diff --git a/pom.xml b/pom.xml
index be74737..c57d7bc 100644
--- a/pom.xml
+++ b/pom.xml
@@ -115,10 +115,20 @@
4.13.2
test
-
+
+ org.spdx
+ spdx-java-model-3_0
+ 1.0.2-SNAPSHOT
+
+
+ org.spdx
+ spdx-java-core
+ 1.0.2-SNAPSHOT
+
+
org.spdx
java-spdx-library
- 2.0.1
+ 2.0.2-SNAPSHOT
org.spdx
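Review bot: All three org.spdx versions on the new side of this hunk are mutable SNAPSHOT coordinates (`1.0.2-SNAPSHOT` for spdx-java-model-3_0 and spdx-java-core, `2.0.2-SNAPSHOT` for java-spdx-library), so two builds of the same commit can resolve different jars. The build therefore cannot be reproduced or tied to a specific reviewed artifact. The same applies to spdx-v3jsonld-store `1.0.2-SNAPSHOT` in the next hunk. Whether a snapshot repository is configured elsewhere in the pom is not visible here, and the two newly declared artifacts look like they would otherwise arrive transitively through java-spdx-library, which is worth confirming. I would mark the block with `<!-- TODO: replace -SNAPSHOT versions with released versions before tagging a release -->` and gate releases on having no SNAPSHOT dependencies.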
@@ -143,7 +153,7 @@
org.spdx
spdx-v3jsonld-store
- 1.0.1
+ 1.0.2-SNAPSHOT
com.networknt
@@ -156,6 +166,11 @@
2.0.17
true
+
+ org.apache.jena
+ jena-shacl
+ 5.6.0
+
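Review bot: The added org.apache.jena:jena-shacl `5.6.0` is from the Jena 5 line, which requires Java 17 or later, so the minimum runtime rises with this dependency if the project still targets an older release level. The compiler target is not visible in this hunk and needs confirming. It also brings Jena's core and ARQ modules into the dependency tree, widening the set of libraries that parse SPDX input supplied by users. The dependency is presumably there for validation against the SHACL file added in this commit. I would record that above it, e.g. `<!-- jena-shacl: SHACL validation against resources/spdx-shacl-v3.0.1.ttl; requires Java 17+ -->`.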
diff --git a/resources/spdx-shacl-v3.0.1.ttl b/resources/spdx-shacl-v3.0.1.ttl
new file mode 100644
index 0000000..efd3c0a
--- /dev/null
+++ b/resources/spdx-shacl-v3.0.1.ttl
@@ -0,0 +1,3330 @@
+@prefix dcterms: .
+@prefix ns1: .
+@prefix ns2: .
+@prefix ns3: .
+@prefix ns4: .
+@prefix ns5: .
+@prefix ns6: .
+@prefix omg-ann: .
+@prefix owl: .
+@prefix rdf: .
+@prefix rdfs: .
+@prefix sh: .
+@prefix spdx: .
+@prefix xsd: .
+
+ns5:AIPackage a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "Specifies an AI package and its associated information."@en ;
+ rdfs:subClassOf ns3:Package ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:datatype xsd:string ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns5:domain ],
+ [ sh:class ns5:EnergyConsumption ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:BlankNodeOrIRI ;
+ sh:path ns5:energyConsumption ],
+ [ sh:class ns1:DictionaryEntry ;
+ sh:nodeKind sh:BlankNodeOrIRI ;
+ sh:path ns5:hyperparameter ],
+ [ sh:datatype xsd:string ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns5:modelExplainability ],
+ [ sh:datatype xsd:string ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns5:standardCompliance ],
+ [ sh:class ns1:DictionaryEntry ;
+ sh:nodeKind sh:BlankNodeOrIRI ;
+ sh:path ns5:metricDecisionThreshold ],
+ [ sh:datatype xsd:string ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns5:typeOfModel ],
+ [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns5:informationAboutApplication ],
+ [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns5:informationAboutTraining ],
+ [ sh:class ns1:DictionaryEntry ;
+ sh:nodeKind sh:BlankNodeOrIRI ;
+ sh:path ns5:metric ],
+ [ sh:datatype xsd:string ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns5:modelDataPreprocessing ],
+ [ sh:class ns1:PresenceType ;
+ sh:in ( ) ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns5:useSensitivePersonalInformation ],
+ [ sh:class ns1:PresenceType ;
+ sh:in ( ) ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns5:autonomyType ],
+ [ sh:class ns5:SafetyRiskAssessmentType ;
+ sh:in ( ) ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns5:safetyRiskAssessment ],
+ [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns5:limitation ] .
+
+ a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "Class that describes a build instance of software/artifacts."@en ;
+ rdfs:subClassOf ns1:Element ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ],
+ [ sh:datatype xsd:anyURI ;
+ sh:nodeKind sh:Literal ;
+ sh:path ],
+ [ sh:datatype xsd:dateTimeStamp ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ;
+ sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ],
+ [ sh:class ns1:Hash ;
+ sh:nodeKind sh:BlankNodeOrIRI ;
+ sh:path ],
+ [ sh:class ns1:DictionaryEntry ;
+ sh:nodeKind sh:BlankNodeOrIRI ;
+ sh:path ],
+ [ sh:datatype xsd:anyURI ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ],
+ [ sh:datatype xsd:string ;
+ sh:nodeKind sh:Literal ;
+ sh:path ],
+ [ sh:datatype xsd:dateTimeStamp ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ;
+ sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ],
+ [ sh:class ns1:DictionaryEntry ;
+ sh:nodeKind sh:BlankNodeOrIRI ;
+ sh:path ] .
+
+ns1:Annotation a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "An assertion made in relation to one or more elements."@en ;
+ rdfs:subClassOf ns1:Element ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:class ns1:Element ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns1:subject ],
+ [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns1:contentType ;
+ sh:pattern "^[^\\/]+\\/[^\\/]+$" ],
+ [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns1:statement ],
+ [ sh:class ns1:AnnotationType ;
+ sh:in ( ) ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns1:annotationType ] .
+
+ns1:LifecycleScopedRelationship a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "Provide context for a relationship that occurs in the lifecycle."@en ;
+ rdfs:subClassOf ns1:Relationship ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:class ns1:LifecycleScopeType ;
+ sh:in ( ) ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns1:scope ] .
+
+ns1:NoAssertionElement a owl:NamedIndividual,
+ ns1:IndividualElement ;
+ rdfs:comment """An Individual Value for Element representing a set of Elements of unknown
+identify or cardinality (number)."""@en ;
+ ns1:creationInfo .
+
+ns1:NoneElement a owl:NamedIndividual,
+ ns1:IndividualElement ;
+ rdfs:comment """An Individual Value for Element representing a set of Elements with
+cardinality (number/count) of zero."""@en ;
+ ns1:creationInfo .
+
+ns1:PackageVerificationCode a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "An SPDX version 2.X compatible verification method for software packages."@en ;
+ rdfs:subClassOf ns1:IntegrityMethod ;
+ sh:nodeKind sh:BlankNodeOrIRI ;
+ sh:property [ sh:class ns1:HashAlgorithm ;
+ sh:in ( ) ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns1:algorithm ],
+ [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns1:hashValue ],
+ [ sh:datatype xsd:string ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns1:packageVerificationCodeExcludedFile ] .
+
+ns1:Person a owl:Class ;
+ rdfs:comment "An individual human being."@en ;
+ rdfs:subClassOf ns1:Agent ;
+ sh:nodeKind sh:IRI .
+
+ns1:SoftwareAgent a owl:Class ;
+ rdfs:comment "A software agent."@en ;
+ rdfs:subClassOf ns1:Agent ;
+ sh:nodeKind sh:IRI .
+
+ns1:SpdxDocument a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "A collection of SPDX Elements that could potentially be serialized."@en ;
+ rdfs:subClassOf ns1:ElementCollection ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:class ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns1:dataLicense ],
+ [ sh:class ns1:NamespaceMap ;
+ sh:nodeKind sh:BlankNodeOrIRI ;
+ sh:path ns1:namespaceMap ],
+ [ sh:class ns1:ExternalMap ;
+ sh:nodeKind sh:BlankNodeOrIRI ;
+ sh:path ns1:import ] .
+
+ns4:DatasetPackage a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "Specifies a data package and its associated information."@en ;
+ rdfs:subClassOf ns3:Package ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:datatype xsd:string ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns4:knownBias ],
+ [ sh:class ns4:DatasetAvailabilityType ;
+ sh:in ( ) ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns4:datasetAvailability ],
+ [ sh:class ns1:PresenceType ;
+ sh:in ( ) ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns4:hasSensitivePersonalInformation ],
+ [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns4:dataCollectionProcess ],
+ [ sh:class ns4:DatasetType ;
+ sh:in ( ) ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns4:datasetType ],
+ [ sh:class ns4:ConfidentialityLevelType ;
+ sh:in ( ) ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns4:confidentialityLevel ],
+ [ sh:datatype xsd:string ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns4:anonymizationMethodUsed ],
+ [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns4:datasetUpdateMechanism ],
+ [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns4:datasetNoise ],
+ [ sh:datatype xsd:nonNegativeInteger ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns4:datasetSize ],
+ [ sh:class ns1:DictionaryEntry ;
+ sh:nodeKind sh:BlankNodeOrIRI ;
+ sh:path ns4:sensor ],
+ [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns4:intendedUse ],
+ [ sh:datatype xsd:string ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns4:dataPreprocessing ] .
+
+ns6:ConjunctiveLicenseSet a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment """Portion of an AnyLicenseInfo representing a set of licensing information
+where all elements apply."""@en ;
+ rdfs:subClassOf ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:class ;
+ sh:minCount 2 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns6:member ] .
+
+ns6:CustomLicense a owl:Class ;
+ rdfs:comment "A license that is not listed on the SPDX License List."@en ;
+ rdfs:subClassOf ns6:License ;
+ sh:nodeKind sh:IRI .
+
+ns6:CustomLicenseAddition a owl:Class ;
+ rdfs:comment "A license addition that is not listed on the SPDX Exceptions List."@en ;
+ rdfs:subClassOf ns6:LicenseAddition ;
+ sh:nodeKind sh:IRI .
+
+ns6:DisjunctiveLicenseSet a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment """Portion of an AnyLicenseInfo representing a set of licensing information where
+only one of the elements applies."""@en ;
+ rdfs:subClassOf ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:class ;
+ sh:minCount 2 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns6:member ] .
+
+ns6:ListedLicense a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "A license that is listed on the SPDX License List."@en ;
+ rdfs:subClassOf ns6:License ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns6:listVersionAdded ],
+ [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns6:deprecatedVersion ] .
+
+ns6:ListedLicenseException a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "A license exception that is listed on the SPDX Exceptions list."@en ;
+ rdfs:subClassOf ns6:LicenseAddition ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns6:deprecatedVersion ],
+ [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns6:listVersionAdded ] .
+
+ns6:NoAssertionLicense a owl:NamedIndividual,
+ ns6:IndividualLicensingInfo ;
+ rdfs:comment """An Individual Value for License when no assertion can be made about its actual
+value."""@en ;
+ owl:sameAs ;
+ ns1:creationInfo .
+
+ns6:NoneLicense a owl:NamedIndividual,
+ ns6:IndividualLicensingInfo ;
+ rdfs:comment """An Individual Value for License where the SPDX data creator determines that no
+license is present."""@en ;
+ owl:sameAs ;
+ ns1:creationInfo .
+
+ns6:OrLaterOperator a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment """Portion of an AnyLicenseInfo representing this version, or any later version,
+of the indicated License."""@en ;
+ rdfs:subClassOf ns6:ExtendableLicense ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:class ns6:License ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns6:subjectLicense ] .
+
+ns6:WithAdditionOperator a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment """Portion of an AnyLicenseInfo representing a License which has additional
+text applied to it."""@en ;
+ rdfs:subClassOf ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:class ns6:ExtendableLicense ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns6:subjectExtendableLicense ],
+ [ sh:class ns6:LicenseAddition ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns6:subjectAddition ] .
+
+ a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "A type of extension consisting of a list of name value pairs."@en ;
+ rdfs:subClassOf ;
+ sh:nodeKind sh:BlankNodeOrIRI ;
+ sh:property [ sh:class ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:BlankNodeOrIRI ;
+ sh:path ] .
+
+ns2:CvssV2VulnAssessmentRelationship a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "Provides a CVSS version 2.0 assessment for a vulnerability."@en ;
+ rdfs:subClassOf ns2:VulnAssessmentRelationship ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns2:vectorString ],
+ [ sh:datatype xsd:decimal ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns2:score ] .
+
+ns2:CvssV3VulnAssessmentRelationship a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "Provides a CVSS version 3 assessment for a vulnerability."@en ;
+ rdfs:subClassOf ns2:VulnAssessmentRelationship ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:datatype xsd:decimal ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns2:score ],
+ [ sh:class ns2:CvssSeverityType ;
+ sh:in ( ) ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns2:severity ],
+ [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns2:vectorString ] .
+
+ns2:CvssV4VulnAssessmentRelationship a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "Provides a CVSS version 4 assessment for a vulnerability."@en ;
+ rdfs:subClassOf ns2:VulnAssessmentRelationship ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:class ns2:CvssSeverityType ;
+ sh:in ( ) ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns2:severity ],
+ [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns2:vectorString ],
+ [ sh:datatype xsd:decimal ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns2:score ] .
+
+ns2:EpssVulnAssessmentRelationship a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "Provides an EPSS assessment for a vulnerability."@en ;
+ rdfs:subClassOf ns2:VulnAssessmentRelationship ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:datatype xsd:decimal ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns2:probability ],
+ [ sh:datatype xsd:decimal ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns2:percentile ] .
+
+ns2:ExploitCatalogVulnAssessmentRelationship a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "Provides an exploit assessment of a vulnerability."@en ;
+ rdfs:subClassOf ns2:VulnAssessmentRelationship ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:datatype xsd:anyURI ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns2:locator ],
+ [ sh:datatype xsd:boolean ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns2:exploited ],
+ [ sh:class ns2:ExploitCatalogType ;
+ sh:in ( ) ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns2:catalogType ] .
+
+ns2:SsvcVulnAssessmentRelationship a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "Provides an SSVC assessment for a vulnerability."@en ;
+ rdfs:subClassOf ns2:VulnAssessmentRelationship ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:class ns2:SsvcDecisionType ;
+ sh:in ( ) ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns2:decisionType ] .
+
+ns2:VexAffectedVulnAssessmentRelationship a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment """Connects a vulnerability and an element designating the element as a product
+affected by the vulnerability."""@en ;
+ rdfs:subClassOf ns2:VexVulnAssessmentRelationship ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns2:actionStatement ],
+ [ sh:datatype xsd:dateTimeStamp ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns2:actionStatementTime ;
+ sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ] .
+
+ns2:VexFixedVulnAssessmentRelationship a owl:Class ;
+ rdfs:comment """Links a vulnerability and elements representing products (in the VEX sense) where
+a fix has been applied and are no longer affected."""@en ;
+ rdfs:subClassOf ns2:VexVulnAssessmentRelationship ;
+ sh:nodeKind sh:IRI .
+
+ns2:VexNotAffectedVulnAssessmentRelationship a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment """Links a vulnerability and one or more elements designating the latter as products
+not affected by the vulnerability."""@en ;
+ rdfs:subClassOf ns2:VexVulnAssessmentRelationship ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:datatype xsd:dateTimeStamp ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns2:impactStatementTime ;
+ sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ],
+ [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns2:impactStatement ],
+ [ sh:class ns2:VexJustificationType ;
+ sh:in ( ) ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns2:justificationType ] .
+
+ns2:VexUnderInvestigationVulnAssessmentRelationship a owl:Class ;
+ rdfs:comment """Designates elements as products where the impact of a vulnerability is being
+investigated."""@en ;
+ rdfs:subClassOf ns2:VexVulnAssessmentRelationship ;
+ sh:nodeKind sh:IRI .
+
+ns2:Vulnerability a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "Specifies a vulnerability and its associated information."@en ;
+ rdfs:subClassOf ns1:Artifact ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:datatype xsd:dateTimeStamp ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns2:withdrawnTime ;
+ sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ],
+ [ sh:datatype xsd:dateTimeStamp ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns2:modifiedTime ;
+ sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ],
+ [ sh:datatype xsd:dateTimeStamp ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns2:publishedTime ;
+ sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ] .
+
+ a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "An SPDX Element containing an SPDX license expression string."@en ;
+ rdfs:subClassOf ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ],
+ [ sh:class ns1:DictionaryEntry ;
+ sh:nodeKind sh:BlankNodeOrIRI ;
+ sh:path ],
+ [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ;
+ sh:pattern "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" ] .
+
+ a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "A license or addition that is not listed on the SPDX License List."@en ;
+ rdfs:subClassOf ns1:Element ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ] .
+
+ns3:Sbom a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "A collection of SPDX Elements describing a single package."@en ;
+ rdfs:subClassOf ns1:Bom ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:class ns3:SbomType ;
+ sh:in ( ) ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns3:sbomType ] .
+
+ns3:Snippet a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "Describes a certain part of a file."@en ;
+ rdfs:subClassOf ns3:SoftwareArtifact ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:class ns3:File ;
+ sh:maxCount 1 ;
+ sh:minCount 1 ;
+ sh:nodeKind sh:IRI ;
+ sh:path ns3:snippetFromFile ],
+ [ sh:class ns1:PositiveIntegerRange ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:BlankNodeOrIRI ;
+ sh:path ns3:lineRange ],
+ [ sh:class ns1:PositiveIntegerRange ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:BlankNodeOrIRI ;
+ sh:path ns3:byteRange ] .
+
+ a ns1:CreationInfo ;
+ rdfs:comment "This individual element was defined by the spec."@en ;
+ ns1:created "2024-11-22T03:00:01Z"^^xsd:dateTimeStamp ;
+ ns1:createdBy ns1:SpdxOrganization ;
+ ns1:specVersion "3.0.1" .
+
+ a ns1:CreationInfo ;
+ rdfs:comment "This individual element was defined by the spec."@en ;
+ ns1:created "2024-11-22T03:00:01Z"^^xsd:dateTimeStamp ;
+ ns1:createdBy ns1:SpdxOrganization ;
+ ns1:specVersion "3.0.1" .
+
+ a ns1:CreationInfo ;
+ rdfs:comment "This individual element was defined by the spec."@en ;
+ ns1:created "2024-11-22T03:00:01Z"^^xsd:dateTimeStamp ;
+ ns1:createdBy ns1:SpdxOrganization ;
+ ns1:specVersion "3.0.1" .
+
+ a ns1:CreationInfo ;
+ rdfs:comment "This individual element was defined by the spec."@en ;
+ ns1:created "2024-11-22T03:00:01Z"^^xsd:dateTimeStamp ;
+ ns1:createdBy ns1:SpdxOrganization ;
+ ns1:specVersion "3.0.1" .
+
+ a ns1:CreationInfo ;
+ rdfs:comment "This individual element was defined by the spec."@en ;
+ ns1:created "2024-11-22T03:00:01Z"^^xsd:dateTimeStamp ;
+ ns1:createdBy ns1:SpdxOrganization ;
+ ns1:specVersion "3.0.1" .
+
+spdx: a owl:Ontology ;
+ rdfs:label "System Package Data Exchange (SPDX) Ontology"@en ;
+ dcterms:abstract "This ontology defines the terms and relationships used in the SPDX specification to describe system packages"@en ;
+ dcterms:created "2024-04-05"^^xsd:date ;
+ dcterms:creator "SPDX Project"@en ;
+ dcterms:license ;
+ dcterms:references ;
+ dcterms:title "System Package Data Exchange (SPDX) Ontology"@en ;
+ owl:versionIRI spdx: ;
+ omg-ann:copyright "Copyright (C) 2024 SPDX Project"@en .
+
+ a owl:NamedIndividual,
+ ns5:EnergyUnitType ;
+ rdfs:label "kilowattHour" ;
+ rdfs:comment "Kilowatt-hour."@en .
+
+ a owl:NamedIndividual,
+ ns5:EnergyUnitType ;
+ rdfs:label "megajoule" ;
+ rdfs:comment "Megajoule."@en .
+
+ a owl:NamedIndividual,
+ ns5:EnergyUnitType ;
+ rdfs:label "other" ;
+ rdfs:comment "Any other units of energy measurement."@en .
+
+ a owl:NamedIndividual,
+ ns5:SafetyRiskAssessmentType ;
+ rdfs:label "high" ;
+ rdfs:comment "The second-highest level of risk posed by an AI system."@en .
+
+ a owl:NamedIndividual,
+ ns5:SafetyRiskAssessmentType ;
+ rdfs:label "low" ;
+ rdfs:comment "Low/no risk is posed by an AI system."@en .
+
+ a owl:NamedIndividual,
+ ns5:SafetyRiskAssessmentType ;
+ rdfs:label "medium" ;
+ rdfs:comment "The third-highest level of risk posed by an AI system."@en .
+
+ a owl:NamedIndividual,
+ ns5:SafetyRiskAssessmentType ;
+ rdfs:label "serious" ;
+ rdfs:comment "The highest level of risk posed by an AI system."@en .
+
+ns5:autonomyType a owl:ObjectProperty ;
+ rdfs:comment """Indicates whether the system can perform a decision or action without human
+involvement or guidance."""@en ;
+ rdfs:range ns1:PresenceType .
+
+ns5:domain a owl:DatatypeProperty ;
+ rdfs:comment "Captures the domain in which the AI package can be used."@en ;
+ rdfs:range xsd:string .
+
+ns5:energyConsumption a owl:ObjectProperty ;
+ rdfs:comment "Indicates the amount of energy consumption incurred by an AI model."@en ;
+ rdfs:range ns5:EnergyConsumption .
+
+ns5:energyQuantity a owl:DatatypeProperty ;
+ rdfs:comment "Represents the energy quantity."@en ;
+ rdfs:range xsd:decimal .
+
+ns5:energyUnit a owl:ObjectProperty ;
+ rdfs:comment "Specifies the unit in which energy is measured."@en ;
+ rdfs:range ns5:EnergyUnitType .
+
+ns5:finetuningEnergyConsumption a owl:ObjectProperty ;
+ rdfs:comment """Specifies the amount of energy consumed when finetuning the AI model that is
+being used in the AI system."""@en ;
+ rdfs:range ns5:EnergyConsumptionDescription .
+
+ns5:hyperparameter a owl:ObjectProperty ;
+ rdfs:comment """Records a hyperparameter used to build the AI model contained in the AI
+package."""@en ;
+ rdfs:range ns1:DictionaryEntry .
+
+ns5:inferenceEnergyConsumption a owl:ObjectProperty ;
+ rdfs:comment """Specifies the amount of energy consumed during inference time by an AI model
+that is being used in the AI system."""@en ;
+ rdfs:range ns5:EnergyConsumptionDescription .
+
+ns5:informationAboutApplication a owl:DatatypeProperty ;
+ rdfs:comment """Provides relevant information about the AI software, not including the model
+description."""@en ;
+ rdfs:range xsd:string .
+
+ns5:informationAboutTraining a owl:DatatypeProperty ;
+ rdfs:comment "Describes relevant information about different steps of the training process."@en ;
+ rdfs:range xsd:string .
+
+ns5:limitation a owl:DatatypeProperty ;
+ rdfs:comment "Captures a limitation of the AI software."@en ;
+ rdfs:range xsd:string .
+
+ns5:metric a owl:ObjectProperty ;
+ rdfs:comment "Records the measurement of prediction quality of the AI model."@en ;
+ rdfs:range ns1:DictionaryEntry .
+
+ns5:metricDecisionThreshold a owl:ObjectProperty ;
+ rdfs:comment """Captures the threshold that was used for computation of a metric described in
+the metric field."""@en ;
+ rdfs:range ns1:DictionaryEntry .
+
+ns5:modelDataPreprocessing a owl:DatatypeProperty ;
+ rdfs:comment """Describes all the preprocessing steps applied to the training data before the
+model training."""@en ;
+ rdfs:range xsd:string .
+
+ns5:modelExplainability a owl:DatatypeProperty ;
+ rdfs:comment "Describes methods that can be used to explain the results from the AI model."@en ;
+ rdfs:range xsd:string .
+
+ns5:safetyRiskAssessment a owl:ObjectProperty ;
+ rdfs:comment "Records the results of general safety risk assessment of the AI system."@en ;
+ rdfs:range ns5:SafetyRiskAssessmentType .
+
+ns5:standardCompliance a owl:DatatypeProperty ;
+ rdfs:comment "Captures a standard that is being complied with."@en ;
+ rdfs:range xsd:string .
+
+ns5:trainingEnergyConsumption a owl:ObjectProperty ;
+ rdfs:comment """Specifies the amount of energy consumed when training the AI model that is
+being used in the AI system."""@en ;
+ rdfs:range ns5:EnergyConsumptionDescription .
+
+ns5:typeOfModel a owl:DatatypeProperty ;
+ rdfs:comment "Records the type of the model used in the AI software."@en ;
+ rdfs:range xsd:string .
+
+ns5:useSensitivePersonalInformation a owl:ObjectProperty ;
+ rdfs:comment """Records if sensitive personal information is used during model training or
+could be used during the inference."""@en ;
+ rdfs:range ns1:PresenceType .
+
+ a owl:DatatypeProperty ;
+ rdfs:comment "Property that describes the time at which a build stops."@en ;
+ rdfs:range xsd:dateTimeStamp .
+
+ a owl:DatatypeProperty ;
+ rdfs:comment """A buildId is a locally unique identifier used by a builder to identify a unique
+instance of a build produced by it."""@en ;
+ rdfs:range xsd:string .
+
+ a owl:DatatypeProperty ;
+ rdfs:comment "Property describing the start time of a build."@en ;
+ rdfs:range xsd:dateTimeStamp .
+
+ a owl:DatatypeProperty ;
+ rdfs:comment """A buildType is a hint that is used to indicate the toolchain, platform, or
+infrastructure that the build was invoked on."""@en ;
+ rdfs:range xsd:anyURI .
+
+ a owl:ObjectProperty ;
+ rdfs:comment """Property that describes the digest of the build configuration file used to
+invoke a build."""@en ;
+ rdfs:range ns1:Hash .
+
+ a owl:DatatypeProperty ;
+ rdfs:comment "Property describes the invocation entrypoint of a build."@en ;
+ rdfs:range xsd:string .
+
+ a owl:DatatypeProperty ;
+ rdfs:comment "Property that describes the URI of the build configuration source file."@en ;
+ rdfs:range xsd:anyURI .
+
+ a owl:ObjectProperty ;
+ rdfs:comment "Property describing the session in which a build is invoked."@en ;
+ rdfs:range ns1:DictionaryEntry .
+
+ a owl:ObjectProperty ;
+ rdfs:comment "Property describing a parameter used in an instance of a build."@en ;
+ rdfs:range ns1:DictionaryEntry .
+
+ a owl:NamedIndividual,
+ ns1:AnnotationType ;
+ rdfs:label "other" ;
+ rdfs:comment "Used to store extra information about an Element which is not part of a review (e.g. extra information provided during the creation of the Element)."@en .
+
+ a owl:NamedIndividual,
+ ns1:AnnotationType ;
+ rdfs:label "review" ;
+ rdfs:comment "Used when someone reviews the Element."@en .
+
+ns1:Bom a owl:Class ;
+ rdfs:comment """A container for a grouping of SPDX-3.0 content characterizing details
+(provenence, composition, licensing, etc.) about a product."""@en ;
+ rdfs:subClassOf ns1:Bundle ;
+ sh:nodeKind sh:IRI .
+
+ns1:Bundle a owl:Class,
+ sh:NodeShape ;
+ rdfs:comment "A collection of Elements that have a shared context."@en ;
+ rdfs:subClassOf ns1:ElementCollection ;
+ sh:nodeKind sh:IRI ;
+ sh:property [ sh:datatype xsd:string ;
+ sh:maxCount 1 ;
+ sh:nodeKind sh:Literal ;
+ sh:path ns1:context ] .
+
+ a owl:NamedIndividual,
+ ns1:ExternalIdentifierType ;
+ rdfs:label "cpe22" ;
+ rdfs:comment "[Common Platform Enumeration Specification 2.2](https://cpe.mitre.org/files/cpe-specification_2.2.pdf)"@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalIdentifierType ;
+ rdfs:label "cpe23" ;
+ rdfs:comment "[Common Platform Enumeration: Naming Specification Version 2.3](https://csrc.nist.gov/publications/detail/nistir/7695/final)"@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalIdentifierType ;
+ rdfs:label "cve" ;
+ rdfs:comment "Common Vulnerabilities and Exposures identifiers, an identifier for a specific software flaw defined within the official CVE Dictionary and that conforms to the [CVE specification](https://csrc.nist.gov/glossary/term/cve_id)."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalIdentifierType ;
+ rdfs:label "email" ;
+ rdfs:comment "Email address, as defined in [RFC 3696](https://datatracker.ietf.org/doc/rfc3986/) Section 3."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalIdentifierType ;
+ rdfs:label "gitoid" ;
+ rdfs:comment "[Gitoid](https://www.iana.org/assignments/uri-schemes/prov/gitoid), stands for [Git Object ID](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects). A gitoid of type blob is a unique hash of a binary artifact. A gitoid may represent either an [Artifact Identifier](https://github.com/omnibor/spec/blob/eb1ee5c961c16215eb8709b2975d193a2007a35d/spec/SPEC.md#artifact-identifier-types) for the software artifact or an [Input Manifest Identifier](https://github.com/omnibor/spec/blob/eb1ee5c961c16215eb8709b2975d193a2007a35d/spec/SPEC.md#input-manifest-identifier) for the software artifact's associated [Artifact Input Manifest](https://github.com/omnibor/spec/blob/eb1ee5c961c16215eb8709b2975d193a2007a35d/spec/SPEC.md#artifact-input-manifest); this ambiguity exists because the Artifact Input Manifest is itself an artifact, and the gitoid of that artifact is its valid identifier. Gitoids calculated on software artifacts (Snippet, File, or Package Elements) should be recorded in the SPDX 3.0 SoftwareArtifact's contentIdentifier property. Gitoids calculated on the Artifact Input Manifest (Input Manifest Identifier) should be recorded in the SPDX 3.0 Element's externalIdentifier property. See [OmniBOR Specification](https://github.com/omnibor/spec/), a minimalistic specification for describing software [Artifact Dependency Graphs](https://github.com/omnibor/spec/blob/eb1ee5c961c16215eb8709b2975d193a2007a35d/spec/SPEC.md#artifact-dependency-graph-adg)."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalIdentifierType ;
+ rdfs:label "other" ;
+ rdfs:comment "Used when the type does not match any of the other options."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalIdentifierType ;
+ rdfs:label "packageUrl" ;
+ rdfs:comment "Package URL, as defined in the corresponding [Annex](../../../annexes/pkg-url-specification.md) of this specification."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalIdentifierType ;
+ rdfs:label "securityOther" ;
+ rdfs:comment "Used when there is a security related identifier of unspecified type."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalIdentifierType ;
+ rdfs:label "swhid" ;
+ rdfs:comment "SoftWare Hash IDentifier, a persistent intrinsic identifier for digital artifacts, such as files, trees (also known as directories or folders), commits, and other objects typically found in version control systems. The format of the identifiers is defined in the [SWHID specification](https://www.swhid.org/specification/v1.1/4.Syntax) (ISO/IEC DIS 18670). They typically look like `swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2`."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalIdentifierType ;
+ rdfs:label "swid" ;
+ rdfs:comment "Concise Software Identification (CoSWID) tag, as defined in [RFC 9393](https://datatracker.ietf.org/doc/rfc9393/) Section 2.3."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalIdentifierType ;
+ rdfs:label "urlScheme" ;
+ rdfs:comment "[Uniform Resource Identifier (URI) Schemes](https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml). The scheme used in order to locate a resource."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "altDownloadLocation" ;
+ rdfs:comment "A reference to an alternative download location."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "altWebPage" ;
+ rdfs:comment "A reference to an alternative web page."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "binaryArtifact" ;
+ rdfs:comment "A reference to binary artifacts related to a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "bower" ;
+ rdfs:comment "A reference to a Bower package. The package locator format, looks like `package#version`, is defined in the \"install\" section of [Bower API documentation](https://bower.io/docs/api/#install)."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "buildMeta" ;
+ rdfs:comment "A reference build metadata related to a published package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "buildSystem" ;
+ rdfs:comment "A reference build system used to create or publish the package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "certificationReport" ;
+ rdfs:comment "A reference to a certification report for a package from an accredited/independent body."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "chat" ;
+ rdfs:comment "A reference to the instant messaging system used by the maintainer for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "componentAnalysisReport" ;
+ rdfs:comment "A reference to a Software Composition Analysis (SCA) report."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "cwe" ;
+ rdfs:comment "[Common Weakness Enumeration](https://csrc.nist.gov/glossary/term/common_weakness_enumeration). A reference to a source of software flaw defined within the official [CWE List](https://cwe.mitre.org/data/) that conforms to the [CWE specification](https://cwe.mitre.org/)."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "documentation" ;
+ rdfs:comment "A reference to the documentation for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "dynamicAnalysisReport" ;
+ rdfs:comment "A reference to a dynamic analysis report for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "eolNotice" ;
+ rdfs:comment "A reference to the End Of Sale (EOS) and/or End Of Life (EOL) information related to a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "exportControlAssessment" ;
+ rdfs:comment "A reference to a export control assessment for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "funding" ;
+ rdfs:comment "A reference to funding information related to a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "issueTracker" ;
+ rdfs:comment "A reference to the issue tracker for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "license" ;
+ rdfs:comment "A reference to additional license information related to an artifact."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "mailingList" ;
+ rdfs:comment "A reference to the mailing list used by the maintainer for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "mavenCentral" ;
+ rdfs:comment "A reference to a Maven repository artifact. The artifact locator format is defined in the [Maven documentation](https://maven.apache.org/guides/mini/guide-naming-conventions.html) and looks like `groupId:artifactId[:version]`."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "metrics" ;
+ rdfs:comment "A reference to metrics related to package such as OpenSSF scorecards."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "npm" ;
+ rdfs:comment "A reference to an npm package. The package locator format is defined in the [npm documentation](https://docs.npmjs.com/cli/v10/configuring-npm/package-json) and looks like `package@version`."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "nuget" ;
+ rdfs:comment "A reference to a NuGet package. The package locator format is defined in the [NuGet documentation](https://docs.nuget.org) and looks like `package/version`."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "other" ;
+ rdfs:comment "Used when the type does not match any of the other options."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "privacyAssessment" ;
+ rdfs:comment "A reference to a privacy assessment for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "productMetadata" ;
+ rdfs:comment "A reference to additional product metadata such as reference within organization's product catalog."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "purchaseOrder" ;
+ rdfs:comment "A reference to a purchase order for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "qualityAssessmentReport" ;
+ rdfs:comment "A reference to a quality assessment for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "releaseHistory" ;
+ rdfs:comment "A reference to a published list of releases for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "releaseNotes" ;
+ rdfs:comment "A reference to the release notes for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "riskAssessment" ;
+ rdfs:comment "A reference to a risk assessment for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "runtimeAnalysisReport" ;
+ rdfs:comment "A reference to a runtime analysis report for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "secureSoftwareAttestation" ;
+ rdfs:comment "A reference to information assuring that the software is developed using security practices as defined by [NIST SP 800-218 Secure Software Development Framework (SSDF) Version 1.1](https://csrc.nist.gov/pubs/sp/800/218/final) or [CISA Secure Software Development Attestation Form](https://www.cisa.gov/resources-tools/resources/secure-software-development-attestation-form)."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "securityAdversaryModel" ;
+ rdfs:comment "A reference to the security adversary model for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "securityAdvisory" ;
+ rdfs:comment "A reference to a published security advisory (where advisory as defined per [ISO 29147:2018](https://www.iso.org/standard/72311.html)) that may affect one or more elements, e.g., vendor advisories or specific NVD entries."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "securityFix" ;
+ rdfs:comment "A reference to the patch or source code that fixes a vulnerability."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "securityOther" ;
+ rdfs:comment "A reference to related security information of unspecified type."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "securityPenTestReport" ;
+ rdfs:comment "A reference to a [penetration test](https://en.wikipedia.org/wiki/Penetration_test) report for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "securityPolicy" ;
+ rdfs:comment "A reference to instructions for reporting newly discovered security vulnerabilities for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "securityThreatModel" ;
+ rdfs:comment "A reference the [security threat model](https://en.wikipedia.org/wiki/Threat_model) for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "socialMedia" ;
+ rdfs:comment "A reference to a social media channel for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "sourceArtifact" ;
+ rdfs:comment "A reference to an artifact containing the sources for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "staticAnalysisReport" ;
+ rdfs:comment "A reference to a static analysis report for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "support" ;
+ rdfs:comment "A reference to the software support channel or other support information for a package."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "vcs" ;
+ rdfs:comment "A reference to a version control system related to a software artifact."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "vulnerabilityDisclosureReport" ;
+ rdfs:comment "A reference to a Vulnerability Disclosure Report (VDR) which provides the software supplier's analysis and findings describing the impact (or lack of impact) that reported vulnerabilities have on packages or products in the supplier's SBOM as defined in [NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations](https://csrc.nist.gov/pubs/sp/800/161/r1/final)."@en .
+
+ a owl:NamedIndividual,
+ ns1:ExternalRefType ;
+ rdfs:label "vulnerabilityExploitabilityAssessment" ;
+ rdfs:comment "A reference to a Vulnerability Exploitability eXchange (VEX) statement which provides information on whether a product is impacted by a specific vulnerability in an included package and, if affected, whether there are actions recommended to remediate. See also [NTIA VEX one-page summary](https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf)."@en .
+
+ a owl:NamedIndividual,
+ ns1:LifecycleScopeType ;
+ rdfs:label "build" ;
+ rdfs:comment "A relationship has specific context implications during an element's build phase, during development."@en .
+
+ a owl:NamedIndividual,
+ ns1:LifecycleScopeType ;
+ rdfs:label "design" ;
+ rdfs:comment "A relationship has specific context implications during an element's design."@en .
+
+ a owl:NamedIndividual,
+ ns1:LifecycleScopeType ;
+ rdfs:label "development" ;
+ rdfs:comment "A relationship has specific context implications during development phase of an element."@en .
+
+ a owl:NamedIndividual,
+ ns1:LifecycleScopeType ;
+ rdfs:label "other" ;
+ rdfs:comment "A relationship has other specific context information necessary to capture that the above set of enumerations does not handle."@en .
+
+ a owl:NamedIndividual,
+ ns1:LifecycleScopeType ;
+ rdfs:label "runtime" ;
+ rdfs:comment "A relationship has specific context implications during the execution phase of an element."@en .
+
+ a owl:NamedIndividual,
+ ns1:LifecycleScopeType ;
+ rdfs:label "test" ;
+ rdfs:comment "A relationship has specific context implications during an element's testing phase, during development."@en .
+
+ns1:Organization a owl:Class ;
+ rdfs:comment "A group of people who work together in an organized way for a shared purpose."@en ;
+ rdfs:subClassOf ns1:Agent ;
+ sh:nodeKind sh:IRI .
+
+ a owl:NamedIndividual,
+ ns1:ProfileIdentifierType ;
+ rdfs:label "ai" ;
+ rdfs:comment "the element follows the AI profile specification"@en .
+
+ a owl:NamedIndividual,
+ ns1:ProfileIdentifierType ;
+ rdfs:label "build" ;
+ rdfs:comment "the element follows the Build profile specification"@en .
+
+ a owl:NamedIndividual,
+ ns1:ProfileIdentifierType ;
+ rdfs:label "core" ;
+ rdfs:comment "the element follows the Core profile specification"@en .
+
+ a owl:NamedIndividual,
+ ns1:ProfileIdentifierType ;
+ rdfs:label "dataset" ;
+ rdfs:comment "the element follows the Dataset profile specification"@en .
+
+ a owl:NamedIndividual,
+ ns1:ProfileIdentifierType ;
+ rdfs:label "expandedLicensing" ;
+ rdfs:comment "the element follows the ExpandedLicensing profile specification"@en .
+
+ a owl:NamedIndividual,
+ ns1:ProfileIdentifierType ;
+ rdfs:label "extension" ;
+ rdfs:comment "the element follows the Extension profile specification"@en .
+
+ a owl:NamedIndividual,
+ ns1:ProfileIdentifierType ;
+ rdfs:label "lite" ;
+ rdfs:comment "the element follows the Lite profile specification"@en .
+
+ a owl:NamedIndividual,
+ ns1:ProfileIdentifierType ;
+ rdfs:label "security" ;
+ rdfs:comment "the element follows the Security profile specification"@en .
+
+ a owl:NamedIndividual,
+ ns1:ProfileIdentifierType ;
+ rdfs:label "simpleLicensing" ;
+ rdfs:comment "the element follows the SimpleLicensing profile specification"@en .
+
+ a owl:NamedIndividual,
+ ns1:ProfileIdentifierType ;
+ rdfs:label "software" ;
+ rdfs:comment "the element follows the Software profile specification"@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipCompleteness ;
+ rdfs:label "complete" ;
+ rdfs:comment "The relationship is known to be exhaustive."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipCompleteness ;
+ rdfs:label "incomplete" ;
+ rdfs:comment "The relationship is known not to be exhaustive."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipCompleteness ;
+ rdfs:label "noAssertion" ;
+ rdfs:comment "No assertion can be made about the completeness of the relationship."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipType ;
+ rdfs:label "affects" ;
+ rdfs:comment "The `from` Vulnerability affects each `to` Element. The use of the `affects` type is constrained to `VexAffectedVulnAssessmentRelationship` classed relationships."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipType ;
+ rdfs:label "amendedBy" ;
+ rdfs:comment "The `from` Element is amended by each `to` Element."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipType ;
+ rdfs:label "ancestorOf" ;
+ rdfs:comment "The `from` Element is an ancestor of each `to` Element."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipType ;
+ rdfs:label "availableFrom" ;
+ rdfs:comment "The `from` Element is available from the additional supplier described by each `to` Element."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipType ;
+ rdfs:label "configures" ;
+ rdfs:comment "The `from` Element is a configuration applied to each `to` Element, during a LifecycleScopeType period."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipType ;
+ rdfs:label "contains" ;
+ rdfs:comment "The `from` Element contains each `to` Element."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipType ;
+ rdfs:label "coordinatedBy" ;
+ rdfs:comment "The `from` Vulnerability is coordinatedBy the `to` Agent(s) (vendor, researcher, or consumer agent)."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipType ;
+ rdfs:label "copiedTo" ;
+ rdfs:comment "The `from` Element has been copied to each `to` Element."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipType ;
+ rdfs:label "delegatedTo" ;
+ rdfs:comment "The `from` Agent is delegating an action to the Agent of the `to` Relationship (which must be of type invokedBy), during a LifecycleScopeType (e.g. the `to` invokedBy Relationship is being done on behalf of `from`)."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipType ;
+ rdfs:label "dependsOn" ;
+ rdfs:comment "The `from` Element depends on each `to` Element, during a LifecycleScopeType period."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipType ;
+ rdfs:label "descendantOf" ;
+ rdfs:comment "The `from` Element is a descendant of each `to` Element."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipType ;
+ rdfs:label "describes" ;
+ rdfs:comment "The `from` Element describes each `to` Element. To denote the root(s) of a tree of elements in a collection, the rootElement property should be used."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipType ;
+ rdfs:label "doesNotAffect" ;
+ rdfs:comment "The `from` Vulnerability has no impact on each `to` Element. The use of the `doesNotAffect` is constrained to `VexNotAffectedVulnAssessmentRelationship` classed relationships."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipType ;
+ rdfs:label "expandsTo" ;
+ rdfs:comment "The `from` archive expands out as an artifact described by each `to` Element."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipType ;
+ rdfs:label "exploitCreatedBy" ;
+ rdfs:comment "The `from` Vulnerability has had an exploit created against it by each `to` Agent."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipType ;
+ rdfs:label "fixedBy" ;
+ rdfs:comment "Designates a `from` Vulnerability has been fixed by the `to` Agent(s)."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipType ;
+ rdfs:label "fixedIn" ;
+ rdfs:comment "A `from` Vulnerability has been fixed in each `to` Element. The use of the `fixedIn` type is constrained to `VexFixedVulnAssessmentRelationship` classed relationships."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipType ;
+ rdfs:label "foundBy" ;
+ rdfs:comment "Designates a `from` Vulnerability was originally discovered by the `to` Agent(s)."@en .
+
+ a owl:NamedIndividual,
+ ns1:RelationshipType ;
+ rdfs:label "generates" ;
+ rdfs:comment "The `from` Element generates each `to` Element."@en .
+
+