SPDXID: SPDXRef-DOCUMENT
annotations:
- annotationDate: "2010-01-29T18:30:22Z"
  annotationType: OTHER
  annotator: 'Person: Jane Doe ()'
  comment: Document level annotation
- annotationDate: "2010-02-10T00:00:00Z"
  annotationType: REVIEW
  annotator: 'Person: Joe Reviewer'
  comment: This is just an example. Some of the non-standard licenses look like they
    are actually BSD 3 clause licenses
- annotationDate: "2011-03-13T00:00:00Z"
  annotationType: REVIEW
  annotator: 'Person: Suzanne Reviewer'
  comment: Another example reviewer.
comment: This document was created using SPDX 2.0 using licenses from the web site.
creationInfo:
  comment: |-
    This package has been shipped in source and binary form.
    The binaries were created with gcc 4.5.1 and expect to link to
    compatible system run time libraries.
  created: "2010-01-29T18:30:22Z"
  creators:
  - 'Tool: LicenseFind-1.0'
  - 'Organization: ExampleCodeInspect ()'
  - 'Person: Jane Doe ()'
  licenseListVersion: "3.9"
dataLicense: CC0-1.0
documentNamespace: http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301
externalDocumentRefs:
- checksum:
    algorithm: SHA1
    checksumValue: d6a770ba38583ed4bb4525bd96e50461655d2759
  externalDocumentId: DocumentRef-spdx-tool-1.2
  spdxDocument: http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301
files:
- SPDXID: SPDXRef-DoapSource
  checksums:
  - algorithm: SHA1
    checksumValue: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
  copyrightText: Copyright 2010, 2011 Source Auditor Inc.
  fileContributors:
  - Protecode Inc.
  - SPDX Technical Team Members
  - Open Logic Inc.
  - Source Auditor Inc.
  - Black Duck Software In.c
  fileName: ./src/org/spdx/parser/DOAPProject.java
  fileTypes:
  - SOURCE
  licenseConcluded: Apache-2.0
  licenseInfoInFiles:
  - Apache-2.0
- SPDXID: SPDXRef-CommonsLangSrc
  checksums:
  - algorithm: SHA1
    checksumValue: c2b4e1c67a2d28fced849ee1bb76e7391b93f125
  comment: This file is used by Jena
  copyrightText: Copyright 2001-2011 The Apache Software Foundation
  fileContributors:
  - Apache Software Foundation
  fileName: ./lib-source/commons-lang3-3.1-sources.jar
  fileTypes:
  - ARCHIVE
  licenseConcluded: Apache-2.0
  licenseInfoInFiles:
  - Apache-2.0
  noticeText: |-
    Apache Commons Lang
    Copyright 2001-2011 The Apache Software Foundation

    This product includes software developed by
    The Apache Software Foundation (http://www.apache.org/).

    This product includes software from the Spring Framework,
    under the Apache License 2.0 (see: StringUtils.containsWhitespace())
- SPDXID: SPDXRef-JenaLib
  checksums:
  - algorithm: SHA1
    checksumValue: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125
  comment: This file belongs to Jena
  copyrightText: (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
    2009 Hewlett-Packard Development Company, LP
  fileContributors:
  - Apache Software Foundation
  - Hewlett Packard Inc.
  fileName: ./lib-source/jena-2.6.3-sources.jar
  fileTypes:
  - ARCHIVE
  licenseComments: This license is used by Jena
  licenseConcluded: LicenseRef-1
  licenseInfoInFiles:
  - LicenseRef-1
- SPDXID: SPDXRef-File
  annotations:
  - annotationDate: "2011-01-29T18:30:22Z"
    annotationType: OTHER
    annotator: 'Person: File Commenter'
    comment: File level annotation
  checksums:
  - algorithm: SHA1
    checksumValue: d6a770ba38583ed4bb4525bd96e50461655d2758
  - algorithm: MD5
    checksumValue: 624c1abb3664f4b35547e7c73864ad24
  comment: |-
    The concluded license was taken from the package level that the file was included in.
