ISO/IEC 5962:2021 pdf download – Information technology — SPDX ® Specification V2.2.1.
4.4 Standard data format requirements The data format specification and recommendations are subject to the following constraints: — Shall be in a human readable form. — Shall be in a syntax that a software tool can read and write. — Shall be suitable to be checked for syntactic correctness automatically, independent of how it was generated (human or tool). — The SPDX document character set shall support UTF-8 encoding. — Multiple serialization formats may be used to represent the information being exchanged. Current supported formats include: — YAML 1.2 see: https://yaml.org/spec/1.2/spec.html — JavaScript Object Notation (JSON) see: ECMA-404 — The JSON Schema for SPDX can be found in the SPDX Spec Git Repository Schema directory — Resource Description Framework (RDF also referred to as RDF/XML) see: https://www.w3.org/TR/rdf-syntax-grammar/ — tag:value flat text file as described in this specification — .xls spreadsheets — In addition to the supported formats, the following format is in development with a plan to complete the specification in the next release: — Extensible Markup Language (XML) see: https://www.w3.org/TR/2008/REC-xml- 20081126/ — Interoperability between all the supported file formats shall be preserved. SPDX defines how to validate a document in each supported format, and how to translate a valid document without loss to each other supported format.
4.5 Trademark Compliance To be designated an SPDX document, a file shall comply with the requirements of the SPDX Trademark License (See the SPDX Trademark Page). The official copyright notice that shall be used with any verbatim reproduction and/or distribution of this SPDX Specification 2.2.1 is: “Official SPDX® Specification 2.2.1 Copyright © 2010-2020 Linux Foundation and its Contributors. Licensed under the Creative Commons Attribution License 3.0 Unported. All other rights are expressly reserved.” The official copyright notice that shall be used with any non-verbatim reproduction and/or distribution of this SPDX Specification 2.2.1, including without limitation any partial use or combining this SPDX Specification with another work, is: “This is not an official SPDX Specification. Portions herein have been reproduced from SPDX® Specification 2.2.1 found at spdx.dev. These portions are Copyright © 2010-2020 Linux Foundation and its Contributors, and are licensed under the Creative Commons Attribution License 3.0 Unported by the Linux Foundation and its Contributors. All other rights are expressly reserved by Linux Foundation and its Contributors.” 4.6 The SPDX Lite profile Rather than conforming to this whole specification, an implementation may conform with SPDX Lite only, a profile that defines a subset of the SPDX specification. SPDX Lite aims at the balance between the SPDX standard and actual workflows in some industries. See Annex G for more information.
5.2 Sections 5.2.1 SPDX document creation information section An instance of this section provides the necessary information for forward and backward compatibility for processing tools. One instance shall be present for each SPDX document produced. Cardinality: Mandatory, one. See Clause 6 for details of the fields in this kind of section. 5.2.2 Package information section If SPDX information is being used to describe packages, then one instance of the Package Information per package being described shall exist. It provides important meta information about the package as a whole. Packages are an abstract concept that can be used to refer to any distribution of software, typically consisting of one or more files and capable of containing sub-packages. Starting with SPDX 2.0, it is not necessary to have a package wrapping a set of files. A Package refers to any unit of content that can be associated with a distribution of software. Typically, a Package is composed of one or more files. An SPDX document may, but is not required to, provide details about the individual files comprising a Package (see Clause 8). Any of the following non-limiting examples may be (but are not required to be) represented in SPDX as a Package: — a tarball, zip file or other archive — a directory or sub-directory — a separately distributed piece of software which another Package or File uses or depends upon (e.g., a Python package, a Go module, …) — a container image, and/or each image layer within a container image