e8202" - }, - { - "@id": "_:N2c9f689a67b041ae8d867ee112241302" - }, - { - "@id": "_:N7505e6816509445180af8500640f54b4" - } - ] - }, - { - "@id": "_:N2605c40864694f7f809e00ba4f5e8202", - "sh:datatype": { - "@id": "xsd:decimal" - 
}, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "score", - "sh:path": { - "@id": "security:score" - } - }, - { - "@id": "_:N2c9f689a67b041ae8d867ee112241302", - "sh:class": { - "@id": "security:CvssSeverityType" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "severity", - "sh:path": { - "@id": "security:severity" - } - }, - { - "@id": "_:N7505e6816509445180af8500640f54b4", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "vectorString", - "sh:path": { - "@id": "security:vectorString" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/buildMeta", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "expandedlicensing:CustomLicense", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A CustomLicense represents a License that is not listed on the SPDX License\nList at https://spdx.org/licenses, and is therefore defined by an SPDX data\ncreator.", - "rdfs:subClassOf": { - "@id": "expandedlicensing:License" - } - }, - { - "@id": "core:relationshipType", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "This field provides information about the relationship between two Elements.\nFor example, you can represent a relationship between two different Files,\nbetween a Package and a File, between two Packages, or between one SPDXDocument and another SPDXDocument.", - "rdfs:domain": { - "@id": "core:Relationship" - }, - "rdfs:range": { - "@id": "core:RelationshipType" - } - }, - { - "@id": "build:buildEndTime", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "buildEndTime describes the time at which a build stops or finishes. 
This value is typically recorded by the builder.", - "rdfs:domain": { - "@id": "build:Build" - }, - "rdfs:range": { - "@id": "core:DateTime" - } - }, - { - "@id": "core:specVersion", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "The specVersion provides a reference number that can be used to understand how to parse and interpret an Element.\nIt will enable both future changes to the specification and to support backward compatibility.\nThe major version number shall be incremented when incompatible changes between versions are made\n(one or more sections are created, modified or deleted).\nThe minor version number shall be incremented when backwards compatible changes are made.\n\nHere, parties exchanging information in accordance with the SPDX specification need to provide \n100% transparency as to which SPDX specification version such information is conforming to.", - "rdfs:domain": { - "@id": "core:CreationInfo" - }, - "rdfs:range": { - "@id": "core:SemVer" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/chat", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasDataFile", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/socialMedia", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "core:SpdxDocument", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "The SpdxDocument provides a convenient way to express information about collections of SPDX Elements that could potentially be serialized as complete\nunits (e.g., all in-scope SPDX data within a single JSON-LD file). 
SpdxDocument is independent of any particular serialization format or instance.\nInformation we wish to preserve about a specific instance of serialization of this SPDX content is NOT expressed using the SpdxDocument but rather using an associated Artifact representing a particular instance of SPDX data physical serialization.\n\nAny instance of serialization of SPDX data MUST NOT contain more than one SpdxDocument element definition.", - "rdfs:subClassOf": { - "@id": "core:ElementCollection" - }, - "sh:property": [ - { - "@id": "_:N1737455c41a341529e5bf14320e080aa" - }, - { - "@id": "_:N81c48c773c264f27b4de12f801bbb1e3" - }, - { - "@id": "_:Nd11b82cc01f34e2ca9bab40c0863550c" - } - ] - }, - { - "@id": "_:N1737455c41a341529e5bf14320e080aa", - "sh:class": { - "@id": "core:ExternalMap" - }, - "sh:name": "imports", - "sh:path": { - "@id": "core:imports" - } - }, - { - "@id": "_:N81c48c773c264f27b4de12f801bbb1e3", - "sh:class": { - "@id": "core:NamespaceMap" - }, - "sh:name": "namespaceMap", - "sh:path": { - "@id": "core:namespaceMap" - } - }, - { - "@id": "_:Nd11b82cc01f34e2ca9bab40c0863550c", - "sh:class": { - "@id": "simplelicensing:AnyLicenseInfo" - }, - "sh:maxCount": 1, - "sh:name": "dataLicense", - "sh:path": { - "@id": "core:dataLicense" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/text", - "@type": [ - "owl:NamedIndividual", - "dataset:DatasetType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/bom", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/amendedBy", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/securityPenTestReport", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasExample", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - 
{ - "@id": "security:CvssSeverityType", - "@type": "owl:Class", - "ns0:term_status": "Stable", - "owl:oneOf": { - "@list": [ - { - "@id": "https://spdx.org/rdf/v3/Security/CvssSeverityType/high" - }, - { - "@id": "https://spdx.org/rdf/v3/Security/CvssSeverityType/none" - }, - { - "@id": "https://spdx.org/rdf/v3/Security/CvssSeverityType/low" - }, - { - "@id": "https://spdx.org/rdf/v3/Security/CvssSeverityType/critical" - }, - { - "@id": "https://spdx.org/rdf/v3/Security/CvssSeverityType/medium" - } - ] - }, - "rdfs:comment": "CvssSeverityType specifies the CVSS severity type, defined in the CVSS specifications as the textual representation of the numeric CVSS score. The severity type entries are inclusive of and applicable to enumerations found in CVSS versions [3](https://www.first.org/cvss/v3.0/specification-document#Qualitative-Severity-Rating-Scale) and [4](https://www.first.org/cvss/v4.0/specification-document#Qualitative-Severity-Rating-Scale). CvssSeverityType is a mandatory field because baseSeverity is required in the CVSS version [3.0](https://www.first.org/cvss/cvss-v3.0.json), [3.1](https://www.first.org/cvss/cvss-v3.1.json), and [4.0](https://www.first.org/cvss/cvss-v4.0.json) schemas. The field can be used to document the base, temporal, threat, or environmental severity." 
- }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/altDownloadLocation", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ProfileIdentifierType/ai", - "@type": [ - "owl:NamedIndividual", - "core:ProfileIdentifierType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/filesystemImage", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "expandedlicensing:additionText", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "An additionText contains the plain text of the LicenseAddition, without\ntemplating or other similar markup.\n\nUsers of the additionText for a License can apply the SPDX Matching Guidelines\nwhen comparing it to another text for matching purposes.", - "rdfs:domain": { - "@id": "expandedlicensing:LicenseAddition" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "core:contentType", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "ContentType specifies the media type of an Element or Property.", - "rdfs:range": { - "@id": "core:MediaType" - }, - "sh:or": { - "@list": [ - { - "@id": "_:N2737f4bd5a624b75b8f09b0e2e12b225" - } - ] - } - }, - { - "@id": "_:N2737f4bd5a624b75b8f09b0e2e12b225", - "rdfs:domain": [ - { - "@id": "core:ExternalRef" - }, - { - "@id": "core:Annotation" - } - ] - }, - { - "@id": "core:ExternalRefType", - "@type": "owl:Class", - "ns0:term_status": "Stable", - "owl:oneOf": { - "@list": [ - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/securityAdversaryModel" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/productMetadata" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/securityAdvisory" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/securityThreatModel" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/metrics" - }, - { - "@id": 
"https://spdx.org/rdf/v3/Core/ExternalRefType/secureSoftwareAttestation" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/dynamicAnalysisReport" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/altWebPage" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/issueTracker" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/exportControlAssessment" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/documentation" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/buildSystem" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/eolNotice" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/securityOther" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/buildMeta" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/releaseNotes" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/privacyAssessment" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/bower" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/other" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/chat" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/socialMedia" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/qualityAssessmentReport" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/staticAnalysisReport" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/mailingList" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/certificationReport" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/securityFix" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/releaseHistory" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/npm" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/purchaseOrder" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/riskAssessment" - }, - { - "@id": 
"https://spdx.org/rdf/v3/Core/ExternalRefType/securityPenTestReport" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/funding" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/altDownloadLocation" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/mavenCentral" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/binaryArtifact" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/license" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/runtimeAnalysisReport" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/vulnerabilityExploitabilityAssessment" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/vcs" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/sourceArtifact" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/componentAnalysisReport" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/support" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/vulnerabilityDisclosureReport" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/securityPolicy" - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/nuget" - } - ] - }, - "rdfs:comment": "ExternalRefType specifies the type of an external reference." - }, - { - "@id": "expandedlicensing:isDeprecatedLicenseId", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "The isDeprecatedLicenseId property specifies whether an identifier for a\nLicense or LicenseAddition has been marked as deprecated. If the property\nis not defined, then it is presumed to be false (i.e., not deprecated).\n\nIf the License or LicenseAddition is included on the SPDX License List, then\nthe `deprecatedVersion` property indicates on which version release of the\nLicense List it was first marked as deprecated.\n\n\"Deprecated\" in this context refers to deprecating the use of the\n_identifier_, not the underlying license. 
In other words, even if a License's\nauthor or steward has stated that a particular License generally should not be\nused, that would _not_ mean that the License's identifier is \"deprecated.\"\nRather, a License or LicenseAddition operator is typically marked as\n\"deprecated\" when it is determined that use of another identifier is\npreferable.", - "rdfs:domain": { - "@id": "expandedlicensing:License" - }, - "rdfs:range": { - "@id": "xsd:boolean" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/blake2b256", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/metrics", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "dataset:knownBias", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "KnownBias is a free form text field that describes the different biases that the dataset encompasses.", - "rdfs:domain": { - "@id": "dataset:Dataset" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/application", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/foundBy", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Dataset/DatasetType/syntactic", - "@type": [ - "owl:NamedIndividual", - "dataset:DatasetType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/HashAlgorithm/blake3", - "@type": [ - "owl:NamedIndividual", - "core:HashAlgorithm" - ] - }, - { - "@id": "core:Annotation", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "An Annotation is an assertion made in relation to one or more elements. 
The `contentType` property describes the format of the `statement` property.", - "rdfs:subClassOf": { - "@id": "core:Element" - }, - "sh:property": [ - { - "@id": "_:Na1a7ea20afc7408e9daebd4d22686613" - }, - { - "@id": "_:N992a8e924dda4b75a24e81f04c23a66b" - }, - { - "@id": "_:N7ca7b39fa98a4ab6a0a959d756e8e35b" - }, - { - "@id": "_:Nce6cb86978894466a2df2f1a22f6575f" - } - ] - }, - { - "@id": "_:Na1a7ea20afc7408e9daebd4d22686613", - "sh:class": { - "@id": "core:AnnotationType" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "annotationType", - "sh:path": { - "@id": "core:annotationType" - } - }, - { - "@id": "_:N992a8e924dda4b75a24e81f04c23a66b", - "sh:datatype": { - "@id": "core:MediaType" - }, - "sh:maxCount": 1, - "sh:name": "contentType", - "sh:path": { - "@id": "core:contentType" - } - }, - { - "@id": "_:N7ca7b39fa98a4ab6a0a959d756e8e35b", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:name": "statement", - "sh:path": { - "@id": "core:statement" - } - }, - { - "@id": "_:Nce6cb86978894466a2df2f1a22f6575f", - "sh:class": { - "@id": "core:Element" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "subject", - "sh:path": { - "@id": "core:subject" - } - }, - { - "@id": "core:definingArtifact", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A definingArtifact property is used to link the Element identifier for an Element defined external to a given SpdxDocument to an Artifact Element representing the SPDX serialization instance which contains the definition for the Element.", - "rdfs:domain": { - "@id": "core:ExternalMap" - }, - "rdfs:range": { - "@id": "core:Artifact" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/file", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Security/ExploitCatalogType/other", - "@type": [ - "owl:NamedIndividual", - "security:ExploitCatalogType" - ] - }, - { - "@id": 
"https://spdx.org/rdf/v3/Core/RelationshipType/hasTestCase", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "software:copyrightText", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A copyrightText consists of the text(s) of the copyright notice(s) found\nfor a software Package, File or Snippet, if any.\n\nIf a copyrightText contains text, then it may contain any text related to\none or more copyright notices (even if not complete) for that software\nPackage, File or Snippet.\n\nIf a copyrightText has a \"NONE\" value, this indicates that the software\nPackage, File or Snippet contains no copyright notice whatsoever.\n\nIf a copyrightText has a \"NOASSERTION\" value, this indicates that one of the\nfollowing applies:\n* the SPDX data creator has attempted to but cannot reach a reasonable\n objective determination;\n* the SPDX data creator has made no attempt to determine this field; or\n* the SPDX data creator has intentionally provided no information (no\n meaning should be implied by doing so).", - "rdfs:domain": { - "@id": "software:SoftwareArtifact" - }, - "rdfs:range": { - "@id": "xsd:string" - } - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/purchaseOrder", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "simplelicensing:SimpleLicensingText", - "@type": [ - "owl:Class", - "sh:NodeShape" - ], - "ns0:term_status": "Stable", - "rdfs:comment": "A SimpleLicensingText represents a License or Addition that is not listed on the SPDX License\nList at https://spdx.org/licenses, and is therefore defined by an SPDX data\ncreator.", - "rdfs:subClassOf": { - "@id": "core:Element" - }, - "sh:property": { - "@id": "_:Ne317b233f9ed4b1c944e2a7045e09f48" - } - }, - { - "@id": "_:Ne317b233f9ed4b1c944e2a7045e09f48", - "sh:datatype": { - "@id": "xsd:string" - }, - "sh:maxCount": 1, - "sh:minCount": 1, - "sh:name": "licenseText", - "sh:path": { - "@id": 
"simplelicensing:licenseText" - } - }, - { - "@id": "expandedlicensing:deprecatedVersion", - "@type": "owl:DatatypeProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "A deprecatedVersion for a ListedLicense or ListedLicenseException on the SPDX\nLicense List specifies which version release of the License List was the first\none in which it was marked as deprecated.", - "rdfs:range": { - "@id": "xsd:string" - }, - "sh:or": { - "@list": [ - { - "@id": "_:N5ae11738063741c89f56c934a0f26af2" - } - ] - } - }, - { - "@id": "_:N5ae11738063741c89f56c934a0f26af2", - "rdfs:domain": [ - { - "@id": "expandedlicensing:ListedLicense" - }, - { - "@id": "expandedlicensing:ListedLicenseException" - } - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/diskImage", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/RelationshipType/hasAssessmentFor", - "@type": [ - "owl:NamedIndividual", - "core:RelationshipType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalRefType/runtimeAnalysisReport", - "@type": [ - "owl:NamedIndividual", - "core:ExternalRefType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Core/ExternalIdentifierType/cpe22", - "@type": [ - "owl:NamedIndividual", - "core:ExternalIdentifierType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SbomType/deployed", - "@type": [ - "owl:NamedIndividual", - "software:SbomType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Security/SsvcDecisionType/attend", - "@type": [ - "owl:NamedIndividual", - "security:SsvcDecisionType" - ] - }, - { - "@id": "https://spdx.org/rdf/v3/Software/SoftwarePurpose/archive", - "@type": [ - "owl:NamedIndividual", - "software:SoftwarePurpose" - ] - }, - { - "@id": "ai:metricDecisionThreshold", - "@type": "owl:ObjectProperty", - "ns0:term_status": "Stable", - "rdfs:comment": "Each metric might be computed based on a decision threshold. 
\nFor instance, precision or recall is typically computed by checking\nif the probability of the outcome is larger than 0.5.\nEach decision threshold should match with a metric field defined in the AI Package.",
- "rdfs:domain": {
- "@id": "ai:AIPackage"
- },
- "rdfs:range": {
- "@id": "core:DictionaryEntry"
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/Library/Homebrew/sbom.rb b/Library/Homebrew/sbom.rb
index f1302034b2530..56b0cf239c8ad 100644
--- a/Library/Homebrew/sbom.rb
+++ b/Library/Homebrew/sbom.rb
@@ -10,7 +10,7 @@
 # Rather than calling `new` directly, use one of the class methods like {SBOM.create}.
 class SBOM
 FILENAME = "sbom.spdx.json"
- SCHEMA_FILE = (HOMEBREW_LIBRARY_PATH/"data/schemas/sbom.spdx.schema.3.json").freeze
+ SCHEMA_FILE = (HOMEBREW_LIBRARY_PATH/"data/schemas/sbom.json").freeze
 # Instantiates a {SBOM} for a new installation of a formula.
 sig { params(formula: Formula, tab: Tab).returns(T.attached_class) }
@@ -293,7 +293,7 @@ def full_spdx_runtime_dependencies(bottling:)
 {
 referenceCategory: "PACKAGE-MANAGER",
 referenceLocator: "pkg:brew/#{dependency["full_name"]}@#{dependency["pkg_version"]}",
- referenceType: :purl,
+ referenceType: "purl",
 },
 ],
 }
@@ -341,7 +341,7 @@ def to_spdx_sbom(bottling:)
 spdxVersion: "SPDX-2.3",
 name: "SBOM-SPDX-#{name}-#{spec_version}",
 creationInfo: {
- created: (Time.at(time).utc if time.present? && !bottling),
+ created: (Time.at(time).utc.iso8601 if time.present? && !bottling),
 creators: ["Tool: https://github.com/homebrew/brew@#{homebrew_version}"],
 },
 dataLicense: "CC0-1.0",
diff --git a/Library/Homebrew/test/sbom_spec.rb b/Library/Homebrew/test/sbom_spec.rb
index 2a481e0368bb3..3397dce1306f9 100644
--- a/Library/Homebrew/test/sbom_spec.rb
+++ b/Library/Homebrew/test/sbom_spec.rb
@@ -68,5 +68,12 @@
 sbom = described_class.create(f, tab)
 expect(sbom).to be_valid
 end
+
+ it "returns false if an SBOM is invalid" do
+ f = formula { url "foo-1.0" }
+ sbom = described_class.create(f, Tab.new)
+ allow(sbom).to receive(:to_spdx_sbom).and_return({}) # fake an empty SBOM
+ expect(sbom).not_to be_valid
+ end
 end
 end
From 42a6b59de569200bcaaa4d2b8515e6ad6d55670d Mon Sep 17 00:00:00 2001
From: Mike McQuaid
Date: Thu, 8 Aug 2024 09:34:32 +0100
Subject: [PATCH 2/2] sbom: fix errors, improve reproducibility, tests.
- Remove/change data from bottle SBOM to avoid harming reproduciblity
- Add `schema_validation_errors` method to provide nicer test failures
- Add tests more tests for SBOM when bottling
- Cleanup SBOM tests to use more typical RSpec form and be DRYer
---
 Library/Homebrew/sbom.rb | 50 ++++++-----
 Library/Homebrew/test/sbom_spec.rb | 130 +++++++++++++++++------
 2 files changed, 105 insertions(+), 75 deletions(-)
diff --git a/Library/Homebrew/sbom.rb b/Library/Homebrew/sbom.rb
index 56b0cf239c8ad..deb2c43e51da0 100644
--- a/Library/Homebrew/sbom.rb
+++ b/Library/Homebrew/sbom.rb
@@ -22,18 +22,11 @@ def self.create(formula, tab)
 end
 active_spec_sym = formula.active_spec_sym
- homebrew_version_maybe_dev = if (match_data = HOMEBREW_VERSION.match(/^[\d.]+/))
- suffix = "-dev" if HOMEBREW_VERSION.include?("-")
- match_data[0] + suffix.to_s
- else
- HOMEBREW_VERSION
- end
-
 attributes = {
 name: formula.name,
- homebrew_version: homebrew_version_maybe_dev,
+ homebrew_version: HOMEBREW_VERSION,
 spdxfile: SBOM.spdxfile(formula),
- time: tab.time,
+ time: tab.time || Time.now,
 source_modified_time: tab.source_modified_time.to_i,
 compiler: tab.compiler,
 stdlib: tab.stdlib,
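Review bot: `time: tab.time || Time.now` in `self.create` mixes types: `Time.at(time)` in `to_spdx_sbom` suggests `tab.time` is an epoch Integer, while the fallback is a `Time` object. `Time.at` accepts both, but if the `time` reader's sig (outside this hunk) declares `Integer`, the fallback trips Sorbet's runtime check; `time: tab.time || Time.now.to_i` keeps a single type. The fallback also means an SBOM built from a tab with no recorded install time reports its own generation moment as `created`, which deserves a comment such as `# Fall back to now for tabs without an install time (e.g. Tab.new in tests).`. The rest of `self.create` lies outside the hunk.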
@@ -92,22 +85,27 @@ def self.schema
 @schema ||= JSON.parse(SCHEMA_FILE.read, freeze: true)
 end
- sig { params(bottling: T::Boolean).returns(T::Boolean) }
- def valid?(bottling: false)
+ sig { params(bottling: T::Boolean).returns(T::Array[T::Hash[String, T.untyped]]) }
+ def schema_validation_errors(bottling: false)
 unless require? "json_schemer"
 error_message = "Need json_schemer to validate SBOM, run `brew install-bundler-gems --add-groups=bottle`!"
 odie error_message if ENV["HOMEBREW_ENFORCE_SBOM"]
- return true
+ return []
 end
 schemer = JSONSchemer.schema(SBOM.schema)
 data = to_spdx_sbom(bottling:)
- return true if schemer.valid?(data)
+
+ schemer.validate(data).map { |error| error["error"] }
+ end
+
+ sig { params(bottling: T::Boolean).returns(T::Boolean) }
+ def valid?(bottling: false)
+ validation_errors = schema_validation_errors(bottling:)
+ return true if validation_errors.empty?
 opoo "SBOM validation errors:"
- schemer.validate(data).to_a.each do |error|
- puts error["error"]
- end
+ validation_errors.each(&:puts)
 odie "Failed to validate SBOM against JSON schema!" if ENV["HOMEBREW_ENFORCE_SBOM"]
@@ -210,7 +208,7 @@ def generate_packages_json(runtime_dependency_declaration, compiler_declaration,
 filesAnalyzed: false,
 licenseDeclared: assert_value(nil),
 builtDate: source_modified_time.to_s,
- licenseConcluded: license,
+ licenseConcluded: assert_value(license),
 downloadLocation: bottle_info.fetch("url"),
 copyrightText: assert_value(nil),
 externalRefs: [
@@ -323,8 +321,8 @@ def to_spdx_sbom(bottling:)
 if stdlib.present?
 compiler_info["SPDXRef-Stdlib"] = {
 SPDXID: "SPDXRef-Stdlib",
- name: stdlib,
- versionInfo: stdlib,
+ name: stdlib.to_s,
+ versionInfo: stdlib.to_s,
 filesAnalyzed: false,
 licenseDeclared: assert_value(nil),
 licenseConcluded: assert_value(nil),
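Review bot: `validation_errors.each(&:puts)` in the new `valid?` invokes `puts` as a method on each error object, and `Kernel#puts` is private, so the first invalid SBOM raises NoMethodError instead of printing the errors before the `odie`; the removed loop called `puts error["error"]` as a bare method, which is what the new code should keep: `validation_errors.each { |error| puts error }`. The new spec only exercises `schema_validation_errors`, so this printing path is no longer covered by a test. Relatedly, the old code handed `error["error"]` straight to `puts`, which suggests these are message Strings rather than the `T::Hash[String, T.untyped]` elements the new sig declares; if json_schemer returns strings here, `T::Array[String]` is the accurate return type. `valid?` ends outside the hunk.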
@@ -335,15 +333,21 @@ def to_spdx_sbom(bottling:)
 }
 end
+ # Improve reproducibility when bottling.
+ if bottling
+ created = source_modified_time.iso8601
+ creators = ["Tool: https://github.com/Homebrew/brew"]
+ else
+ created = Time.at(time).utc.iso8601
+ creators = ["Tool: https://github.com/Homebrew/brew@#{homebrew_version}"]
+ end
+
 packages = generate_packages_json(runtime_full, compiler_info, bottling:)
 {
 SPDXID: "SPDXRef-DOCUMENT",
 spdxVersion: "SPDX-2.3",
 name: "SBOM-SPDX-#{name}-#{spec_version}",
- creationInfo: {
- created: (Time.at(time).utc.iso8601 if time.present? && !bottling),
- creators: ["Tool: https://github.com/homebrew/brew@#{homebrew_version}"],
- },
+ creationInfo: { created:, creators: },
 dataLicense: "CC0-1.0",
 documentNamespace: "https://formulae.brew.sh/spdx/#{name}-#{spec_version}.json",
 documentDescribes: packages.map { |dependency| dependency[:SPDXID] },
diff --git a/Library/Homebrew/test/sbom_spec.rb b/Library/Homebrew/test/sbom_spec.rb
index 3397dce1306f9..adf79fb7d81ef 100644
--- a/Library/Homebrew/test/sbom_spec.rb
+++ b/Library/Homebrew/test/sbom_spec.rb
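Review bot: The bottling branch formats `created = source_modified_time.iso8601` without normalising to UTC, while the non-bottling branch uses `Time.at(time).utc.iso8601`; if `source_modified_time` is a local-zone Time, the `created` string carries the builder's UTC offset, which works against the reproducibility this hunk is after, so `source_modified_time.utc.iso8601` is the consistent form. Note also that `self.create` stores `tab.source_modified_time.to_i`, an Integer, and Integer has no `iso8601`; unless a reader converts the attribute back to a Time outside this hunk, the call needs `Time.at(source_modified_time).utc.iso8601`. The hash literal returned by `to_spdx_sbom` continues past the end of the hunk.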
@@ -3,77 +3,103 @@
 require "sbom"
 RSpec.describe SBOM do
- describe "#valid?" do
- it "returns true if a minimal SBOM is valid" do
- f = formula { url "foo-1.0" }
- sbom = described_class.create(f, Tab.new)
- expect(sbom).to be_valid
- end
+ describe "#schema_validation_errors" do
+ subject(:sbom) { described_class.create(f, tab) }
- it "returns true if a maximal SBOM is valid" do
- f = formula do
- homepage "https://brew.sh"
+ before { ENV.delete("HOMEBREW_ENFORCE_SBOM") }
- url "https://brew.sh/test-0.1.tbz"
- sha256 TEST_SHA256
+ let(:f) { formula { url "foo-1.0" } }
+ let(:tab) { Tab.new }
- patch do
- url "patch_macos"
- end
+ it "returns true if valid" do
+ expect(sbom.schema_validation_errors).to be_empty
+ end
- bottle do
- sha256 all: "9befdad158e59763fb0622083974a6252878019702d8c961e1bec3a5f5305339"
- end
+ it "returns true if valid when bottling" do
+ expect(sbom.schema_validation_errors(bottling: true)).to be_empty
+ end
- # some random dependencies to test with
- depends_on "cmake" => :build
- depends_on "beanstalkd"
+ context "with a maximal SBOM" do
+ let(:f) do
+ formula do
+ homepage "https://brew.sh"
- uses_from_macos "python" => :build
- uses_from_macos "zlib"
- end
+ url "https://brew.sh/test-0.1.tbz"
+ sha256 TEST_SHA256
- beanstalkd = formula "beanstalkd" do
- url "one-1.1"
+ patch do
+ url "patch_macos"
+ end
- bottle do
- sha256 all: "ac4c0330b70dae06eaa8065bfbea78dda277699d1ae8002478017a1bd9cf1908"
+ bottle do
+ sha256 all: "9befdad158e59763fb0622083974a6252878019702d8c961e1bec3a5f5305339"
+ end
+
+ # some random dependencies to test with
+ depends_on "cmake" => :build
+ depends_on "beanstalkd"
+
+ uses_from_macos "python" => :build
+ uses_from_macos "zlib"
 end
 end
+ let(:tab) do
+ beanstalkd = formula "beanstalkd" do
+ url "one-1.1"
- zlib = formula "zlib" do
- url "two-1.1"
+ bottle do
+ sha256 all: "ac4c0330b70dae06eaa8065bfbea78dda277699d1ae8002478017a1bd9cf1908"
+ end
+ end
- bottle do
- sha256 all:
"6a4642964fe5c4d1cc8cd3507541736d5b984e34a303a814ef550d4f2f8242f9"
+ zlib = formula "zlib" do
+ url "two-1.1"
+
+ bottle do
+ sha256 all: "6a4642964fe5c4d1cc8cd3507541736d5b984e34a303a814ef550d4f2f8242f9"
+ end
 end
- end
- runtime_dependencies = [beanstalkd, zlib]
- runtime_deps_hash = runtime_dependencies.map do |dep|
- {
- "full_name" => dep.full_name,
- "version" => dep.version.to_s,
- "revision" => dep.revision,
- "pkg_version" => dep.pkg_version.to_s,
- "declared_directly" => true,
- }
+ runtime_dependencies = [beanstalkd, zlib]
+ runtime_deps_hash = runtime_dependencies.map do |dep|
+ {
+ "full_name" => dep.full_name,
+ "version" => dep.version.to_s,
+ "revision" => dep.revision,
+ "pkg_version" => dep.pkg_version.to_s,
+ "declared_directly" => true,
+ }
+ end
+ allow(Tab).to receive(:runtime_deps_hash).and_return(runtime_deps_hash)
+ tab = Tab.create(f, DevelopmentTools.default_compiler, :libcxx)
+
+ allow(Formulary).to receive(:factory).with("beanstalkd").and_return(beanstalkd)
+ allow(Formulary).to receive(:factory).with("zlib").and_return(zlib)
+
+ tab
 end
- expect(Tab).to receive(:runtime_deps_hash).and_return(runtime_deps_hash)
- tab = Tab.create(f, DevelopmentTools.default_compiler, :libcxx)
- expect(Formulary).to receive(:factory).with("beanstalkd").and_return(beanstalkd)
- expect(Formulary).to receive(:factory).with("zlib").and_return(zlib)
+ it "returns true if valid" do
+ expect(sbom.schema_validation_errors).to be_empty
+ end
- sbom = described_class.create(f, tab)
- expect(sbom).to be_valid
+ it "returns true if valid when bottling" do
+ expect(sbom.schema_validation_errors(bottling: true)).to be_empty
+ end
 end
- it "returns false if an SBOM is invalid" do
- f = formula { url "foo-1.0" }
- sbom = described_class.create(f, Tab.new)
- allow(sbom).to receive(:to_spdx_sbom).and_return({}) # fake an empty SBOM
- expect(sbom).not_to be_valid
+ context "with an invalid SBOM" do
+ before do
+ allow(sbom).to receive(:to_spdx_sbom).and_return({}) # fake
an empty SBOM
+ end
+
+ it "returns false" do
+ expect(sbom.schema_validation_errors).not_to be_empty
+ end
+
+ it "returns false when bottling" do
+ expect(sbom.schema_validation_errors(bottling: true)).not_to be_empty
+ end
 end
 end
 end
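Review bot: The example names in the new `#schema_validation_errors` group still describe a boolean (`"returns true if valid"`, `"returns false"`, and their bottling variants) while the expectations assert `be_empty` / `not_to be_empty` on the returned array, so a failure report reads "returns true" for a method that never returns true; name them after what is asserted, e.g. `it "returns no errors if valid" do` and `it "returns errors" do`. `before { ENV.delete("HOMEBREW_ENFORCE_SBOM") }` mutates the process environment without restoring it; presumably the suite's spec helper resets ENV between examples, otherwise the deletion leaks into examples that run afterwards. The whole describe block sits inside the hunk.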