    This information was found in the COPYING.txt file in the xyz directory.
  copyrightText: Copyright 2008-2010 John Smith
  fileContributors:
  - The Regents of the University of California
  - Modified by Paul Mundt [email protected]
  - IBM Corporation
  fileName: ./package/foo.c
  fileTypes:
  - SOURCE
  licenseComments: The concluded license was taken from the package level that the
    file was included in.
  licenseConcluded: (LGPL-2.0-only OR LicenseRef-2)
  licenseInfoInFiles:
  - GPL-2.0-only
  - LicenseRef-2
  noticeText: "Copyright (c) 2001 Aaron Lehmann [email protected]\n\nPermission is
    hereby granted, free of charge, to any person obtaining a copy of this software
    and associated documentation files (the 'Software'), to deal in the Software without
    restriction, including without limitation the rights to use, copy, modify, merge,
    publish, distribute, sublicense, and/or sell copies of the Software, and to permit
    persons to whom the Software is furnished to do so, subject to the following conditions:
    \nThe above copyright notice and this permission notice shall be included in all
    copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED 'AS
    IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED
    TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
    \ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
    DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
    ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
    IN THE SOFTWARE."
hasExtractedLicensingInfos:
- extractedText: |-
    /*
     * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP
     * All rights reserved.
     *
     * Redistribution and use in source and binary forms, with or without
     * modification, are permitted provided that the following conditions
     * are met:
     * 1. Redistributions of source code must retain the above copyright
     *    notice, this list of conditions and the following disclaimer.
     * 2. Redistributions in binary form must reproduce the above copyright
     *    notice, this list of conditions and the following disclaimer in the
     *    documentation and/or other materials provided with the distribution.
     * 3. The name of the author may not be used to endorse or promote products
     *    derived from this software without specific prior written permission.
     *
     * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
     * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
     * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
     * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
     * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
     * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
     * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
     * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     */
  licenseId: LicenseRef-1
- extractedText: "This package includes the GRDDL parser developed by Hewlett Packard
    under the following license:\n© Copyright 2007 Hewlett-Packard Development Company,
    LP\n\nRedistribution and use in source and binary forms, with or without modification,
    are permitted provided that the following conditions are met: \n\nRedistributions
    of source code must retain the above copyright notice, this list of conditions
    and the following disclaimer. \nRedistributions in binary form must reproduce
    the above copyright notice, this list of conditions and the following disclaimer
    in the documentation and/or other materials provided with the distribution. \nThe
    name of the author may not be used to endorse or promote products derived from
    this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED
    BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
    NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
    INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
    BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
    DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
    LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
    OF THE POSSIBILITY OF SUCH DAMAGE."
  licenseId: LicenseRef-2
- extractedText: |-
    /*
     * (c) Copyright 2009 University of Bristol
     * All rights reserved.
     *
     * Redistribution and use in source and binary forms, with or without
     * modification, are permitted provided that the following conditions
     * are met:
     * 1. Redistributions of source code must retain the above copyright
     *    notice, this list of conditions and the following disclaimer.
     * 2. Redistributions in binary form must reproduce the above copyright
     *    notice, this list of conditions and the following disclaimer in the
     *    documentation and/or other materials provided with the distribution.
     * 3. The name of the author may not be used to endorse or promote products
     *    derived from this software without specific prior written permission.
     *
     * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
     * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
     * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
     * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
     * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
     * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
     * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
     * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     */
  licenseId: LicenseRef-4
- comment: The beerware license has a couple of other standard variants.
  extractedText: |-
    "THE BEER-WARE LICENSE" (Revision 42):
    phk@FreeBSD.ORG wrote this file. As long as you retain this notice you
    can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp
  licenseId: LicenseRef-Beerware-4.2
  name: Beer-Ware License (Version 42)
  seeAlsos:
  - http://people.freebsd.org/~phk/
- comment: This is tye CyperNeko License
  extractedText: "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright
    2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source
    and binary forms, with or without\nmodification, are permitted provided that the
    following conditions\nare met:\n\n1. Redistributions of source code must retain
    the above copyright\n notice, this list of conditions and the following disclaimer.
