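// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later

package v2_3

import "github.com/spdx/tools-golang/spdx/common"

// Package is a Package section of an SPDX Document for version 2.3 of the spec.
//
// The struct is a plain data carrier: nothing in this declaration validates
// field contents, so every string here is whatever the SPDX document author
// supplied. Consumers that act on these values (fetching a download location,
// comparing checksums, rendering text) must validate them first.
type Package struct {
	// NOT PART OF SPEC
	// flag: does this "package" contain files that were in fact "unpackaged",
	// e.g. included directly in the Document without being in a Package?
	IsUnpackaged bool `json:"-" yaml:"-"`

	// 7.1: Package Name
	// Cardinality: mandatory, one
	PackageName string `json:"name"`

	// 7.2: Package SPDX Identifier: "SPDXRef-[idstring]"
	// Cardinality: mandatory, one
	PackageSPDXIdentifier common.ElementID `json:"SPDXID"`

	// 7.3: Package Version
	// Cardinality: optional, one
	PackageVersion string `json:"versionInfo,omitempty"`

	// 7.4: Package File Name
	// Cardinality: optional, one
	PackageFileName string `json:"packageFileName,omitempty"`

	// 7.5: Package Supplier: may have single result for either Person or Organization,
	// or NOASSERTION
	// Cardinality: optional, one
	PackageSupplier *common.Supplier `json:"supplier,omitempty"`

	// 7.6: Package Originator: may have single result for either Person or Organization,
	// or NOASSERTION
	// Cardinality: optional, one
	PackageOriginator *common.Originator `json:"originator,omitempty"`

	// 7.7: Package Download Location
	// Cardinality: mandatory, one
	// The value is stored as an unvalidated string taken from the document;
	// check the scheme and host before any tooling dereferences it.
	PackageDownloadLocation string `json:"downloadLocation"`

	// 7.8: FilesAnalyzed
	// Cardinality: optional, one; default value is "true" if omitted
	// NOTE(review): a Go bool cannot tell "absent" from "false". With
	// omitempty an explicit false is dropped when encoding, and a reader
	// applying the spec default then sees true; an absent key decodes to
	// false here. Unless custom (un)marshalling elsewhere in the package
	// compensates, "files were not analyzed" can be lost on a JSON round
	// trip - confirm before relying on this field.
	FilesAnalyzed bool `json:"filesAnalyzed,omitempty"`
	// NOT PART OF SPEC: did FilesAnalyzed tag appear?
	// Excluded from JSON and YAML output by its tags.
	IsFilesAnalyzedTagPresent bool `json:"-" yaml:"-"`

	// 7.9: Package Verification Code
	// Cardinality: if FilesAnalyzed == true must be present, if FilesAnalyzed == false must be omitted
	// NOTE(review): the spec derives this code from SHA1 file hashes -
	// confirm before treating it as a strong integrity check.
	PackageVerificationCode *common.PackageVerificationCode `json:"packageVerificationCode,omitempty"`

	// 7.10: Package Checksum: may have keys for SHA1, SHA256, SHA512, MD5, SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32
	// Cardinality: optional, one or many
	// MD5, SHA1 and ADLER32 are not collision-resistant; when the entries
	// are used to verify an artifact, prefer a SHA-256-or-stronger entry
	// and do not accept a weak algorithm as the only match.
	PackageChecksums []common.Checksum `json:"checksums,omitempty"`

	// 7.11: Package Home Page
	// Cardinality: optional, one
	PackageHomePage string `json:"homepage,omitempty"`

	// 7.12: Source Information
	// Cardinality: optional, one
	PackageSourceInfo string `json:"sourceInfo,omitempty"`

	// 7.13: Concluded License: SPDX License Expression, "NONE" or "NOASSERTION"
	// Cardinality: optional, one
	PackageLicenseConcluded string `json:"licenseConcluded,omitempty"`

	// 7.14: All Licenses Info from Files: SPDX License Expression, "NONE" or "NOASSERTION"
	// Cardinality: optional, one or many if filesAnalyzed is true / omitted;
	// zero (must be omitted) if filesAnalyzed is false
	PackageLicenseInfoFromFiles []string `json:"licenseInfoFromFiles,omitempty"`

	// 7.15: Declared License: SPDX License Expression, "NONE" or "NOASSERTION"
	// Cardinality: optional, one
	PackageLicenseDeclared string `json:"licenseDeclared,omitempty"`

	// 7.16: Comments on License
	// Cardinality: optional, one
	PackageLicenseComments string `json:"licenseComments,omitempty"`

	// 7.17: Copyright Text: copyright notice(s) text, "NONE" or "NOASSERTION"
	// Cardinality: mandatory, one
	PackageCopyrightText string `json:"copyrightText"`

	// 7.18: Package Summary Description
	// Cardinality: optional, one
	PackageSummary string `json:"summary,omitempty"`

	// 7.19: Package Detailed Description
	// Cardinality: optional, one
	PackageDescription string `json:"description,omitempty"`

	// 7.20: Package Comment
	// Cardinality: optional, one
	PackageComment string `json:"comment,omitempty"`

	// 7.21: Package External Reference
	// Cardinality: optional, one or many
	PackageExternalReferences []*PackageExternalReference `json:"externalRefs,omitempty"`

	// 7.22: Package External Reference Comment
	// Cardinality: conditional (optional, one) for each External Reference
	// There is no field for it here: the comment is carried by each
	// PackageExternalReference entry, if present.

	// 7.23: Package Attribution Text
	// Cardinality: optional, one or many
	PackageAttributionTexts []string `json:"attributionTexts,omitempty"`

	// 7.24: Primary Package Purpose
	// Cardinality: optional, one or many
	// Allowed values: APPLICATION, FRAMEWORK, LIBRARY, CONTAINER, OPERATING-SYSTEM, DEVICE, FIRMWARE, SOURCE, ARCHIVE, FILE, INSTALL, OTHER
	// NOTE(review): the field is a single string, so only one purpose can
	// be represented, and the allowed values are not enforced by the type.
	PrimaryPackagePurpose string `json:"primaryPackagePurpose,omitempty"`

	// 7.25: Release Date: YYYY-MM-DDThh:mm:ssZ
	// Cardinality: optional, one
	// Kept as a string; the timestamp format is not enforced by the type.
	ReleaseDate string `json:"releaseDate,omitempty"`

	// 7.26: Built Date: YYYY-MM-DDThh:mm:ssZ
	// Cardinality: optional, one
	// Kept as a string; the timestamp format is not enforced by the type.
	BuiltDate string `json:"builtDate,omitempty"`

	// 7.27: Valid Until Date: YYYY-MM-DDThh:mm:ssZ
	// Cardinality: optional, one
	// Kept as a string; the timestamp format is not enforced by the type.
	ValidUntilDate string `json:"validUntilDate,omitempty"`

	// Files contained in this Package
	Files []*File `json:"files,omitempty"`

	// Annotations attached to this Package.
	Annotations []Annotation `json:"annotations,omitempty"`
}

// PackageExternalReference is an External Reference to additional info
// about a Package, as defined in section 7.21 in version 2.3 of the spec.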
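type PackageExternalReference struct {
	// category is "SECURITY", "PACKAGE-MANAGER" or "OTHER"
	// NOTE(review): the 2.3 spec also lists PERSISTENT-ID; the string is
	// not validated by this type, so check it before branching on it.
	Category string `json:"referenceCategory"`

	// type is an [idstring] as defined in Appendix VI;
	// called RefType here due to "type" being a Golang keyword
	RefType string `json:"referenceType"`

	// locator is a unique string to access the package-specific
	// info, metadata or content within the target location
	// The locator is stored exactly as the document supplied it; treat it
	// as untrusted input when resolving it or matching it against
	// advisory data.
	Locator string `json:"referenceLocator"`

	// 7.22: Package External Reference Comment
	// Cardinality: conditional (optional, one) for each External Reference
	ExternalRefComment string `json:"comment,omitempty"`
}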