    \n\n2. Redistributions in binary form must reproduce the above copyright\n notice,
    this list of conditions and the following disclaimer in\n the documentation
    and/or other materials provided with the\n distribution.\n\n3. The end-user
    documentation included with the redistribution,\n if any, must include the following
    acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n
    \ Alternately, this acknowledgment may appear in the software itself,\n if
    and wherever such third-party acknowledgments normally appear.\n\n4. The names
    \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products
    derived from this software without prior \n written permission. For written
    permission, please contact \n [email protected].\n\n5. Products derived from
    this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear
    in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE
    IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT
    NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE
    LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL
    DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES;
    LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND
    ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
    NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
    \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
  licenseId: LicenseRef-3
  name: CyberNeko License
  seeAlsos:
  - http://people.apache.org/~andyc/neko/LICENSE
  - http://justasample.url.com
name: SPDX-Tools-v2.0
packages:
- SPDXID: SPDXRef-Package
  annotations:
  - annotationDate: "2011-01-29T18:30:22Z"
    annotationType: OTHER
    annotator: 'Person: Package Commenter'
    comment: Package level annotation
  attributionTexts:
  - The GNU C Library is free software. See the file COPYING.LIB for copying conditions,
    and LICENSES for notices about a few contributions that require these additional
    notices to be distributed. License copyright years may be listed using range
    notation, e.g., 1996-2015, indicating that every year in the range, inclusive,
    is a copyrightable year that would otherwise be listed individually.
  checksums:
  - algorithm: MD5
    checksumValue: 624c1abb3664f4b35547e7c73864ad24
  - algorithm: SHA1
    checksumValue: 85ed0817af83a24ad8da68c2b5094de69833983c
  - algorithm: SHA256
    checksumValue: 11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd
  copyrightText: Copyright 2008-2010 John Smith
  description: The GNU C Library defines functions that are specified by the ISO C
    standard, as well as additional features specific to POSIX and other derivatives
    of the Unix operating system, and extensions specific to GNU systems.
  downloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz
  externalRefs:
  - comment: ""
    referenceCategory: SECURITY
    referenceLocator: cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*
    referenceType: cpe23Type
  - comment: This is the external ref for Acme
    referenceCategory: OTHER
    referenceLocator: acmecorp/acmenator/4.1.3-alpha
    referenceType: http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge
  filesAnalyzed: true
  homepage: http://ftp.gnu.org/gnu/glibc
  licenseComments: The license for this project changed with the release of version
    x.y. The version of the project included here post-dates the license change.
  licenseConcluded: (LGPL-2.0-only OR LicenseRef-3)
  licenseDeclared: (LGPL-2.0-only AND LicenseRef-3)
  licenseInfoFromFiles:
  - GPL-2.0-only
  - LicenseRef-2
  - LicenseRef-1
  name: glibc
  originator: 'Organization: ExampleCodeInspect ([email protected])'
  packageFileName: glibc-2.11.1.tar.gz
  packageVerificationCode:
    packageVerificationCodeExcludedFiles:
    - ./package.spdx
    packageVerificationCodeValue: d6a770ba38583ed4bb4525bd96e50461655d2758
  sourceInfo: uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.
  summary: GNU C library.
  supplier: 'Person: Jane Doe ([email protected])'
  versionInfo: 2.11.1
- SPDXID: SPDXRef-fromDoap-1
  copyrightText: NOASSERTION
  downloadLocation: NOASSERTION
  homepage: http://commons.apache.org/proper/commons-lang/
  licenseConcluded: NOASSERTION
  licenseDeclared: NOASSERTION
  name: Apache Commons Lang
- SPDXID: SPDXRef-fromDoap-0
  copyrightText: NOASSERTION
  downloadLocation: https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz
  externalRefs:
  - comment: ""
    referenceCategory: PACKAGE_MANAGER
    referenceLocator: pkg:maven/org.apache.jena/apache-jena@3.12.0
    referenceType: purl
  homepage: http://www.openjena.org/
  licenseConcluded: NOASSERTION
  licenseDeclared: NOASSERTION
  name: Jena
  versionInfo: 3.12.0
- SPDXID: SPDXRef-Saxon
  checksums:
  - algorithm: SHA1
    checksumValue: 85ed0817af83a24ad8da68c2b5094de69833983c
  copyrightText: Copyright Saxonica Ltd
  description: The Saxon package is a collection of tools for processing XML documents.
  downloadLocation: https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download
  homepage: http://saxon.sourceforge.net/
  licenseComments: Other versions available for a commercial license
  licenseConcluded: MPL-1.0
  licenseDeclared: MPL-1.0
  name: Saxon
  packageFileName: saxonB-8.8.zip
  versionInfo: "8.8"
- SPDXID: SPDXRef-CentOS-7
  builtDate: "2021-09-15T02:38:00Z"
  copyrightText: NOASSERTION
  description: The CentOS container used to run the application.
  downloadLocation: NOASSERTION
  homepage: https://www.centos.org/
  name: centos
  packageFileName: saxonB-8.8.zip
  primaryPackagePurpose: CONTAINER
  releaseDate: "2021-10-15T02:38:00Z"
  validUntilDate: "2022-10-15T02:38:00Z"
  versionInfo: centos7.9.2009
relationships:
- comment: A relationship comment
  relatedSpdxElement: SPDXRef-Package
  relationshipType: CONTAINS
  spdxElementId: SPDXRef-DOCUMENT
- relatedSpdxElement: DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement
  relationshipType: COPY_OF
  spdxElementId: SPDXRef-DOCUMENT
- relatedSpdxElement: SPDXRef-File
  relationshipType: DESCRIBES
  spdxElementId: SPDXRef-DOCUMENT
- relatedSpdxElement: SPDXRef-Package
  relationshipType: DESCRIBES
  spdxElementId: SPDXRef-DOCUMENT
- relatedSpdxElement: SPDXRef-JenaLib
  relationshipType: CONTAINS
  spdxElementId: SPDXRef-Package
- relatedSpdxElement: SPDXRef-Saxon
  relationshipType: DYNAMIC_LINK
  spdxElementId: SPDXRef-Package
- relatedSpdxElement: NOASSERTION
  relationshipType: GENERATED_FROM
  spdxElementId: SPDXRef-CommonsLangSrc
- relatedSpdxElement: SPDXRef-Package
  relationshipType: CONTAINS
  spdxElementId: SPDXRef-JenaLib
- relatedSpdxElement: SPDXRef-fromDoap-0
  relationshipType: GENERATED_FROM
  spdxElementId: SPDXRef-File
snippets:
- SPDXID: SPDXRef-Snippet
  comment: This snippet was identified as significant and highlighted in this Apache-2.0
    file, when a commercial scanner identified it as being derived from file foo.c
    in package xyz which is licensed under GPL-2.0.
  copyrightText: Copyright 2008-2010 John Smith
  licenseComments: The concluded license was taken from package xyz, from which the
    snippet was copied into the current file. The concluded license information was
    found in the COPYING.txt file in package xyz.
  licenseConcluded: GPL-2.0-only
  licenseInfoInSnippets:
  - GPL-2.0-only
  name: from linux kernel
  ranges:
  - endPointer:
      offset: 420
      reference: SPDXRef-DoapSource
    startPointer:
      offset: 310
      reference: SPDXRef-DoapSource
  - endPointer:
      lineNumber: 23
      reference: SPDXRef-DoapSource
    startPointer:
      lineNumber: 5
      reference: SPDXRef-DoapSource
  snippetFromFile: SPDXRef-DoapSource
spdxVersion: SPDX-2.2