From 5b9823714c02d6260a8ee24f8d5fc856cb06296a Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Thu, 6 Nov 2025 17:35:25 -0800 Subject: [PATCH] Add SHACL validation - draft Added Jena SHACL validation. This currently isn't working - the SHACL parsing isn't finding any target nodes Signed-off-by: Gary O'Neall --- pom.xml | 21 +- resources/spdx-shacl-v3.0.1.ttl | 3330 ++++++++++++++++++++++ src/main/java/org/spdx/tools/Verify.java | 22 + 3 files changed, 3370 insertions(+), 3 deletions(-) create mode 100644 resources/spdx-shacl-v3.0.1.ttl diff --git a/pom.xml b/pom.xml index be74737..c57d7bc 100644 --- a/pom.xml +++ b/pom.xml @@ -115,10 +115,20 @@ 4.13.2 test - + + org.spdx + spdx-java-model-3_0 + 1.0.2-SNAPSHOT + + + org.spdx + spdx-java-core + 1.0.2-SNAPSHOT + + org.spdx java-spdx-library - 2.0.1 + 2.0.2-SNAPSHOT org.spdx @@ -143,7 +153,7 @@ org.spdx spdx-v3jsonld-store - 1.0.1 + 1.0.2-SNAPSHOT com.networknt @@ -156,6 +166,11 @@ 2.0.17 true + + org.apache.jena + jena-shacl + 5.6.0 + diff --git a/resources/spdx-shacl-v3.0.1.ttl b/resources/spdx-shacl-v3.0.1.ttl new file mode 100644 index 0000000..efd3c0a --- /dev/null +++ b/resources/spdx-shacl-v3.0.1.ttl 
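Review bot: Four SPDX dependencies in the pom.xml hunks now resolve to `-SNAPSHOT` versions, which makes the build non-reproducible: `spdx-java-model-3_0` and `spdx-java-core` are added at `1.0.2-SNAPSHOT` and `java-spdx-library` moves from `2.0.1` to `2.0.2-SNAPSHOT` in the first hunk, and `spdx-v3jsonld-store` moves from `1.0.1` to `1.0.2-SNAPSHOT` in the second. A snapshot coordinate can be republished with different content, so the same commit can pull different code on different days, and the resolved artifact cannot be tied back to a reviewed release. While this stays a draft, mark the block with a comment such as `<!-- TODO(release): replace every -SNAPSHOT with a released version before merging -->`. Each dependency should point at a released version before merge, and a maven-enforcer `requireReleaseDeps` rule on release builds would catch any that are left behind. The `jena-shacl` `5.6.0` entry added in the third hunk is a fixed release and needs no change on this count.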
@@ -0,0 +1,3330 @@ +@prefix dcterms: . +@prefix ns1: . +@prefix ns2: . +@prefix ns3: . +@prefix ns4: . +@prefix ns5: . +@prefix ns6: . +@prefix omg-ann: . +@prefix owl: . +@prefix rdf: . +@prefix rdfs: . +@prefix sh: . +@prefix spdx: . +@prefix xsd: . + +ns5:AIPackage a owl:Class, + sh:NodeShape ; + rdfs:comment "Specifies an AI package and its associated information."@en ; + rdfs:subClassOf ns3:Package ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:string ; + sh:nodeKind sh:Literal ; + sh:path ns5:domain ], + [ sh:class ns5:EnergyConsumption ; + sh:maxCount 1 ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ns5:energyConsumption ], + [ sh:class ns1:DictionaryEntry ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ns5:hyperparameter ], + [ sh:datatype xsd:string ; + sh:nodeKind sh:Literal ; + sh:path ns5:modelExplainability ], + [ sh:datatype xsd:string ; + sh:nodeKind sh:Literal ; + sh:path ns5:standardCompliance ], + [ sh:class ns1:DictionaryEntry ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ns5:metricDecisionThreshold ], + [ sh:datatype xsd:string ; + sh:nodeKind sh:Literal ; + sh:path ns5:typeOfModel ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns5:informationAboutApplication ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns5:informationAboutTraining ], + [ sh:class ns1:DictionaryEntry ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ns5:metric ], + [ sh:datatype xsd:string ; + sh:nodeKind sh:Literal ; + sh:path ns5:modelDataPreprocessing ], + [ sh:class ns1:PresenceType ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns5:useSensitivePersonalInformation ], + [ sh:class ns1:PresenceType ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns5:autonomyType ], + [ sh:class ns5:SafetyRiskAssessmentType ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns5:safetyRiskAssessment ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + 
sh:nodeKind sh:Literal ; + sh:path ns5:limitation ] . + + a owl:Class, + sh:NodeShape ; + rdfs:comment "Class that describes a build instance of software/artifacts."@en ; + rdfs:subClassOf ns1:Element ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ], + [ sh:datatype xsd:anyURI ; + sh:nodeKind sh:Literal ; + sh:path ], + [ sh:datatype xsd:dateTimeStamp ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ; + sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ], + [ sh:class ns1:Hash ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ], + [ sh:class ns1:DictionaryEntry ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ], + [ sh:datatype xsd:anyURI ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ], + [ sh:datatype xsd:string ; + sh:nodeKind sh:Literal ; + sh:path ], + [ sh:datatype xsd:dateTimeStamp ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ; + sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ], + [ sh:class ns1:DictionaryEntry ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ] . + +ns1:Annotation a owl:Class, + sh:NodeShape ; + rdfs:comment "An assertion made in relation to one or more elements."@en ; + rdfs:subClassOf ns1:Element ; + sh:nodeKind sh:IRI ; + sh:property [ sh:class ns1:Element ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns1:subject ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:contentType ; + sh:pattern "^[^\\/]+\\/[^\\/]+$" ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:statement ], + [ sh:class ns1:AnnotationType ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns1:annotationType ] . 
+ +ns1:LifecycleScopedRelationship a owl:Class, + sh:NodeShape ; + rdfs:comment "Provide context for a relationship that occurs in the lifecycle."@en ; + rdfs:subClassOf ns1:Relationship ; + sh:nodeKind sh:IRI ; + sh:property [ sh:class ns1:LifecycleScopeType ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns1:scope ] . + +ns1:NoAssertionElement a owl:NamedIndividual, + ns1:IndividualElement ; + rdfs:comment """An Individual Value for Element representing a set of Elements of unknown +identify or cardinality (number)."""@en ; + ns1:creationInfo . + +ns1:NoneElement a owl:NamedIndividual, + ns1:IndividualElement ; + rdfs:comment """An Individual Value for Element representing a set of Elements with +cardinality (number/count) of zero."""@en ; + ns1:creationInfo . + +ns1:PackageVerificationCode a owl:Class, + sh:NodeShape ; + rdfs:comment "An SPDX version 2.X compatible verification method for software packages."@en ; + rdfs:subClassOf ns1:IntegrityMethod ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:property [ sh:class ns1:HashAlgorithm ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns1:algorithm ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:hashValue ], + [ sh:datatype xsd:string ; + sh:nodeKind sh:Literal ; + sh:path ns1:packageVerificationCodeExcludedFile ] . + +ns1:Person a owl:Class ; + rdfs:comment "An individual human being."@en ; + rdfs:subClassOf ns1:Agent ; + sh:nodeKind sh:IRI . + +ns1:SoftwareAgent a owl:Class ; + rdfs:comment "A software agent."@en ; + rdfs:subClassOf ns1:Agent ; + sh:nodeKind sh:IRI . 
+ +ns1:SpdxDocument a owl:Class, + sh:NodeShape ; + rdfs:comment "A collection of SPDX Elements that could potentially be serialized."@en ; + rdfs:subClassOf ns1:ElementCollection ; + sh:nodeKind sh:IRI ; + sh:property [ sh:class ; + sh:maxCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns1:dataLicense ], + [ sh:class ns1:NamespaceMap ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ns1:namespaceMap ], + [ sh:class ns1:ExternalMap ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ns1:import ] . + +ns4:DatasetPackage a owl:Class, + sh:NodeShape ; + rdfs:comment "Specifies a data package and its associated information."@en ; + rdfs:subClassOf ns3:Package ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:string ; + sh:nodeKind sh:Literal ; + sh:path ns4:knownBias ], + [ sh:class ns4:DatasetAvailabilityType ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns4:datasetAvailability ], + [ sh:class ns1:PresenceType ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns4:hasSensitivePersonalInformation ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns4:dataCollectionProcess ], + [ sh:class ns4:DatasetType ; + sh:in ( ) ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns4:datasetType ], + [ sh:class ns4:ConfidentialityLevelType ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns4:confidentialityLevel ], + [ sh:datatype xsd:string ; + sh:nodeKind sh:Literal ; + sh:path ns4:anonymizationMethodUsed ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns4:datasetUpdateMechanism ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns4:datasetNoise ], + [ sh:datatype xsd:nonNegativeInteger ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns4:datasetSize ], + [ sh:class ns1:DictionaryEntry ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ns4:sensor ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal 
; + sh:path ns4:intendedUse ], + [ sh:datatype xsd:string ; + sh:nodeKind sh:Literal ; + sh:path ns4:dataPreprocessing ] . + +ns6:ConjunctiveLicenseSet a owl:Class, + sh:NodeShape ; + rdfs:comment """Portion of an AnyLicenseInfo representing a set of licensing information +where all elements apply."""@en ; + rdfs:subClassOf ; + sh:nodeKind sh:IRI ; + sh:property [ sh:class ; + sh:minCount 2 ; + sh:nodeKind sh:IRI ; + sh:path ns6:member ] . + +ns6:CustomLicense a owl:Class ; + rdfs:comment "A license that is not listed on the SPDX License List."@en ; + rdfs:subClassOf ns6:License ; + sh:nodeKind sh:IRI . + +ns6:CustomLicenseAddition a owl:Class ; + rdfs:comment "A license addition that is not listed on the SPDX Exceptions List."@en ; + rdfs:subClassOf ns6:LicenseAddition ; + sh:nodeKind sh:IRI . + +ns6:DisjunctiveLicenseSet a owl:Class, + sh:NodeShape ; + rdfs:comment """Portion of an AnyLicenseInfo representing a set of licensing information where +only one of the elements applies."""@en ; + rdfs:subClassOf ; + sh:nodeKind sh:IRI ; + sh:property [ sh:class ; + sh:minCount 2 ; + sh:nodeKind sh:IRI ; + sh:path ns6:member ] . + +ns6:ListedLicense a owl:Class, + sh:NodeShape ; + rdfs:comment "A license that is listed on the SPDX License List."@en ; + rdfs:subClassOf ns6:License ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns6:listVersionAdded ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns6:deprecatedVersion ] . + +ns6:ListedLicenseException a owl:Class, + sh:NodeShape ; + rdfs:comment "A license exception that is listed on the SPDX Exceptions list."@en ; + rdfs:subClassOf ns6:LicenseAddition ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns6:deprecatedVersion ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns6:listVersionAdded ] . 
+ +ns6:NoAssertionLicense a owl:NamedIndividual, + ns6:IndividualLicensingInfo ; + rdfs:comment """An Individual Value for License when no assertion can be made about its actual +value."""@en ; + owl:sameAs ; + ns1:creationInfo . + +ns6:NoneLicense a owl:NamedIndividual, + ns6:IndividualLicensingInfo ; + rdfs:comment """An Individual Value for License where the SPDX data creator determines that no +license is present."""@en ; + owl:sameAs ; + ns1:creationInfo . + +ns6:OrLaterOperator a owl:Class, + sh:NodeShape ; + rdfs:comment """Portion of an AnyLicenseInfo representing this version, or any later version, +of the indicated License."""@en ; + rdfs:subClassOf ns6:ExtendableLicense ; + sh:nodeKind sh:IRI ; + sh:property [ sh:class ns6:License ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns6:subjectLicense ] . + +ns6:WithAdditionOperator a owl:Class, + sh:NodeShape ; + rdfs:comment """Portion of an AnyLicenseInfo representing a License which has additional +text applied to it."""@en ; + rdfs:subClassOf ; + sh:nodeKind sh:IRI ; + sh:property [ sh:class ns6:ExtendableLicense ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns6:subjectExtendableLicense ], + [ sh:class ns6:LicenseAddition ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns6:subjectAddition ] . + + a owl:Class, + sh:NodeShape ; + rdfs:comment "A type of extension consisting of a list of name value pairs."@en ; + rdfs:subClassOf ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:property [ sh:class ; + sh:minCount 1 ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ] . 
+ +ns2:CvssV2VulnAssessmentRelationship a owl:Class, + sh:NodeShape ; + rdfs:comment "Provides a CVSS version 2.0 assessment for a vulnerability."@en ; + rdfs:subClassOf ns2:VulnAssessmentRelationship ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:vectorString ], + [ sh:datatype xsd:decimal ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:score ] . + +ns2:CvssV3VulnAssessmentRelationship a owl:Class, + sh:NodeShape ; + rdfs:comment "Provides a CVSS version 3 assessment for a vulnerability."@en ; + rdfs:subClassOf ns2:VulnAssessmentRelationship ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:decimal ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:score ], + [ sh:class ns2:CvssSeverityType ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns2:severity ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:vectorString ] . + +ns2:CvssV4VulnAssessmentRelationship a owl:Class, + sh:NodeShape ; + rdfs:comment "Provides a CVSS version 4 assessment for a vulnerability."@en ; + rdfs:subClassOf ns2:VulnAssessmentRelationship ; + sh:nodeKind sh:IRI ; + sh:property [ sh:class ns2:CvssSeverityType ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns2:severity ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:vectorString ], + [ sh:datatype xsd:decimal ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:score ] . 
+ +ns2:EpssVulnAssessmentRelationship a owl:Class, + sh:NodeShape ; + rdfs:comment "Provides an EPSS assessment for a vulnerability."@en ; + rdfs:subClassOf ns2:VulnAssessmentRelationship ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:decimal ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:probability ], + [ sh:datatype xsd:decimal ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:percentile ] . + +ns2:ExploitCatalogVulnAssessmentRelationship a owl:Class, + sh:NodeShape ; + rdfs:comment "Provides an exploit assessment of a vulnerability."@en ; + rdfs:subClassOf ns2:VulnAssessmentRelationship ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:anyURI ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:locator ], + [ sh:datatype xsd:boolean ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:exploited ], + [ sh:class ns2:ExploitCatalogType ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns2:catalogType ] . + +ns2:SsvcVulnAssessmentRelationship a owl:Class, + sh:NodeShape ; + rdfs:comment "Provides an SSVC assessment for a vulnerability."@en ; + rdfs:subClassOf ns2:VulnAssessmentRelationship ; + sh:nodeKind sh:IRI ; + sh:property [ sh:class ns2:SsvcDecisionType ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns2:decisionType ] . 
+ +ns2:VexAffectedVulnAssessmentRelationship a owl:Class, + sh:NodeShape ; + rdfs:comment """Connects a vulnerability and an element designating the element as a product +affected by the vulnerability."""@en ; + rdfs:subClassOf ns2:VexVulnAssessmentRelationship ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:actionStatement ], + [ sh:datatype xsd:dateTimeStamp ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:actionStatementTime ; + sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ] . + +ns2:VexFixedVulnAssessmentRelationship a owl:Class ; + rdfs:comment """Links a vulnerability and elements representing products (in the VEX sense) where +a fix has been applied and are no longer affected."""@en ; + rdfs:subClassOf ns2:VexVulnAssessmentRelationship ; + sh:nodeKind sh:IRI . + +ns2:VexNotAffectedVulnAssessmentRelationship a owl:Class, + sh:NodeShape ; + rdfs:comment """Links a vulnerability and one or more elements designating the latter as products +not affected by the vulnerability."""@en ; + rdfs:subClassOf ns2:VexVulnAssessmentRelationship ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:dateTimeStamp ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:impactStatementTime ; + sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:impactStatement ], + [ sh:class ns2:VexJustificationType ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns2:justificationType ] . + +ns2:VexUnderInvestigationVulnAssessmentRelationship a owl:Class ; + rdfs:comment """Designates elements as products where the impact of a vulnerability is being +investigated."""@en ; + rdfs:subClassOf ns2:VexVulnAssessmentRelationship ; + sh:nodeKind sh:IRI . 
+ +ns2:Vulnerability a owl:Class, + sh:NodeShape ; + rdfs:comment "Specifies a vulnerability and its associated information."@en ; + rdfs:subClassOf ns1:Artifact ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:dateTimeStamp ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:withdrawnTime ; + sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ], + [ sh:datatype xsd:dateTimeStamp ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:modifiedTime ; + sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ], + [ sh:datatype xsd:dateTimeStamp ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:publishedTime ; + sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ] . + + a owl:Class, + sh:NodeShape ; + rdfs:comment "An SPDX Element containing an SPDX license expression string."@en ; + rdfs:subClassOf ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ], + [ sh:class ns1:DictionaryEntry ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ; + sh:pattern "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" ] . + + a owl:Class, + sh:NodeShape ; + rdfs:comment "A license or addition that is not listed on the SPDX License List."@en ; + rdfs:subClassOf ns1:Element ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ] . + +ns3:Sbom a owl:Class, + sh:NodeShape ; + rdfs:comment "A collection of SPDX Elements describing a single package."@en ; + rdfs:subClassOf ns1:Bom ; + sh:nodeKind sh:IRI ; + sh:property [ sh:class ns3:SbomType ; + sh:in ( ) ; + sh:nodeKind sh:IRI ; + sh:path ns3:sbomType ] . 
+ +ns3:Snippet a owl:Class, + sh:NodeShape ; + rdfs:comment "Describes a certain part of a file."@en ; + rdfs:subClassOf ns3:SoftwareArtifact ; + sh:nodeKind sh:IRI ; + sh:property [ sh:class ns3:File ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns3:snippetFromFile ], + [ sh:class ns1:PositiveIntegerRange ; + sh:maxCount 1 ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ns3:lineRange ], + [ sh:class ns1:PositiveIntegerRange ; + sh:maxCount 1 ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ns3:byteRange ] . + + a ns1:CreationInfo ; + rdfs:comment "This individual element was defined by the spec."@en ; + ns1:created "2024-11-22T03:00:01Z"^^xsd:dateTimeStamp ; + ns1:createdBy ns1:SpdxOrganization ; + ns1:specVersion "3.0.1" . + + a ns1:CreationInfo ; + rdfs:comment "This individual element was defined by the spec."@en ; + ns1:created "2024-11-22T03:00:01Z"^^xsd:dateTimeStamp ; + ns1:createdBy ns1:SpdxOrganization ; + ns1:specVersion "3.0.1" . + + a ns1:CreationInfo ; + rdfs:comment "This individual element was defined by the spec."@en ; + ns1:created "2024-11-22T03:00:01Z"^^xsd:dateTimeStamp ; + ns1:createdBy ns1:SpdxOrganization ; + ns1:specVersion "3.0.1" . + + a ns1:CreationInfo ; + rdfs:comment "This individual element was defined by the spec."@en ; + ns1:created "2024-11-22T03:00:01Z"^^xsd:dateTimeStamp ; + ns1:createdBy ns1:SpdxOrganization ; + ns1:specVersion "3.0.1" . + + a ns1:CreationInfo ; + rdfs:comment "This individual element was defined by the spec."@en ; + ns1:created "2024-11-22T03:00:01Z"^^xsd:dateTimeStamp ; + ns1:createdBy ns1:SpdxOrganization ; + ns1:specVersion "3.0.1" . 
+ +spdx: a owl:Ontology ; + rdfs:label "System Package Data Exchange (SPDX) Ontology"@en ; + dcterms:abstract "This ontology defines the terms and relationships used in the SPDX specification to describe system packages"@en ; + dcterms:created "2024-04-05"^^xsd:date ; + dcterms:creator "SPDX Project"@en ; + dcterms:license ; + dcterms:references ; + dcterms:title "System Package Data Exchange (SPDX) Ontology"@en ; + owl:versionIRI spdx: ; + omg-ann:copyright "Copyright (C) 2024 SPDX Project"@en . + + a owl:NamedIndividual, + ns5:EnergyUnitType ; + rdfs:label "kilowattHour" ; + rdfs:comment "Kilowatt-hour."@en . + + a owl:NamedIndividual, + ns5:EnergyUnitType ; + rdfs:label "megajoule" ; + rdfs:comment "Megajoule."@en . + + a owl:NamedIndividual, + ns5:EnergyUnitType ; + rdfs:label "other" ; + rdfs:comment "Any other units of energy measurement."@en . + + a owl:NamedIndividual, + ns5:SafetyRiskAssessmentType ; + rdfs:label "high" ; + rdfs:comment "The second-highest level of risk posed by an AI system."@en . + + a owl:NamedIndividual, + ns5:SafetyRiskAssessmentType ; + rdfs:label "low" ; + rdfs:comment "Low/no risk is posed by an AI system."@en . + + a owl:NamedIndividual, + ns5:SafetyRiskAssessmentType ; + rdfs:label "medium" ; + rdfs:comment "The third-highest level of risk posed by an AI system."@en . + + a owl:NamedIndividual, + ns5:SafetyRiskAssessmentType ; + rdfs:label "serious" ; + rdfs:comment "The highest level of risk posed by an AI system."@en . + +ns5:autonomyType a owl:ObjectProperty ; + rdfs:comment """Indicates whether the system can perform a decision or action without human +involvement or guidance."""@en ; + rdfs:range ns1:PresenceType . + +ns5:domain a owl:DatatypeProperty ; + rdfs:comment "Captures the domain in which the AI package can be used."@en ; + rdfs:range xsd:string . 
+ +ns5:energyConsumption a owl:ObjectProperty ; + rdfs:comment "Indicates the amount of energy consumption incurred by an AI model."@en ; + rdfs:range ns5:EnergyConsumption . + +ns5:energyQuantity a owl:DatatypeProperty ; + rdfs:comment "Represents the energy quantity."@en ; + rdfs:range xsd:decimal . + +ns5:energyUnit a owl:ObjectProperty ; + rdfs:comment "Specifies the unit in which energy is measured."@en ; + rdfs:range ns5:EnergyUnitType . + +ns5:finetuningEnergyConsumption a owl:ObjectProperty ; + rdfs:comment """Specifies the amount of energy consumed when finetuning the AI model that is +being used in the AI system."""@en ; + rdfs:range ns5:EnergyConsumptionDescription . + +ns5:hyperparameter a owl:ObjectProperty ; + rdfs:comment """Records a hyperparameter used to build the AI model contained in the AI +package."""@en ; + rdfs:range ns1:DictionaryEntry . + +ns5:inferenceEnergyConsumption a owl:ObjectProperty ; + rdfs:comment """Specifies the amount of energy consumed during inference time by an AI model +that is being used in the AI system."""@en ; + rdfs:range ns5:EnergyConsumptionDescription . + +ns5:informationAboutApplication a owl:DatatypeProperty ; + rdfs:comment """Provides relevant information about the AI software, not including the model +description."""@en ; + rdfs:range xsd:string . + +ns5:informationAboutTraining a owl:DatatypeProperty ; + rdfs:comment "Describes relevant information about different steps of the training process."@en ; + rdfs:range xsd:string . + +ns5:limitation a owl:DatatypeProperty ; + rdfs:comment "Captures a limitation of the AI software."@en ; + rdfs:range xsd:string . + +ns5:metric a owl:ObjectProperty ; + rdfs:comment "Records the measurement of prediction quality of the AI model."@en ; + rdfs:range ns1:DictionaryEntry . 
+ +ns5:metricDecisionThreshold a owl:ObjectProperty ; + rdfs:comment """Captures the threshold that was used for computation of a metric described in +the metric field."""@en ; + rdfs:range ns1:DictionaryEntry . + +ns5:modelDataPreprocessing a owl:DatatypeProperty ; + rdfs:comment """Describes all the preprocessing steps applied to the training data before the +model training."""@en ; + rdfs:range xsd:string . + +ns5:modelExplainability a owl:DatatypeProperty ; + rdfs:comment "Describes methods that can be used to explain the results from the AI model."@en ; + rdfs:range xsd:string . + +ns5:safetyRiskAssessment a owl:ObjectProperty ; + rdfs:comment "Records the results of general safety risk assessment of the AI system."@en ; + rdfs:range ns5:SafetyRiskAssessmentType . + +ns5:standardCompliance a owl:DatatypeProperty ; + rdfs:comment "Captures a standard that is being complied with."@en ; + rdfs:range xsd:string . + +ns5:trainingEnergyConsumption a owl:ObjectProperty ; + rdfs:comment """Specifies the amount of energy consumed when training the AI model that is +being used in the AI system."""@en ; + rdfs:range ns5:EnergyConsumptionDescription . + +ns5:typeOfModel a owl:DatatypeProperty ; + rdfs:comment "Records the type of the model used in the AI software."@en ; + rdfs:range xsd:string . + +ns5:useSensitivePersonalInformation a owl:ObjectProperty ; + rdfs:comment """Records if sensitive personal information is used during model training or +could be used during the inference."""@en ; + rdfs:range ns1:PresenceType . + + a owl:DatatypeProperty ; + rdfs:comment "Property that describes the time at which a build stops."@en ; + rdfs:range xsd:dateTimeStamp . + + a owl:DatatypeProperty ; + rdfs:comment """A buildId is a locally unique identifier used by a builder to identify a unique +instance of a build produced by it."""@en ; + rdfs:range xsd:string . 
+ + a owl:DatatypeProperty ; + rdfs:comment "Property describing the start time of a build."@en ; + rdfs:range xsd:dateTimeStamp . + + a owl:DatatypeProperty ; + rdfs:comment """A buildType is a hint that is used to indicate the toolchain, platform, or +infrastructure that the build was invoked on."""@en ; + rdfs:range xsd:anyURI . + + a owl:ObjectProperty ; + rdfs:comment """Property that describes the digest of the build configuration file used to +invoke a build."""@en ; + rdfs:range ns1:Hash . + + a owl:DatatypeProperty ; + rdfs:comment "Property describes the invocation entrypoint of a build."@en ; + rdfs:range xsd:string . + + a owl:DatatypeProperty ; + rdfs:comment "Property that describes the URI of the build configuration source file."@en ; + rdfs:range xsd:anyURI . + + a owl:ObjectProperty ; + rdfs:comment "Property describing the session in which a build is invoked."@en ; + rdfs:range ns1:DictionaryEntry . + + a owl:ObjectProperty ; + rdfs:comment "Property describing a parameter used in an instance of a build."@en ; + rdfs:range ns1:DictionaryEntry . + + a owl:NamedIndividual, + ns1:AnnotationType ; + rdfs:label "other" ; + rdfs:comment "Used to store extra information about an Element which is not part of a review (e.g. extra information provided during the creation of the Element)."@en . + + a owl:NamedIndividual, + ns1:AnnotationType ; + rdfs:label "review" ; + rdfs:comment "Used when someone reviews the Element."@en . + +ns1:Bom a owl:Class ; + rdfs:comment """A container for a grouping of SPDX-3.0 content characterizing details +(provenence, composition, licensing, etc.) about a product."""@en ; + rdfs:subClassOf ns1:Bundle ; + sh:nodeKind sh:IRI . + +ns1:Bundle a owl:Class, + sh:NodeShape ; + rdfs:comment "A collection of Elements that have a shared context."@en ; + rdfs:subClassOf ns1:ElementCollection ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:context ] . 
+ + a owl:NamedIndividual, + ns1:ExternalIdentifierType ; + rdfs:label "cpe22" ; + rdfs:comment "[Common Platform Enumeration Specification 2.2](https://cpe.mitre.org/files/cpe-specification_2.2.pdf)"@en . + + a owl:NamedIndividual, + ns1:ExternalIdentifierType ; + rdfs:label "cpe23" ; + rdfs:comment "[Common Platform Enumeration: Naming Specification Version 2.3](https://csrc.nist.gov/publications/detail/nistir/7695/final)"@en . + + a owl:NamedIndividual, + ns1:ExternalIdentifierType ; + rdfs:label "cve" ; + rdfs:comment "Common Vulnerabilities and Exposures identifiers, an identifier for a specific software flaw defined within the official CVE Dictionary and that conforms to the [CVE specification](https://csrc.nist.gov/glossary/term/cve_id)."@en . + + a owl:NamedIndividual, + ns1:ExternalIdentifierType ; + rdfs:label "email" ; + rdfs:comment "Email address, as defined in [RFC 3696](https://datatracker.ietf.org/doc/rfc3986/) Section 3."@en . + + a owl:NamedIndividual, + ns1:ExternalIdentifierType ; + rdfs:label "gitoid" ; + rdfs:comment "[Gitoid](https://www.iana.org/assignments/uri-schemes/prov/gitoid), stands for [Git Object ID](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects). A gitoid of type blob is a unique hash of a binary artifact. A gitoid may represent either an [Artifact Identifier](https://github.com/omnibor/spec/blob/eb1ee5c961c16215eb8709b2975d193a2007a35d/spec/SPEC.md#artifact-identifier-types) for the software artifact or an [Input Manifest Identifier](https://github.com/omnibor/spec/blob/eb1ee5c961c16215eb8709b2975d193a2007a35d/spec/SPEC.md#input-manifest-identifier) for the software artifact's associated [Artifact Input Manifest](https://github.com/omnibor/spec/blob/eb1ee5c961c16215eb8709b2975d193a2007a35d/spec/SPEC.md#artifact-input-manifest); this ambiguity exists because the Artifact Input Manifest is itself an artifact, and the gitoid of that artifact is its valid identifier. 
Gitoids calculated on software artifacts (Snippet, File, or Package Elements) should be recorded in the SPDX 3.0 SoftwareArtifact's contentIdentifier property. Gitoids calculated on the Artifact Input Manifest (Input Manifest Identifier) should be recorded in the SPDX 3.0 Element's externalIdentifier property. See [OmniBOR Specification](https://github.com/omnibor/spec/), a minimalistic specification for describing software [Artifact Dependency Graphs](https://github.com/omnibor/spec/blob/eb1ee5c961c16215eb8709b2975d193a2007a35d/spec/SPEC.md#artifact-dependency-graph-adg)."@en . + + a owl:NamedIndividual, + ns1:ExternalIdentifierType ; + rdfs:label "other" ; + rdfs:comment "Used when the type does not match any of the other options."@en . + + a owl:NamedIndividual, + ns1:ExternalIdentifierType ; + rdfs:label "packageUrl" ; + rdfs:comment "Package URL, as defined in the corresponding [Annex](../../../annexes/pkg-url-specification.md) of this specification."@en . + + a owl:NamedIndividual, + ns1:ExternalIdentifierType ; + rdfs:label "securityOther" ; + rdfs:comment "Used when there is a security related identifier of unspecified type."@en . + + a owl:NamedIndividual, + ns1:ExternalIdentifierType ; + rdfs:label "swhid" ; + rdfs:comment "SoftWare Hash IDentifier, a persistent intrinsic identifier for digital artifacts, such as files, trees (also known as directories or folders), commits, and other objects typically found in version control systems. The format of the identifiers is defined in the [SWHID specification](https://www.swhid.org/specification/v1.1/4.Syntax) (ISO/IEC DIS 18670). They typically look like `swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2`."@en . + + a owl:NamedIndividual, + ns1:ExternalIdentifierType ; + rdfs:label "swid" ; + rdfs:comment "Concise Software Identification (CoSWID) tag, as defined in [RFC 9393](https://datatracker.ietf.org/doc/rfc9393/) Section 2.3."@en . 
+ + a owl:NamedIndividual, + ns1:ExternalIdentifierType ; + rdfs:label "urlScheme" ; + rdfs:comment "[Uniform Resource Identifier (URI) Schemes](https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml). The scheme used in order to locate a resource."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "altDownloadLocation" ; + rdfs:comment "A reference to an alternative download location."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "altWebPage" ; + rdfs:comment "A reference to an alternative web page."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "binaryArtifact" ; + rdfs:comment "A reference to binary artifacts related to a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "bower" ; + rdfs:comment "A reference to a Bower package. The package locator format, looks like `package#version`, is defined in the \"install\" section of [Bower API documentation](https://bower.io/docs/api/#install)."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "buildMeta" ; + rdfs:comment "A reference build metadata related to a published package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "buildSystem" ; + rdfs:comment "A reference build system used to create or publish the package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "certificationReport" ; + rdfs:comment "A reference to a certification report for a package from an accredited/independent body."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "chat" ; + rdfs:comment "A reference to the instant messaging system used by the maintainer for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "componentAnalysisReport" ; + rdfs:comment "A reference to a Software Composition Analysis (SCA) report."@en . 
+ + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "cwe" ; + rdfs:comment "[Common Weakness Enumeration](https://csrc.nist.gov/glossary/term/common_weakness_enumeration). A reference to a source of software flaw defined within the official [CWE List](https://cwe.mitre.org/data/) that conforms to the [CWE specification](https://cwe.mitre.org/)."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "documentation" ; + rdfs:comment "A reference to the documentation for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "dynamicAnalysisReport" ; + rdfs:comment "A reference to a dynamic analysis report for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "eolNotice" ; + rdfs:comment "A reference to the End Of Sale (EOS) and/or End Of Life (EOL) information related to a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "exportControlAssessment" ; + rdfs:comment "A reference to a export control assessment for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "funding" ; + rdfs:comment "A reference to funding information related to a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "issueTracker" ; + rdfs:comment "A reference to the issue tracker for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "license" ; + rdfs:comment "A reference to additional license information related to an artifact."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "mailingList" ; + rdfs:comment "A reference to the mailing list used by the maintainer for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "mavenCentral" ; + rdfs:comment "A reference to a Maven repository artifact. 
The artifact locator format is defined in the [Maven documentation](https://maven.apache.org/guides/mini/guide-naming-conventions.html) and looks like `groupId:artifactId[:version]`."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "metrics" ; + rdfs:comment "A reference to metrics related to package such as OpenSSF scorecards."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "npm" ; + rdfs:comment "A reference to an npm package. The package locator format is defined in the [npm documentation](https://docs.npmjs.com/cli/v10/configuring-npm/package-json) and looks like `package@version`."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "nuget" ; + rdfs:comment "A reference to a NuGet package. The package locator format is defined in the [NuGet documentation](https://docs.nuget.org) and looks like `package/version`."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "other" ; + rdfs:comment "Used when the type does not match any of the other options."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "privacyAssessment" ; + rdfs:comment "A reference to a privacy assessment for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "productMetadata" ; + rdfs:comment "A reference to additional product metadata such as reference within organization's product catalog."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "purchaseOrder" ; + rdfs:comment "A reference to a purchase order for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "qualityAssessmentReport" ; + rdfs:comment "A reference to a quality assessment for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "releaseHistory" ; + rdfs:comment "A reference to a published list of releases for a package."@en . 
+ + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "releaseNotes" ; + rdfs:comment "A reference to the release notes for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "riskAssessment" ; + rdfs:comment "A reference to a risk assessment for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "runtimeAnalysisReport" ; + rdfs:comment "A reference to a runtime analysis report for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "secureSoftwareAttestation" ; + rdfs:comment "A reference to information assuring that the software is developed using security practices as defined by [NIST SP 800-218 Secure Software Development Framework (SSDF) Version 1.1](https://csrc.nist.gov/pubs/sp/800/218/final) or [CISA Secure Software Development Attestation Form](https://www.cisa.gov/resources-tools/resources/secure-software-development-attestation-form)."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "securityAdversaryModel" ; + rdfs:comment "A reference to the security adversary model for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "securityAdvisory" ; + rdfs:comment "A reference to a published security advisory (where advisory as defined per [ISO 29147:2018](https://www.iso.org/standard/72311.html)) that may affect one or more elements, e.g., vendor advisories or specific NVD entries."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "securityFix" ; + rdfs:comment "A reference to the patch or source code that fixes a vulnerability."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "securityOther" ; + rdfs:comment "A reference to related security information of unspecified type."@en . 
+ + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "securityPenTestReport" ; + rdfs:comment "A reference to a [penetration test](https://en.wikipedia.org/wiki/Penetration_test) report for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "securityPolicy" ; + rdfs:comment "A reference to instructions for reporting newly discovered security vulnerabilities for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "securityThreatModel" ; + rdfs:comment "A reference the [security threat model](https://en.wikipedia.org/wiki/Threat_model) for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "socialMedia" ; + rdfs:comment "A reference to a social media channel for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "sourceArtifact" ; + rdfs:comment "A reference to an artifact containing the sources for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "staticAnalysisReport" ; + rdfs:comment "A reference to a static analysis report for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "support" ; + rdfs:comment "A reference to the software support channel or other support information for a package."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "vcs" ; + rdfs:comment "A reference to a version control system related to a software artifact."@en . + + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "vulnerabilityDisclosureReport" ; + rdfs:comment "A reference to a Vulnerability Disclosure Report (VDR) which provides the software supplier's analysis and findings describing the impact (or lack of impact) that reported vulnerabilities have on packages or products in the supplier's SBOM as defined in [NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations](https://csrc.nist.gov/pubs/sp/800/161/r1/final)."@en . 
+ + a owl:NamedIndividual, + ns1:ExternalRefType ; + rdfs:label "vulnerabilityExploitabilityAssessment" ; + rdfs:comment "A reference to a Vulnerability Exploitability eXchange (VEX) statement which provides information on whether a product is impacted by a specific vulnerability in an included package and, if affected, whether there are actions recommended to remediate. See also [NTIA VEX one-page summary](https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf)."@en . + + a owl:NamedIndividual, + ns1:LifecycleScopeType ; + rdfs:label "build" ; + rdfs:comment "A relationship has specific context implications during an element's build phase, during development."@en . + + a owl:NamedIndividual, + ns1:LifecycleScopeType ; + rdfs:label "design" ; + rdfs:comment "A relationship has specific context implications during an element's design."@en . + + a owl:NamedIndividual, + ns1:LifecycleScopeType ; + rdfs:label "development" ; + rdfs:comment "A relationship has specific context implications during development phase of an element."@en . + + a owl:NamedIndividual, + ns1:LifecycleScopeType ; + rdfs:label "other" ; + rdfs:comment "A relationship has other specific context information necessary to capture that the above set of enumerations does not handle."@en . + + a owl:NamedIndividual, + ns1:LifecycleScopeType ; + rdfs:label "runtime" ; + rdfs:comment "A relationship has specific context implications during the execution phase of an element."@en . + + a owl:NamedIndividual, + ns1:LifecycleScopeType ; + rdfs:label "test" ; + rdfs:comment "A relationship has specific context implications during an element's testing phase, during development."@en . + +ns1:Organization a owl:Class ; + rdfs:comment "A group of people who work together in an organized way for a shared purpose."@en ; + rdfs:subClassOf ns1:Agent ; + sh:nodeKind sh:IRI . 
+ + a owl:NamedIndividual, + ns1:ProfileIdentifierType ; + rdfs:label "ai" ; + rdfs:comment "the element follows the AI profile specification"@en . + + a owl:NamedIndividual, + ns1:ProfileIdentifierType ; + rdfs:label "build" ; + rdfs:comment "the element follows the Build profile specification"@en . + + a owl:NamedIndividual, + ns1:ProfileIdentifierType ; + rdfs:label "core" ; + rdfs:comment "the element follows the Core profile specification"@en . + + a owl:NamedIndividual, + ns1:ProfileIdentifierType ; + rdfs:label "dataset" ; + rdfs:comment "the element follows the Dataset profile specification"@en . + + a owl:NamedIndividual, + ns1:ProfileIdentifierType ; + rdfs:label "expandedLicensing" ; + rdfs:comment "the element follows the ExpandedLicensing profile specification"@en . + + a owl:NamedIndividual, + ns1:ProfileIdentifierType ; + rdfs:label "extension" ; + rdfs:comment "the element follows the Extension profile specification"@en . + + a owl:NamedIndividual, + ns1:ProfileIdentifierType ; + rdfs:label "lite" ; + rdfs:comment "the element follows the Lite profile specification"@en . + + a owl:NamedIndividual, + ns1:ProfileIdentifierType ; + rdfs:label "security" ; + rdfs:comment "the element follows the Security profile specification"@en . + + a owl:NamedIndividual, + ns1:ProfileIdentifierType ; + rdfs:label "simpleLicensing" ; + rdfs:comment "the element follows the SimpleLicensing profile specification"@en . + + a owl:NamedIndividual, + ns1:ProfileIdentifierType ; + rdfs:label "software" ; + rdfs:comment "the element follows the Software profile specification"@en . + + a owl:NamedIndividual, + ns1:RelationshipCompleteness ; + rdfs:label "complete" ; + rdfs:comment "The relationship is known to be exhaustive."@en . + + a owl:NamedIndividual, + ns1:RelationshipCompleteness ; + rdfs:label "incomplete" ; + rdfs:comment "The relationship is known not to be exhaustive."@en . 
+ + a owl:NamedIndividual, + ns1:RelationshipCompleteness ; + rdfs:label "noAssertion" ; + rdfs:comment "No assertion can be made about the completeness of the relationship."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "affects" ; + rdfs:comment "The `from` Vulnerability affects each `to` Element. The use of the `affects` type is constrained to `VexAffectedVulnAssessmentRelationship` classed relationships."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "amendedBy" ; + rdfs:comment "The `from` Element is amended by each `to` Element."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "ancestorOf" ; + rdfs:comment "The `from` Element is an ancestor of each `to` Element."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "availableFrom" ; + rdfs:comment "The `from` Element is available from the additional supplier described by each `to` Element."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "configures" ; + rdfs:comment "The `from` Element is a configuration applied to each `to` Element, during a LifecycleScopeType period."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "contains" ; + rdfs:comment "The `from` Element contains each `to` Element."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "coordinatedBy" ; + rdfs:comment "The `from` Vulnerability is coordinatedBy the `to` Agent(s) (vendor, researcher, or consumer agent)."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "copiedTo" ; + rdfs:comment "The `from` Element has been copied to each `to` Element."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "delegatedTo" ; + rdfs:comment "The `from` Agent is delegating an action to the Agent of the `to` Relationship (which must be of type invokedBy), during a LifecycleScopeType (e.g. the `to` invokedBy Relationship is being done on behalf of `from`)."@en . 
+ + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "dependsOn" ; + rdfs:comment "The `from` Element depends on each `to` Element, during a LifecycleScopeType period."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "descendantOf" ; + rdfs:comment "The `from` Element is a descendant of each `to` Element."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "describes" ; + rdfs:comment "The `from` Element describes each `to` Element. To denote the root(s) of a tree of elements in a collection, the rootElement property should be used."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "doesNotAffect" ; + rdfs:comment "The `from` Vulnerability has no impact on each `to` Element. The use of the `doesNotAffect` is constrained to `VexNotAffectedVulnAssessmentRelationship` classed relationships."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "expandsTo" ; + rdfs:comment "The `from` archive expands out as an artifact described by each `to` Element."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "exploitCreatedBy" ; + rdfs:comment "The `from` Vulnerability has had an exploit created against it by each `to` Agent."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "fixedBy" ; + rdfs:comment "Designates a `from` Vulnerability has been fixed by the `to` Agent(s)."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "fixedIn" ; + rdfs:comment "A `from` Vulnerability has been fixed in each `to` Element. The use of the `fixedIn` type is constrained to `VexFixedVulnAssessmentRelationship` classed relationships."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "foundBy" ; + rdfs:comment "Designates a `from` Vulnerability was originally discovered by the `to` Agent(s)."@en . 
+ + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "generates" ; + rdfs:comment "The `from` Element generates each `to` Element."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasAddedFile" ; + rdfs:comment "Every `to` Element is a file added to the `from` Element (`from` hasAddedFile `to`)."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasAssessmentFor" ; + rdfs:comment "Relates a `from` Vulnerability and each `to` Element with a security assessment. To be used with `VulnAssessmentRelationship` types."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasAssociatedVulnerability" ; + rdfs:comment "Used to associate a `from` Artifact with each `to` Vulnerability."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasConcludedLicense" ; + rdfs:comment "The `from` SoftwareArtifact is concluded by the SPDX data creator to be governed by each `to` license."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasDataFile" ; + rdfs:comment "The `from` Element treats each `to` Element as a data file. A data file is an artifact that stores data required or optional for the `from` Element's functionality. A data file can be a database file, an index file, a log file, an AI model file, a calibration data file, a temporary file, a backup file, and more. For AI training dataset, test dataset, test artifact, configuration data, build input data, and build output data, please consider using the more specific relationship types: `trainedOn`, `testedOn`, `hasTest`, `configures`, `hasInput`, and `hasOutput`, respectively. This relationship does not imply dependency."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasDeclaredLicense" ; + rdfs:comment "The `from` SoftwareArtifact was discovered to actually contain each `to` license, for example as detected by use of automated tooling."@en . 
+ + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasDeletedFile" ; + rdfs:comment "Every `to` Element is a file deleted from the `from` Element (`from` hasDeletedFile `to`)."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasDependencyManifest" ; + rdfs:comment "The `from` Element has manifest files that contain dependency information in each `to` Element."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasDistributionArtifact" ; + rdfs:comment "The `from` Element is distributed as an artifact in each `to` Element (e.g. an RPM or archive file)."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasDocumentation" ; + rdfs:comment "The `from` Element is documented by each `to` Element."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasDynamicLink" ; + rdfs:comment "The `from` Element dynamically links in each `to` Element, during a LifecycleScopeType period."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasEvidence" ; + rdfs:comment "Every `to` Element is considered as evidence for the `from` Element (`from` hasEvidence `to`)."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasExample" ; + rdfs:comment "Every `to` Element is an example for the `from` Element (`from` hasExample `to`)."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasHost" ; + rdfs:comment "The `from` Build was run on the `to` Element during a LifecycleScopeType period (e.g. the host that the build runs on)."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasInput" ; + rdfs:comment "The `from` Build has each `to` Element as an input, during a LifecycleScopeType period."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasMetadata" ; + rdfs:comment "Every `to` Element is metadata about the `from` Element (`from` hasMetadata `to`)."@en . 
+ + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasOptionalComponent" ; + rdfs:comment "Every `to` Element is an optional component of the `from` Element (`from` hasOptionalComponent `to`)."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasOptionalDependency" ; + rdfs:comment "The `from` Element optionally depends on each `to` Element, during a LifecycleScopeType period."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasOutput" ; + rdfs:comment "The `from` Build element generates each `to` Element as an output, during a LifecycleScopeType period."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasPrerequisite" ; + rdfs:comment "The `from` Element has a prerequisite on each `to` Element, during a LifecycleScopeType period."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasProvidedDependency" ; + rdfs:comment "The `from` Element has a dependency on each `to` Element, dependency is not in the distributed artifact, but assumed to be provided, during a LifecycleScopeType period."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasRequirement" ; + rdfs:comment "The `from` Element has a requirement on each `to` Element, during a LifecycleScopeType period."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasSpecification" ; + rdfs:comment "Every `to` Element is a specification for the `from` Element (`from` hasSpecification `to`), during a LifecycleScopeType period."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasStaticLink" ; + rdfs:comment "The `from` Element statically links in each `to` Element, during a LifecycleScopeType period."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasTest" ; + rdfs:comment "Every `to` Element is a test artifact for the `from` Element (`from` hasTest `to`), during a LifecycleScopeType period."@en . 
+ + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasTestCase" ; + rdfs:comment "Every `to` Element is a test case for the `from` Element (`from` hasTestCase `to`)."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "hasVariant" ; + rdfs:comment "Every `to` Element is a variant the `from` Element (`from` hasVariant `to`)."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "invokedBy" ; + rdfs:comment "The `from` Element was invoked by the `to` Agent, during a LifecycleScopeType period (for example, a Build element that describes a build step)."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "modifiedBy" ; + rdfs:comment "The `from` Element is modified by each `to` Element."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "other" ; + rdfs:comment "Every `to` Element is related to the `from` Element where the relationship type is not described by any of the SPDX relationship types (this relationship is directionless)."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "packagedBy" ; + rdfs:comment "Every `to` Element is a packaged instance of the `from` Element (`from` packagedBy `to`)."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "patchedBy" ; + rdfs:comment "Every `to` Element is a patch for the `from` Element (`from` patchedBy `to`)."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "publishedBy" ; + rdfs:comment "Designates a `from` Vulnerability was made available for public use or reference by each `to` Agent."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "reportedBy" ; + rdfs:comment "Designates a `from` Vulnerability was first reported to a project, vendor, or tracking database for formal identification by each `to` Agent."@en . 
+ + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "republishedBy" ; + rdfs:comment "Designates a `from` Vulnerability's details were tracked, aggregated, and/or enriched to improve context (i.e. NVD) by each `to` Agent."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "serializedInArtifact" ; + rdfs:comment "The `from` SpdxDocument can be found in a serialized form in each `to` Artifact."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "testedOn" ; + rdfs:comment "The `from` Element has been tested on the `to` Element(s)."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "trainedOn" ; + rdfs:comment "The `from` Element has been trained on the `to` Element(s)."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "underInvestigationFor" ; + rdfs:comment "The `from` Vulnerability impact is being investigated for each `to` Element. The use of the `underInvestigationFor` type is constrained to `VexUnderInvestigationVulnAssessmentRelationship` classed relationships."@en . + + a owl:NamedIndividual, + ns1:RelationshipType ; + rdfs:label "usesTool" ; + rdfs:comment "The `from` Element uses each `to` Element as a tool, during a LifecycleScopeType period."@en . + + a owl:NamedIndividual, + ns1:SupportType ; + rdfs:label "deployed" ; + rdfs:comment "in addition to being supported by the supplier, the software is known to have been deployed and is in use. For a software as a service provider, this implies the software is now available as a service."@en . + + a owl:NamedIndividual, + ns1:SupportType ; + rdfs:label "development" ; + rdfs:comment "the artifact is in active development and is not considered ready for formal support from the supplier."@en . + + a owl:NamedIndividual, + ns1:SupportType ; + rdfs:label "endOfSupport" ; + rdfs:comment "there is a defined end of support for the artifact from the supplier. This may also be referred to as end of life. 
There is a validUntilDate that can be used to signal when support ends for the artifact."@en . + + a owl:NamedIndividual, + ns1:SupportType ; + rdfs:label "limitedSupport" ; + rdfs:comment "the artifact has been released, and there is limited support available from the supplier. There is a validUntilDate that can provide additional information about the duration of support."@en . + + a owl:NamedIndividual, + ns1:SupportType ; + rdfs:label "noAssertion" ; + rdfs:comment "no assertion about the type of support is made. This is considered the default if no other support type is used."@en . + + a owl:NamedIndividual, + ns1:SupportType ; + rdfs:label "noSupport" ; + rdfs:comment "there is no support for the artifact from the supplier, consumer assumes any support obligations."@en . + + a owl:NamedIndividual, + ns1:SupportType ; + rdfs:label "support" ; + rdfs:comment "the artifact has been released, and is supported from the supplier. There is a validUntilDate that can provide additional information about the duration of support."@en . + +ns1:annotationType a owl:ObjectProperty ; + rdfs:comment "Describes the type of annotation."@en ; + rdfs:range ns1:AnnotationType . + +ns1:beginIntegerRange a owl:DatatypeProperty ; + rdfs:comment "Defines the beginning of a range."@en ; + rdfs:range xsd:positiveInteger . + +ns1:builtTime a owl:DatatypeProperty ; + rdfs:comment "Specifies the time an artifact was built."@en ; + rdfs:range xsd:dateTimeStamp . + +ns1:completeness a owl:ObjectProperty ; + rdfs:comment "Provides information about the completeness of relationships."@en ; + rdfs:range ns1:RelationshipCompleteness . + +ns1:context a owl:DatatypeProperty ; + rdfs:comment """Gives information about the circumstances or unifying properties +that Elements of the bundle have been assembled under."""@en ; + rdfs:range xsd:string . + +ns1:created a owl:DatatypeProperty ; + rdfs:comment "Identifies when the Element was originally created."@en ; + rdfs:range xsd:dateTimeStamp . 
+ +ns1:createdBy a owl:ObjectProperty ; + rdfs:comment "Identifies who or what created the Element."@en ; + rdfs:range ns1:Agent . + +ns1:createdUsing a owl:ObjectProperty ; + rdfs:comment "Identifies the tooling that was used during the creation of the Element."@en ; + rdfs:range ns1:Tool . + +ns1:creationInfo a owl:ObjectProperty ; + rdfs:comment "Provides information about the creation of the Element."@en ; + rdfs:range ns1:CreationInfo . + +ns1:dataLicense a owl:ObjectProperty ; + rdfs:comment """Provides the license under which the SPDX documentation of the Element can be +used."""@en ; + rdfs:range . + +ns1:definingArtifact a owl:ObjectProperty ; + rdfs:comment """Artifact representing a serialization instance of SPDX data containing the +definition of a particular Element."""@en ; + rdfs:range ns1:Artifact . + +ns1:description a owl:DatatypeProperty ; + rdfs:comment "Provides a detailed description of the Element."@en ; + rdfs:range xsd:string . + +ns1:element a owl:ObjectProperty ; + rdfs:comment "Refers to one or more Elements that are part of an ElementCollection."@en ; + rdfs:range ns1:Element . + +ns1:endIntegerRange a owl:DatatypeProperty ; + rdfs:comment "Defines the end of a range."@en ; + rdfs:range xsd:positiveInteger . + +ns1:endTime a owl:DatatypeProperty ; + rdfs:comment "Specifies the time from which an element is no longer applicable / valid."@en ; + rdfs:range xsd:dateTimeStamp . + +ns1:extension a owl:ObjectProperty ; + rdfs:comment "Specifies an Extension characterization of some aspect of an Element."@en ; + rdfs:range . + +ns1:externalIdentifier a owl:ObjectProperty ; + rdfs:comment """Provides a reference to a resource outside the scope of SPDX-3.0 content +that uniquely identifies an Element."""@en ; + rdfs:range ns1:ExternalIdentifier . + +ns1:externalIdentifierType a owl:ObjectProperty ; + rdfs:comment "Specifies the type of the external identifier."@en ; + rdfs:range ns1:ExternalIdentifierType . 
+ +ns1:externalRef a owl:ObjectProperty ; + rdfs:comment """Points to a resource outside the scope of the SPDX-3.0 content +that provides additional characteristics of an Element."""@en ; + rdfs:range ns1:ExternalRef . + +ns1:externalRefType a owl:ObjectProperty ; + rdfs:comment "Specifies the type of the external reference."@en ; + rdfs:range ns1:ExternalRefType . + +ns1:externalSpdxId a owl:DatatypeProperty ; + rdfs:comment """Identifies an external Element used within an SpdxDocument but defined +external to that SpdxDocument."""@en ; + rdfs:range xsd:anyURI . + +ns1:from a owl:ObjectProperty ; + rdfs:comment "References the Element on the left-hand side of a relationship."@en ; + rdfs:range ns1:Element . + +ns1:identifier a owl:DatatypeProperty ; + rdfs:comment "Uniquely identifies an external element."@en ; + rdfs:range xsd:string . + +ns1:identifierLocator a owl:DatatypeProperty ; + rdfs:comment "Provides the location for more information regarding an external identifier."@en ; + rdfs:range xsd:anyURI . + +ns1:import a owl:ObjectProperty ; + rdfs:comment "Provides an ExternalMap of Element identifiers."@en ; + rdfs:range ns1:ExternalMap . + +ns1:issuingAuthority a owl:DatatypeProperty ; + rdfs:comment "An entity that is authorized to issue identification credentials."@en ; + rdfs:range xsd:string . + +ns1:key a owl:DatatypeProperty ; + rdfs:comment "A key used in a generic key-value pair."@en ; + rdfs:range xsd:string . + +ns1:locationHint a owl:DatatypeProperty ; + rdfs:comment "Provides an indication of where to retrieve an external Element."@en ; + rdfs:range xsd:anyURI . + +ns1:locator a owl:DatatypeProperty ; + rdfs:comment "Provides the location of an external reference."@en ; + rdfs:range xsd:string . + +ns1:name a owl:DatatypeProperty ; + rdfs:comment "Identifies the name of an Element as designated by the creator."@en ; + rdfs:range xsd:string . 
+ +ns1:namespace a owl:DatatypeProperty ; + rdfs:comment """Provides an unambiguous mechanism for conveying a URI fragment portion of an +Element ID."""@en ; + rdfs:range xsd:anyURI . + +ns1:namespaceMap a owl:ObjectProperty ; + rdfs:comment "Provides a NamespaceMap of prefixes and associated namespace partial URIs applicable to an SpdxDocument and independent of any specific serialization format or instance."@en ; + rdfs:range ns1:NamespaceMap . + +ns1:originatedBy a owl:ObjectProperty ; + rdfs:comment "Identifies from where or whom the Element originally came."@en ; + rdfs:range ns1:Agent . + +ns1:packageVerificationCodeExcludedFile a owl:DatatypeProperty ; + rdfs:comment """The relative file name of a file to be excluded from the +`PackageVerificationCode`."""@en ; + rdfs:range xsd:string . + +ns1:prefix a owl:DatatypeProperty ; + rdfs:comment "A substitute for a URI."@en ; + rdfs:range xsd:string . + +ns1:profileConformance a owl:ObjectProperty ; + rdfs:comment """Describes one a profile which the creator of this ElementCollection intends to +conform to."""@en ; + rdfs:range ns1:ProfileIdentifierType . + +ns1:relationshipType a owl:ObjectProperty ; + rdfs:comment "Information about the relationship between two Elements."@en ; + rdfs:range ns1:RelationshipType . + +ns1:releaseTime a owl:DatatypeProperty ; + rdfs:comment "Specifies the time an artifact was released."@en ; + rdfs:range xsd:dateTimeStamp . + +ns1:rootElement a owl:ObjectProperty ; + rdfs:comment "This property is used to denote the root Element(s) of a tree of elements contained in a BOM."@en ; + rdfs:range ns1:Element . + +ns1:scope a owl:ObjectProperty ; + rdfs:comment "Capture the scope of information about a specific relationship between elements."@en ; + rdfs:range ns1:LifecycleScopeType . + +ns1:specVersion a owl:DatatypeProperty ; + rdfs:comment """Provides a reference number that can be used to understand how to parse and +interpret an Element."""@en ; + rdfs:range xsd:string . 
+ +ns1:standardName a owl:DatatypeProperty ; + rdfs:comment "The name of a relevant standard that may apply to an artifact."@en ; + rdfs:range xsd:string . + +ns1:startTime a owl:DatatypeProperty ; + rdfs:comment "Specifies the time from which an element is applicable / valid."@en ; + rdfs:range xsd:dateTimeStamp . + +ns1:statement a owl:DatatypeProperty ; + rdfs:comment "Commentary on an assertion that an annotator has made."@en ; + rdfs:range xsd:string . + +ns1:subject a owl:ObjectProperty ; + rdfs:comment "An Element an annotator has made an assertion about."@en ; + rdfs:range ns1:Element . + +ns1:summary a owl:DatatypeProperty ; + rdfs:comment "A short description of an Element."@en ; + rdfs:range xsd:string . + +ns1:supportLevel a owl:ObjectProperty ; + rdfs:comment "Specifies the level of support associated with an artifact."@en ; + rdfs:range ns1:SupportType . + +ns1:to a owl:ObjectProperty ; + rdfs:comment "References an Element on the right-hand side of a relationship."@en ; + rdfs:range ns1:Element . + +ns1:validUntilTime a owl:DatatypeProperty ; + rdfs:comment """Specifies until when the artifact can be used before its usage needs to be +reassessed."""@en ; + rdfs:range xsd:dateTimeStamp . + +ns1:value a owl:DatatypeProperty ; + rdfs:comment "A value used in a generic key-value pair."@en ; + rdfs:range xsd:string . + + a owl:NamedIndividual, + ns4:ConfidentialityLevelType ; + rdfs:label "amber" ; + rdfs:comment "Data points in the dataset can be shared only with specific organizations and their clients on a need to know basis."@en . + + a owl:NamedIndividual, + ns4:ConfidentialityLevelType ; + rdfs:label "clear" ; + rdfs:comment "Dataset may be distributed freely, without restriction."@en . + + a owl:NamedIndividual, + ns4:ConfidentialityLevelType ; + rdfs:label "green" ; + rdfs:comment "Dataset can be shared within a community of peers and partners."@en . 
+ + a owl:NamedIndividual, + ns4:ConfidentialityLevelType ; + rdfs:label "red" ; + rdfs:comment "Data points in the dataset are highly confidential and can only be shared with named recipients."@en . + + a owl:NamedIndividual, + ns4:DatasetAvailabilityType ; + rdfs:label "clickthrough" ; + rdfs:comment "the dataset is not publicly available and can only be accessed after affirmatively accepting terms on a clickthrough webpage."@en . + + a owl:NamedIndividual, + ns4:DatasetAvailabilityType ; + rdfs:label "directDownload" ; + rdfs:comment "the dataset is publicly available and can be downloaded directly."@en . + + a owl:NamedIndividual, + ns4:DatasetAvailabilityType ; + rdfs:label "query" ; + rdfs:comment "the dataset is publicly available, but not all at once, and can only be accessed through queries which return parts of the dataset."@en . + + a owl:NamedIndividual, + ns4:DatasetAvailabilityType ; + rdfs:label "registration" ; + rdfs:comment "the dataset is not publicly available and an email registration is required before accessing the dataset, although without an affirmative acceptance of terms."@en . + + a owl:NamedIndividual, + ns4:DatasetAvailabilityType ; + rdfs:label "scrapingScript" ; + rdfs:comment "the dataset provider is not making available the underlying data and the dataset must be reassembled, typically using the provided script for scraping the data."@en . + + a owl:NamedIndividual, + ns4:DatasetType ; + rdfs:label "audio" ; + rdfs:comment "data is audio based, such as a collection of music from the 80s."@en . + + a owl:NamedIndividual, + ns4:DatasetType ; + rdfs:label "categorical" ; + rdfs:comment "data that is classified into a discrete number of categories, such as the eye color of a population of people."@en . + + a owl:NamedIndividual, + ns4:DatasetType ; + rdfs:label "graph" ; + rdfs:comment "data is in the form of a graph where entries are somehow related to each other through edges, such a social network of friends."@en . 
+ + a owl:NamedIndividual, + ns4:DatasetType ; + rdfs:label "image" ; + rdfs:comment "data is a collection of images such as pictures of animals."@en . + + a owl:NamedIndividual, + ns4:DatasetType ; + rdfs:label "noAssertion" ; + rdfs:comment "data type is not known."@en . + + a owl:NamedIndividual, + ns4:DatasetType ; + rdfs:label "numeric" ; + rdfs:comment "data consists only of numeric entries."@en . + + a owl:NamedIndividual, + ns4:DatasetType ; + rdfs:label "other" ; + rdfs:comment "data is of a type not included in this list."@en . + + a owl:NamedIndividual, + ns4:DatasetType ; + rdfs:label "sensor" ; + rdfs:comment "data is recorded from a physical sensor, such as a thermometer reading or biometric device."@en . + + a owl:NamedIndividual, + ns4:DatasetType ; + rdfs:label "structured" ; + rdfs:comment "data is stored in tabular format or retrieved from a relational database."@en . + + a owl:NamedIndividual, + ns4:DatasetType ; + rdfs:label "syntactic" ; + rdfs:comment "data describes the syntax or semantics of a language or text, such as a parse tree used for natural language processing."@en . + + a owl:NamedIndividual, + ns4:DatasetType ; + rdfs:label "text" ; + rdfs:comment "data consists of unstructured text, such as a book, Wikipedia article (without images), or transcript."@en . + + a owl:NamedIndividual, + ns4:DatasetType ; + rdfs:label "timeseries" ; + rdfs:comment "data is recorded in an ordered sequence of timestamped entries, such as the price of a stock over the course of a day."@en . + + a owl:NamedIndividual, + ns4:DatasetType ; + rdfs:label "timestamp" ; + rdfs:comment "data is recorded with a timestamp for each entry, but not necessarily ordered or at specific intervals, such as when a taxi ride starts and ends."@en . + + a owl:NamedIndividual, + ns4:DatasetType ; + rdfs:label "video" ; + rdfs:comment "data is video based, such as a collection of movie clips featuring Tom Hanks."@en . 
+ +ns4:anonymizationMethodUsed a owl:DatatypeProperty ; + rdfs:comment "Describes the anonymization methods used."@en ; + rdfs:range xsd:string . + +ns4:confidentialityLevel a owl:ObjectProperty ; + rdfs:comment "Describes the confidentiality level of the data points contained in the dataset."@en ; + rdfs:range ns4:ConfidentialityLevelType . + +ns4:dataCollectionProcess a owl:DatatypeProperty ; + rdfs:comment "Describes how the dataset was collected."@en ; + rdfs:range xsd:string . + +ns4:dataPreprocessing a owl:DatatypeProperty ; + rdfs:comment "Describes the preprocessing steps that were applied to the raw data to create the given dataset."@en ; + rdfs:range xsd:string . + +ns4:datasetAvailability a owl:ObjectProperty ; + rdfs:comment "The field describes the availability of a dataset."@en ; + rdfs:range ns4:DatasetAvailabilityType . + +ns4:datasetNoise a owl:DatatypeProperty ; + rdfs:comment "Describes potentially noisy elements of the dataset."@en ; + rdfs:range xsd:string . + +ns4:datasetSize a owl:DatatypeProperty ; + rdfs:comment "Captures the size of the dataset."@en ; + rdfs:range xsd:nonNegativeInteger . + +ns4:datasetType a owl:ObjectProperty ; + rdfs:comment "Describes the type of the given dataset."@en ; + rdfs:range ns4:DatasetType . + +ns4:datasetUpdateMechanism a owl:DatatypeProperty ; + rdfs:comment "Describes a mechanism to update the dataset."@en ; + rdfs:range xsd:string . + +ns4:hasSensitivePersonalInformation a owl:ObjectProperty ; + rdfs:comment "Describes if any sensitive personal information is present in the dataset."@en ; + rdfs:range ns1:PresenceType . + +ns4:intendedUse a owl:DatatypeProperty ; + rdfs:comment "Describes what the given dataset should be used for."@en ; + rdfs:range xsd:string . + +ns4:knownBias a owl:DatatypeProperty ; + rdfs:comment "Records the biases that the dataset is known to encompass."@en ; + rdfs:range xsd:string . 
+ +ns4:sensor a owl:ObjectProperty ; + rdfs:comment "Describes a sensor used for collecting the data."@en ; + rdfs:range ns1:DictionaryEntry . + +ns6:additionText a owl:DatatypeProperty ; + rdfs:comment "Identifies the full text of a LicenseAddition."@en ; + rdfs:range xsd:string . + +ns6:isDeprecatedAdditionId a owl:DatatypeProperty ; + rdfs:comment "Specifies whether an additional text identifier has been marked as deprecated."@en ; + rdfs:range xsd:boolean . + +ns6:isDeprecatedLicenseId a owl:DatatypeProperty ; + rdfs:comment """Specifies whether a license or additional text identifier has been marked as +deprecated."""@en ; + rdfs:range xsd:boolean . + +ns6:isFsfLibre a owl:DatatypeProperty ; + rdfs:comment """Specifies whether the License is listed as free by the +Free Software Foundation (FSF)."""@en ; + rdfs:range xsd:boolean . + +ns6:isOsiApproved a owl:DatatypeProperty ; + rdfs:comment """Specifies whether the License is listed as approved by the +Open Source Initiative (OSI)."""@en ; + rdfs:range xsd:boolean . + +ns6:standardAdditionTemplate a owl:DatatypeProperty ; + rdfs:comment "Identifies the full text of a LicenseAddition, in SPDX templating format."@en ; + rdfs:range xsd:string . + +ns6:standardLicenseHeader a owl:DatatypeProperty ; + rdfs:comment """Provides a License author's preferred text to indicate that a file is covered +by the License."""@en ; + rdfs:range xsd:string . + +ns6:standardLicenseTemplate a owl:DatatypeProperty ; + rdfs:comment "Identifies the full text of a License, in SPDX templating format."@en ; + rdfs:range xsd:string . + +ns6:subjectAddition a owl:ObjectProperty ; + rdfs:comment "A LicenseAddition participating in a 'with addition' model."@en ; + rdfs:range ns6:LicenseAddition . + +ns6:subjectExtendableLicense a owl:ObjectProperty ; + rdfs:comment "A License participating in a 'with addition' model."@en ; + rdfs:range ns6:ExtendableLicense . 
+ +ns6:subjectLicense a owl:ObjectProperty ; + rdfs:comment "A License participating in an 'or later' model."@en ; + rdfs:range ns6:License . + + a owl:DatatypeProperty ; + rdfs:comment "A name used in a CdxPropertyEntry name-value pair."@en ; + rdfs:range xsd:string . + + a owl:DatatypeProperty ; + rdfs:comment "A value used in a CdxPropertyEntry name-value pair."@en ; + rdfs:range xsd:string . + + a owl:ObjectProperty ; + rdfs:comment "Provides a map of a property names to a values."@en ; + rdfs:range . + + a owl:NamedIndividual, + ns2:ExploitCatalogType ; + rdfs:label "kev" ; + rdfs:comment "CISA's Known Exploited Vulnerability (KEV) Catalog"@en . + + a owl:NamedIndividual, + ns2:ExploitCatalogType ; + rdfs:label "other" ; + rdfs:comment "Other exploit catalogs"@en . + + a owl:NamedIndividual, + ns2:SsvcDecisionType ; + rdfs:label "act" ; + rdfs:comment "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."@en . + + a owl:NamedIndividual, + ns2:SsvcDecisionType ; + rdfs:label "attend" ; + rdfs:comment "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions include requesting assistance or information about the vulnerability, and may involve publishing a notification either internally and/or externally. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."@en . + + a owl:NamedIndividual, + ns2:SsvcDecisionType ; + rdfs:label "track" ; + rdfs:comment "The vulnerability does not require action at this time. 
The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."@en . + + a owl:NamedIndividual, + ns2:SsvcDecisionType ; + rdfs:label "trackStar" ; + rdfs:comment "(\"Track\\*\" in the SSVC spec) The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track\\* vulnerabilities within standard update timelines."@en . + + a owl:NamedIndividual, + ns2:VexJustificationType ; + rdfs:label "componentNotPresent" ; + rdfs:comment "The software is not affected because the vulnerable component is not in the product."@en . + + a owl:NamedIndividual, + ns2:VexJustificationType ; + rdfs:label "inlineMitigationsAlreadyExist" ; + rdfs:comment "Built-in inline controls or mitigations prevent an adversary from leveraging the vulnerability."@en . + + a owl:NamedIndividual, + ns2:VexJustificationType ; + rdfs:label "vulnerableCodeCannotBeControlledByAdversary" ; + rdfs:comment "The vulnerable component is present, and the component contains the vulnerable code. However, vulnerable code is used in such a way that an attacker cannot mount any anticipated attack."@en . + + a owl:NamedIndividual, + ns2:VexJustificationType ; + rdfs:label "vulnerableCodeNotInExecutePath" ; + rdfs:comment "The affected code is not reachable through the execution of the code, including non-anticipated states of the product."@en . + + a owl:NamedIndividual, + ns2:VexJustificationType ; + rdfs:label "vulnerableCodeNotPresent" ; + rdfs:comment "The product is not affected because the code underlying the vulnerability is not present in the product."@en . + +ns2:actionStatement a owl:DatatypeProperty ; + rdfs:comment """Provides advise on how to mitigate or remediate a vulnerability when a VEX product +is affected by it."""@en ; + rdfs:range xsd:string . 
+ +ns2:actionStatementTime a owl:DatatypeProperty ; + rdfs:comment """Records the time when a recommended action was communicated in a VEX statement +to mitigate a vulnerability."""@en ; + rdfs:range xsd:dateTimeStamp . + +ns2:assessedElement a owl:ObjectProperty ; + rdfs:comment """Specifies an Element contained in a piece of software where a vulnerability was +found."""@en ; + rdfs:range ns3:SoftwareArtifact . + +ns2:catalogType a owl:ObjectProperty ; + rdfs:comment "Specifies the exploit catalog type."@en ; + rdfs:range ns2:ExploitCatalogType . + +ns2:decisionType a owl:ObjectProperty ; + rdfs:comment """Provide the enumeration of possible decisions in the +[Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc)."""@en ; + rdfs:range ns2:SsvcDecisionType . + +ns2:exploited a owl:DatatypeProperty ; + rdfs:comment "Describe that a CVE is known to have an exploit because it's been listed in an exploit catalog."@en ; + rdfs:range xsd:boolean . + +ns2:impactStatement a owl:DatatypeProperty ; + rdfs:comment """Explains why a VEX product is not affected by a vulnerability. It is an +alternative in VexNotAffectedVulnAssessmentRelationship to the machine-readable +justification label."""@en ; + rdfs:range xsd:string . + +ns2:impactStatementTime a owl:DatatypeProperty ; + rdfs:comment "Timestamp of impact statement."@en ; + rdfs:range xsd:dateTimeStamp . + +ns2:justificationType a owl:ObjectProperty ; + rdfs:comment """Impact justification label to be used when linking a vulnerability to an element +representing a VEX product with a VexNotAffectedVulnAssessmentRelationship +relationship."""@en ; + rdfs:range ns2:VexJustificationType . + +ns2:locator a owl:DatatypeProperty ; + rdfs:comment "Provides the location of an exploit catalog."@en ; + rdfs:range xsd:anyURI . 
+ +ns2:percentile a owl:DatatypeProperty ; + rdfs:comment "The percentile of the current probability score."@en ; + rdfs:range xsd:decimal . + +ns2:probability a owl:DatatypeProperty ; + rdfs:comment "A probability score between 0 and 1 of a vulnerability being exploited."@en ; + rdfs:range xsd:decimal . + +ns2:statusNotes a owl:DatatypeProperty ; + rdfs:comment "Conveys information about how VEX status was determined."@en ; + rdfs:range xsd:string . + +ns2:vexVersion a owl:DatatypeProperty ; + rdfs:comment "Specifies the version of a VEX statement."@en ; + rdfs:range xsd:string . + + a owl:ObjectProperty ; + rdfs:comment """Maps a LicenseRef or AdditionRef string for a Custom License or a Custom +License Addition to its URI ID."""@en ; + rdfs:range ns1:DictionaryEntry . + + a owl:DatatypeProperty ; + rdfs:comment "A string in the license expression format."@en ; + rdfs:range xsd:string . + + a owl:DatatypeProperty ; + rdfs:comment "The version of the SPDX License List used in the license expression."@en ; + rdfs:range xsd:string . + + a owl:NamedIndividual, + ns3:ContentIdentifierType ; + rdfs:label "gitoid" ; + rdfs:comment "[Gitoid](https://www.iana.org/assignments/uri-schemes/prov/gitoid), stands for [Git Object ID](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects). A gitoid of type blob is a unique hash of a binary artifact. 
A gitoid may represent either an [Artifact Identifier](https://github.com/omnibor/spec/blob/eb1ee5c961c16215eb8709b2975d193a2007a35d/spec/SPEC.md#artifact-identifier-types) for the software artifact or an [Input Manifest Identifier](https://github.com/omnibor/spec/blob/eb1ee5c961c16215eb8709b2975d193a2007a35d/spec/SPEC.md#input-manifest-identifier) for the software artifact's associated [Artifact Input Manifest](https://github.com/omnibor/spec/blob/eb1ee5c961c16215eb8709b2975d193a2007a35d/spec/SPEC.md#artifact-input-manifest); this ambiguity exists because the Artifact Input Manifest is itself an artifact, and the gitoid of that artifact is its valid identifier. Gitoids calculated on software artifacts (Snippet, File, or Package Elements) should be recorded in the SPDX 3.0 SoftwareArtifact's contentIdentifier property. Gitoids calculated on the Artifact Input Manifest (Input Manifest Identifier) should be recorded in the SPDX 3.0 Element's externalIdentifier property. See [OmniBOR Specification](https://github.com/omnibor/spec/), a minimalistic specification for describing software [Artifact Dependency Graphs](https://github.com/omnibor/spec/blob/eb1ee5c961c16215eb8709b2975d193a2007a35d/spec/SPEC.md#artifact-dependency-graph-adg)."@en . + + a owl:NamedIndividual, + ns3:ContentIdentifierType ; + rdfs:label "swhid" ; + rdfs:comment "SoftWare Hash IDentifier, a persistent intrinsic identifier for digital artifacts, such as files, trees (also known as directories or folders), commits, and other objects typically found in version control systems. The format of the identifiers is defined in the [SWHID specification](https://www.swhid.org/specification/v1.1/4.Syntax) (ISO/IEC DIS 18670). They typically look like `swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2`."@en . + + a owl:NamedIndividual, + ns3:FileKindType ; + rdfs:label "directory" ; + rdfs:comment "The file represents a directory and all content stored in that directory."@en . 
+ + a owl:NamedIndividual, + ns3:FileKindType ; + rdfs:label "file" ; + rdfs:comment "The file represents a single file (default)."@en . + + a owl:NamedIndividual, + ns3:SbomType ; + rdfs:label "analyzed" ; + rdfs:comment "SBOM generated through analysis of artifacts (e.g., executables, packages, containers, and virtual machine images) after its build. Such analysis generally requires a variety of heuristics. In some contexts, this may also be referred to as a \"3rd party\" SBOM."@en . + + a owl:NamedIndividual, + ns3:SbomType ; + rdfs:label "build" ; + rdfs:comment "SBOM generated as part of the process of building the software to create a releasable artifact (e.g., executable or package) from data such as source files, dependencies, built components, build process ephemeral data, and other SBOMs."@en . + + a owl:NamedIndividual, + ns3:SbomType ; + rdfs:label "deployed" ; + rdfs:comment "SBOM provides an inventory of software that is present on a system. This may be an assembly of other SBOMs that combines analysis of configuration options, and examination of execution behavior in a (potentially simulated) deployment environment."@en . + + a owl:NamedIndividual, + ns3:SbomType ; + rdfs:label "design" ; + rdfs:comment "SBOM of intended, planned software project or product with included components (some of which may not yet exist) for a new software artifact."@en . + + a owl:NamedIndividual, + ns3:SbomType ; + rdfs:label "runtime" ; + rdfs:comment "SBOM generated through instrumenting the system running the software, to capture only components present in the system, as well as external call-outs or dynamically loaded components. In some contexts, this may also be referred to as an \"Instrumented\" or \"Dynamic\" SBOM."@en . + + a owl:NamedIndividual, + ns3:SbomType ; + rdfs:label "source" ; + rdfs:comment "SBOM created directly from the development environment, source files, and included dependencies used to build an product artifact."@en . 
+ +ns3:additionalPurpose a owl:ObjectProperty ; + rdfs:comment "Provides additional purpose information of the software artifact."@en ; + rdfs:range ns3:SoftwarePurpose . + +ns3:attributionText a owl:DatatypeProperty ; + rdfs:comment """Provides a place for the SPDX data creator to record acknowledgement text for +a software Package, File or Snippet."""@en ; + rdfs:range xsd:string . + +ns3:byteRange a owl:DatatypeProperty ; + rdfs:comment """Defines the byte range in the original host file that the snippet information +applies to."""@en ; + rdfs:range ns1:PositiveIntegerRange . + +ns3:contentIdentifier a owl:DatatypeProperty ; + rdfs:comment """A canonical, unique, immutable identifier of the artifact content, that may be +used for verifying its identity and/or integrity."""@en ; + rdfs:range ns3:ContentIdentifier . + +ns3:contentIdentifierType a owl:ObjectProperty ; + rdfs:comment "Specifies the type of the content identifier."@en ; + rdfs:range ns3:ContentIdentifierType . + +ns3:contentIdentifierValue a owl:DatatypeProperty ; + rdfs:comment "Specifies the value of the content identifier."@en ; + rdfs:range xsd:anyURI . + +ns3:copyrightText a owl:DatatypeProperty ; + rdfs:comment """Identifies the text of one or more copyright notices for a software Package, +File or Snippet, if any."""@en ; + rdfs:range xsd:string . + +ns3:downloadLocation a owl:DatatypeProperty ; + rdfs:comment """Identifies the download Uniform Resource Identifier for the package at the time +that the document was created."""@en ; + rdfs:range xsd:anyURI . + +ns3:fileKind a owl:ObjectProperty ; + rdfs:comment "Describes if a given file is a directory or non-directory kind of file."@en ; + rdfs:range ns3:FileKindType . + +ns3:homePage a owl:DatatypeProperty ; + rdfs:comment """A place for the SPDX document creator to record a website that serves as the +package's home page."""@en ; + rdfs:range xsd:anyURI . 
+ +ns3:lineRange a owl:DatatypeProperty ; + rdfs:comment """Defines the line range in the original host file that the snippet information +applies to."""@en ; + rdfs:range ns1:PositiveIntegerRange . + +ns3:packageUrl a owl:DatatypeProperty ; + rdfs:comment """Provides a place for the SPDX data creator to record the package URL string +(in accordance with the Package URL specification) for a software Package."""@en ; + rdfs:range xsd:anyURI . + +ns3:packageVersion a owl:DatatypeProperty ; + rdfs:comment "Identify the version of a package."@en ; + rdfs:range xsd:string . + +ns3:primaryPurpose a owl:ObjectProperty ; + rdfs:comment "Provides information about the primary purpose of the software artifact."@en ; + rdfs:range ns3:SoftwarePurpose . + +ns3:sbomType a owl:ObjectProperty ; + rdfs:comment "Provides information about the type of an SBOM."@en ; + rdfs:range ns3:SbomType . + +ns3:snippetFromFile a owl:ObjectProperty ; + rdfs:comment "Defines the original host file that the snippet information applies to."@en ; + rdfs:range ns3:File . + +ns3:sourceInfo a owl:DatatypeProperty ; + rdfs:comment """Records any relevant background information or additional comments +about the origin of the package."""@en ; + rdfs:range xsd:string . + +ns5:EnergyConsumption a owl:Class, + sh:NodeShape ; + rdfs:comment """A class for describing the energy consumption incurred by an AI model in +different stages of its lifecycle."""@en ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:property [ sh:class ns5:EnergyConsumptionDescription ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ns5:inferenceEnergyConsumption ], + [ sh:class ns5:EnergyConsumptionDescription ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ns5:trainingEnergyConsumption ], + [ sh:class ns5:EnergyConsumptionDescription ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ns5:finetuningEnergyConsumption ] . 
+ +ns1:ExternalIdentifier a owl:Class, + sh:NodeShape ; + rdfs:comment "A reference to a resource identifier defined outside the scope of SPDX-3.0 content that uniquely identifies an Element."@en ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:property [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:identifier ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:issuingAuthority ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:comment ], + [ sh:datatype xsd:anyURI ; + sh:nodeKind sh:Literal ; + sh:path ns1:identifierLocator ], + [ sh:class ns1:ExternalIdentifierType ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns1:externalIdentifierType ] . + +ns1:ExternalMap a owl:Class, + sh:NodeShape ; + rdfs:comment """A map of Element identifiers that are used within an SpdxDocument but defined +external to that SpdxDocument."""@en ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:property [ sh:datatype xsd:anyURI ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:externalSpdxId ], + [ sh:datatype xsd:anyURI ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:locationHint ], + [ sh:class ns1:IntegrityMethod ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ns1:verifiedUsing ], + [ sh:class ns1:Artifact ; + sh:maxCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns1:definingArtifact ] . 
+ +ns1:ExternalRef a owl:Class, + sh:NodeShape ; + rdfs:comment "A reference to a resource outside the scope of SPDX-3.0 content related to an Element."@en ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:property [ sh:datatype xsd:string ; + sh:nodeKind sh:Literal ; + sh:path ns1:locator ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:contentType ; + sh:pattern "^[^\\/]+\\/[^\\/]+$" ], + [ sh:class ns1:ExternalRefType ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns1:externalRefType ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:comment ] . + +ns1:Hash a owl:Class, + sh:NodeShape ; + rdfs:comment "A mathematically calculated representation of a grouping of data."@en ; + rdfs:subClassOf ns1:IntegrityMethod ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:property [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:hashValue ], + [ sh:class ns1:HashAlgorithm ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns1:algorithm ] . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "adler32" ; + rdfs:comment "Adler-32 checksum is part of the widely used zlib compression library as defined in [RFC 1950](https://datatracker.ietf.org/doc/rfc1950/) Section 2.3."@en . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "blake2b256" ; + rdfs:comment "BLAKE2b algorithm with a digest size of 256, as defined in [RFC 7693](https://datatracker.ietf.org/doc/rfc7693/) Section 4."@en . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "blake2b384" ; + rdfs:comment "BLAKE2b algorithm with a digest size of 384, as defined in [RFC 7693](https://datatracker.ietf.org/doc/rfc7693/) Section 4."@en . 
+ + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "blake2b512" ; + rdfs:comment "BLAKE2b algorithm with a digest size of 512, as defined in [RFC 7693](https://datatracker.ietf.org/doc/rfc7693/) Section 4."@en . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "blake3" ; + rdfs:comment "[BLAKE3](https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf)"@en . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "crystalsDilithium" ; + rdfs:comment "[Dilithium](https://pq-crystals.org/dilithium/)"@en . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "crystalsKyber" ; + rdfs:comment "[Kyber](https://pq-crystals.org/kyber/)"@en . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "falcon" ; + rdfs:comment "[FALCON](https://falcon-sign.info/falcon.pdf)"@en . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "md2" ; + rdfs:comment "MD2 message-digest algorithm, as defined in [RFC 1319](https://datatracker.ietf.org/doc/rfc1319/)."@en . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "md4" ; + rdfs:comment "MD4 message-digest algorithm, as defined in [RFC 1186](https://datatracker.ietf.org/doc/rfc1186/)."@en . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "md5" ; + rdfs:comment "MD5 message-digest algorithm, as defined in [RFC 1321](https://datatracker.ietf.org/doc/rfc1321/)."@en . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "md6" ; + rdfs:comment "[MD6 hash function](https://people.csail.mit.edu/rivest/pubs/RABCx08.pdf)"@en . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "other" ; + rdfs:comment "any hashing algorithm that does not exist in this list of entries"@en . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "sha1" ; + rdfs:comment "SHA-1, a secure hashing algorithm, as defined in [RFC 3174](https://datatracker.ietf.org/doc/rfc3174/)."@en . 
+ + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "sha224" ; + rdfs:comment "SHA-2 with a digest length of 224, as defined in [RFC 3874](https://datatracker.ietf.org/doc/rfc3874/)."@en . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "sha256" ; + rdfs:comment "SHA-2 with a digest length of 256, as defined in [RFC 6234](https://datatracker.ietf.org/doc/rfc6234/)."@en . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "sha384" ; + rdfs:comment "SHA-2 with a digest length of 384, as defined in [RFC 6234](https://datatracker.ietf.org/doc/rfc6234/)."@en . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "sha3_224" ; + rdfs:comment "SHA-3 with a digest length of 224, as defined in [FIPS 202](https://csrc.nist.gov/pubs/fips/202/final)."@en . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "sha3_256" ; + rdfs:comment "SHA-3 with a digest length of 256, as defined in [FIPS 202](https://csrc.nist.gov/pubs/fips/202/final)."@en . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "sha3_384" ; + rdfs:comment "SHA-3 with a digest length of 384, as defined in [FIPS 202](https://csrc.nist.gov/pubs/fips/202/final)."@en . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "sha3_512" ; + rdfs:comment "SHA-3 with a digest length of 512, as defined in [FIPS 202](https://csrc.nist.gov/pubs/fips/202/final)."@en . + + a owl:NamedIndividual, + ns1:HashAlgorithm ; + rdfs:label "sha512" ; + rdfs:comment "SHA-2 with a digest length of 512, as defined in [RFC 6234](https://datatracker.ietf.org/doc/rfc6234/)."@en . + +ns1:IndividualElement a owl:Class ; + rdfs:comment """A concrete subclass of Element used by Individuals in the +Core profile."""@en ; + rdfs:subClassOf ns1:Element ; + sh:nodeKind sh:IRI . 
+ +ns1:NamespaceMap a owl:Class, + sh:NodeShape ; + rdfs:comment "A mapping between prefixes and namespace partial URIs."@en ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:property [ sh:datatype xsd:anyURI ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:namespace ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:prefix ] . + +ns1:Relationship a owl:Class, + sh:NodeShape ; + rdfs:comment "Describes a relationship between one or more elements."@en ; + rdfs:subClassOf ns1:Element ; + sh:nodeKind sh:IRI ; + sh:property [ sh:class ns1:RelationshipCompleteness ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns1:completeness ], + [ sh:datatype xsd:dateTimeStamp ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:endTime ; + sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ], + [ sh:class ns1:Element ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns1:to ], + [ sh:class ns1:Element ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns1:from ], + [ sh:class ns1:RelationshipType ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns1:relationshipType ], + [ sh:datatype xsd:dateTimeStamp ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:startTime ; + sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ] . + +ns1:Tool a owl:Class ; + rdfs:comment "An element of hardware and/or software utilized to carry out a particular function."@en ; + rdfs:subClassOf ns1:Element ; + sh:nodeKind sh:IRI . + +ns1:algorithm a owl:ObjectProperty ; + rdfs:comment "Specifies the algorithm used for calculating the hash value."@en ; + rdfs:range ns1:HashAlgorithm . + +ns1:hashValue a owl:DatatypeProperty ; + rdfs:comment "The result of applying a hash algorithm to an Element."@en ; + rdfs:range xsd:string . 
+ +ns1:suppliedBy a owl:ObjectProperty ; + rdfs:comment """Identifies who or what supplied the artifact or VulnAssessmentRelationship +referenced by the Element."""@en ; + rdfs:range ns1:Agent . + +ns1:verifiedUsing a owl:ObjectProperty ; + rdfs:comment """Provides an IntegrityMethod with which the integrity of an Element can be +asserted."""@en ; + rdfs:range ns1:IntegrityMethod . + +ns6:IndividualLicensingInfo a owl:Class ; + rdfs:comment """A concrete subclass of AnyLicenseInfo used by Individuals in the +ExpandedLicensing profile."""@en ; + rdfs:subClassOf ; + sh:nodeKind sh:IRI . + +ns6:deprecatedVersion a owl:DatatypeProperty ; + rdfs:comment """Specifies the SPDX License List version in which this license or exception +identifier was deprecated."""@en ; + rdfs:range xsd:string . + +ns6:licenseXml a owl:DatatypeProperty ; + rdfs:comment """Identifies all the text and metadata associated with a license in the license +XML format."""@en ; + rdfs:range xsd:string . + +ns6:listVersionAdded a owl:DatatypeProperty ; + rdfs:comment """Specifies the SPDX License List version in which this ListedLicense or +ListedLicenseException identifier was first added."""@en ; + rdfs:range xsd:string . + +ns6:member a owl:ObjectProperty ; + rdfs:comment "A license expression participating in a license set."@en ; + rdfs:range . + +ns6:obsoletedBy a owl:DatatypeProperty ; + rdfs:comment """Specifies the licenseId that is preferred to be used in place of a deprecated +License or LicenseAddition."""@en ; + rdfs:range xsd:string . + +ns6:seeAlso a owl:DatatypeProperty ; + rdfs:comment "Contains a URL where the License or LicenseAddition can be found in use."@en ; + rdfs:range xsd:anyURI . 
+ + a owl:Class, + sh:NodeShape ; + rdfs:comment "A property name with an associated value."@en ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:property [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ] . + + a owl:NamedIndividual, + ns2:CvssSeverityType ; + rdfs:label "critical" ; + rdfs:comment "When a CVSS score is between 9.0 - 10.0"@en . + + a owl:NamedIndividual, + ns2:CvssSeverityType ; + rdfs:label "high" ; + rdfs:comment "When a CVSS score is between 7.0 - 8.9"@en . + + a owl:NamedIndividual, + ns2:CvssSeverityType ; + rdfs:label "low" ; + rdfs:comment "When a CVSS score is between 0.1 - 3.9"@en . + + a owl:NamedIndividual, + ns2:CvssSeverityType ; + rdfs:label "medium" ; + rdfs:comment "When a CVSS score is between 4.0 - 6.9"@en . + + a owl:NamedIndividual, + ns2:CvssSeverityType ; + rdfs:label "none" ; + rdfs:comment "When a CVSS score is 0.0"@en . + +ns2:modifiedTime a owl:DatatypeProperty ; + rdfs:comment "Specifies a time when a vulnerability assessment was modified"@en ; + rdfs:range xsd:dateTimeStamp . + +ns2:publishedTime a owl:DatatypeProperty ; + rdfs:comment "Specifies the time when a vulnerability was published."@en ; + rdfs:range xsd:dateTimeStamp . + +ns2:severity a owl:ObjectProperty ; + rdfs:comment "Specifies the CVSS qualitative severity rating of a vulnerability in relation to a piece of software."@en ; + rdfs:range ns2:CvssSeverityType . + +ns2:withdrawnTime a owl:DatatypeProperty ; + rdfs:comment "Specified the time and date when a vulnerability was withdrawn."@en ; + rdfs:range xsd:dateTimeStamp . + + a owl:DatatypeProperty ; + rdfs:comment "Identifies the full text of a License or Addition."@en ; + rdfs:range xsd:string . 
+ +ns3:ContentIdentifier a owl:Class, + sh:NodeShape ; + rdfs:comment "A canonical, unique, immutable identifier"@en ; + rdfs:subClassOf ns1:IntegrityMethod ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:property [ sh:class ns3:ContentIdentifierType ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns3:contentIdentifierType ], + [ sh:datatype xsd:anyURI ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns3:contentIdentifierValue ] . + +ns3:File a owl:Class, + sh:NodeShape ; + rdfs:comment "Refers to any object that stores content on a computer."@en ; + rdfs:subClassOf ns3:SoftwareArtifact ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:contentType ; + sh:pattern "^[^\\/]+\\/[^\\/]+$" ], + [ sh:class ns3:FileKindType ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns3:fileKind ] . + +ns3:Package a owl:Class, + sh:NodeShape ; + rdfs:comment """Refers to any unit of content that can be associated with a distribution of +software."""@en ; + rdfs:subClassOf ns3:SoftwareArtifact ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns3:sourceInfo ], + [ sh:datatype xsd:anyURI ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns3:homePage ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns3:packageVersion ], + [ sh:datatype xsd:anyURI ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns3:packageUrl ], + [ sh:datatype xsd:anyURI ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns3:downloadLocation ] . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "application" ; + rdfs:comment "The Element is a software application."@en . 
+ + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "archive" ; + rdfs:comment "The Element is an archived collection of one or more files (.tar, .zip, etc.)."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "bom" ; + rdfs:comment "The Element is a bill of materials."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "configuration" ; + rdfs:comment "The Element is configuration data."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "container" ; + rdfs:comment "The Element is a container image which can be used by a container runtime application."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "data" ; + rdfs:comment "The Element is data."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "device" ; + rdfs:comment "The Element refers to a chipset, processor, or electronic board."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "deviceDriver" ; + rdfs:comment "The Element represents software that controls hardware devices."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "diskImage" ; + rdfs:comment "The Element refers to a disk image that can be written to a disk, booted in a VM, etc. A disk image typically contains most or all of the components necessary to boot, such as bootloaders, kernels, firmware, userspace, etc."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "documentation" ; + rdfs:comment "The Element is documentation."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "evidence" ; + rdfs:comment "The Element is the evidence that a specification or requirement has been fulfilled."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "executable" ; + rdfs:comment "The Element is an Artifact that can be run on a computer."@en . 
+ + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "file" ; + rdfs:comment "The Element is a single file which can be independently distributed (configuration file, statically linked binary, Kubernetes deployment, etc.)."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "filesystemImage" ; + rdfs:comment "The Element is a file system image that can be written to a disk (or virtual) partition."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "firmware" ; + rdfs:comment "The Element provides low level control over a device's hardware."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "framework" ; + rdfs:comment "The Element is a software framework."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "install" ; + rdfs:comment "The Element is used to install software on disk."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "library" ; + rdfs:comment "The Element is a software library."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "manifest" ; + rdfs:comment "The Element is a software manifest."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "model" ; + rdfs:comment "The Element is a machine learning or artificial intelligence model."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "module" ; + rdfs:comment "The Element is a module of a piece of software."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "operatingSystem" ; + rdfs:comment "The Element is an operating system."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "other" ; + rdfs:comment "The Element doesn't fit into any of the other categories."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "patch" ; + rdfs:comment "The Element contains a set of changes to update, fix, or improve another Element."@en . 
+ + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "platform" ; + rdfs:comment "The Element represents a runtime environment."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "requirement" ; + rdfs:comment "The Element provides a requirement needed as input for another Element."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "source" ; + rdfs:comment "The Element is a single or a collection of source files."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "specification" ; + rdfs:comment "The Element is a plan, guideline or strategy how to create, perform or analyze an application."@en . + + a owl:NamedIndividual, + ns3:SoftwarePurpose ; + rdfs:label "test" ; + rdfs:comment "The Element is a test used to verify functionality on an software element."@en . + +ns1:ElementCollection a owl:Class, + sh:NodeShape ; + rdfs:comment "A collection of Elements, not necessarily with unifying context."@en ; + rdfs:subClassOf ns1:Element ; + sh:nodeKind sh:IRI ; + sh:property [ sh:class ns1:Element ; + sh:nodeKind sh:IRI ; + sh:path ns1:element ], + [ sh:class ns1:Element ; + sh:nodeKind sh:IRI ; + sh:path ns1:rootElement ], + [ sh:message "https://spdx.org/rdf/3.0.1/terms/Core/ElementCollection is an abstract class and should not be instantiated directly. Instantiate a subclass instead."@en ; + sh:not [ sh:hasValue ns1:ElementCollection ] ; + sh:path rdf:type ], + [ sh:class ns1:ProfileIdentifierType ; + sh:in ( ) ; + sh:nodeKind sh:IRI ; + sh:path ns1:profileConformance ] . + + a owl:NamedIndividual, + ns1:PresenceType ; + rdfs:label "no" ; + rdfs:comment "Indicates absence of the field."@en . + + a owl:NamedIndividual, + ns1:PresenceType ; + rdfs:label "noAssertion" ; + rdfs:comment "Makes no assertion about the field."@en . + + a owl:NamedIndividual, + ns1:PresenceType ; + rdfs:label "yes" ; + rdfs:comment "Indicates presence of the field."@en . 
+ +ns1:contentType a owl:DatatypeProperty ; + rdfs:comment "Provides information about the content type of an Element or a Property."@en ; + rdfs:range xsd:string . + +ns2:score a owl:DatatypeProperty ; + rdfs:comment "Provides a numerical (0-10) representation of the severity of a vulnerability."@en ; + rdfs:range xsd:decimal . + +ns2:vectorString a owl:DatatypeProperty ; + rdfs:comment "Specifies the CVSS vector string for a vulnerability."@en ; + rdfs:range xsd:string . + +ns1:AnnotationType a owl:Class ; + rdfs:comment "Specifies the type of an annotation."@en . + +ns1:PositiveIntegerRange a owl:Class, + sh:NodeShape ; + rdfs:comment "A tuple of two positive integers that define a range."@en ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:property [ sh:datatype xsd:positiveInteger ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:endIntegerRange ], + [ sh:datatype xsd:positiveInteger ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:beginIntegerRange ] . + + a owl:Class ; + rdfs:comment "A characterization of some aspect of an Element that is associated with the Element in a generalized fashion."@en ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:property [ sh:message "https://spdx.org/rdf/3.0.1/terms/Extension/Extension is an abstract class and should not be instantiated directly. Instantiate a subclass instead."@en ; + sh:not [ sh:hasValue ] ; + sh:path rdf:type ] . + +ns2:ExploitCatalogType a owl:Class ; + rdfs:comment "Specifies the exploit catalog type."@en . + +ns3:ContentIdentifierType a owl:Class ; + rdfs:comment "Specifies the type of a content identifier."@en . + +ns3:FileKindType a owl:Class ; + rdfs:comment "Enumeration of the different kinds of SPDX file."@en . + +ns5:EnergyUnitType a owl:Class ; + rdfs:comment "Specifies the unit of energy consumption."@en . 
+ +ns1:Artifact a owl:Class, + sh:NodeShape ; + rdfs:comment "A distinct article or unit within the digital domain."@en ; + rdfs:subClassOf ns1:Element ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:string ; + sh:nodeKind sh:Literal ; + sh:path ns1:standardName ], + [ sh:datatype xsd:dateTimeStamp ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:builtTime ; + sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ], + [ sh:datatype xsd:dateTimeStamp ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:releaseTime ; + sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ], + [ sh:class ns1:SupportType ; + sh:in ( ) ; + sh:nodeKind sh:IRI ; + sh:path ns1:supportLevel ], + [ sh:class ns1:Agent ; + sh:maxCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns1:suppliedBy ], + [ sh:class ns1:Agent ; + sh:nodeKind sh:IRI ; + sh:path ns1:originatedBy ], + [ sh:message "https://spdx.org/rdf/3.0.1/terms/Core/Artifact is an abstract class and should not be instantiated directly. Instantiate a subclass instead."@en ; + sh:not [ sh:hasValue ns1:Artifact ] ; + sh:path rdf:type ], + [ sh:datatype xsd:dateTimeStamp ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:validUntilTime ; + sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ] . + +ns1:RelationshipCompleteness a owl:Class ; + rdfs:comment "Indicates whether a relationship is known to be complete, incomplete, or if no assertion is made with respect to relationship completeness."@en . + +ns1:SpdxOrganization a owl:NamedIndividual, + ns1:Organization ; + rdfs:comment "An Organization representing the SPDX Project."@en ; + owl:sameAs ; + ns1:creationInfo . + +ns1:comment a owl:DatatypeProperty ; + rdfs:comment """Provide consumers with comments by the creator of the Element about the +Element."""@en ; + rdfs:range xsd:string . 
+ +ns6:ExtendableLicense a owl:Class ; + rdfs:comment "Abstract class representing a License or an OrLaterOperator."@en ; + rdfs:subClassOf ; + sh:nodeKind sh:IRI ; + sh:property [ sh:message "https://spdx.org/rdf/3.0.1/terms/ExpandedLicensing/ExtendableLicense is an abstract class and should not be instantiated directly. Instantiate a subclass instead."@en ; + sh:not [ sh:hasValue ns6:ExtendableLicense ] ; + sh:path rdf:type ] . + +ns6:License a owl:Class, + sh:NodeShape ; + rdfs:comment "Abstract class for the portion of an AnyLicenseInfo representing a license."@en ; + rdfs:subClassOf ns6:ExtendableLicense ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:anyURI ; + sh:nodeKind sh:Literal ; + sh:path ns6:seeAlso ], + [ sh:datatype xsd:boolean ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns6:isDeprecatedLicenseId ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns6:obsoletedBy ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns6:standardLicenseHeader ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ], + [ sh:datatype xsd:boolean ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns6:isOsiApproved ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns6:licenseXml ], + [ sh:datatype xsd:boolean ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns6:isFsfLibre ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns6:standardLicenseTemplate ], + [ sh:message "https://spdx.org/rdf/3.0.1/terms/ExpandedLicensing/License is an abstract class and should not be instantiated directly. Instantiate a subclass instead."@en ; + sh:not [ sh:hasValue ns6:License ] ; + sh:path rdf:type ] . 
+ +ns6:LicenseAddition a owl:Class, + sh:NodeShape ; + rdfs:comment """Abstract class for additional text intended to be added to a License, but +which is not itself a standalone License."""@en ; + rdfs:subClassOf ns1:Element ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns6:additionText ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns6:obsoletedBy ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns6:licenseXml ], + [ sh:message "https://spdx.org/rdf/3.0.1/terms/ExpandedLicensing/LicenseAddition is an abstract class and should not be instantiated directly. Instantiate a subclass instead."@en ; + sh:not [ sh:hasValue ns6:LicenseAddition ] ; + sh:path rdf:type ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns6:standardAdditionTemplate ], + [ sh:datatype xsd:anyURI ; + sh:nodeKind sh:Literal ; + sh:path ns6:seeAlso ], + [ sh:datatype xsd:boolean ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns6:isDeprecatedAdditionId ] . + +ns2:VexVulnAssessmentRelationship a owl:Class, + sh:NodeShape ; + rdfs:comment "Abstract ancestor class for all VEX relationships"@en ; + rdfs:subClassOf ns2:VulnAssessmentRelationship ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:statusNotes ], + [ sh:message "https://spdx.org/rdf/3.0.1/terms/Security/VexVulnAssessmentRelationship is an abstract class and should not be instantiated directly. Instantiate a subclass instead."@en ; + sh:not [ sh:hasValue ns2:VexVulnAssessmentRelationship ] ; + sh:path rdf:type ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:vexVersion ] . 
+ +ns5:EnergyConsumptionDescription a owl:Class, + sh:NodeShape ; + rdfs:comment """The class that helps note down the quantity of energy consumption and the unit +used for measurement."""@en ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:property [ sh:datatype xsd:decimal ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns5:energyQuantity ], + [ sh:class ns5:EnergyUnitType ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns5:energyUnit ] . + +ns5:SafetyRiskAssessmentType a owl:Class ; + rdfs:comment "Specifies the safety risk level."@en . + +ns4:ConfidentialityLevelType a owl:Class ; + rdfs:comment "Categories of confidentiality level."@en . + +ns2:SsvcDecisionType a owl:Class ; + rdfs:comment "Specifies the SSVC decision type."@en . + +ns3:SoftwareArtifact a owl:Class, + sh:NodeShape ; + rdfs:comment "A distinct article or unit related to Software."@en ; + rdfs:subClassOf ns1:Artifact ; + sh:nodeKind sh:IRI ; + sh:property [ sh:class ns3:ContentIdentifier ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ns3:contentIdentifier ], + [ sh:datatype xsd:string ; + sh:nodeKind sh:Literal ; + sh:path ns3:attributionText ], + [ sh:class ns3:SoftwarePurpose ; + sh:in ( ) ; + sh:nodeKind sh:IRI ; + sh:path ns3:additionalPurpose ], + [ sh:class ns3:SoftwarePurpose ; + sh:in ( ) ; + sh:maxCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns3:primaryPurpose ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns3:copyrightText ], + [ sh:message "https://spdx.org/rdf/3.0.1/terms/Software/SoftwareArtifact is an abstract class and should not be instantiated directly. Instantiate a subclass instead."@en ; + sh:not [ sh:hasValue ns3:SoftwareArtifact ] ; + sh:path rdf:type ] . 
+ +ns1:CreationInfo a owl:Class, + sh:NodeShape ; + rdfs:comment "Provides information about the creation of the Element."@en ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:property [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:specVersion ; + sh:pattern "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" ], + [ sh:datatype xsd:dateTimeStamp ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:created ; + sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ], + [ sh:class ns1:Tool ; + sh:nodeKind sh:IRI ; + sh:path ns1:createdUsing ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:comment ], + [ sh:class ns1:Agent ; + sh:minCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns1:createdBy ] . + +ns1:IntegrityMethod a owl:Class, + sh:NodeShape ; + rdfs:comment "Provides an independently reproducible mechanism that permits verification of a specific Element."@en ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:property [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:comment ], + [ sh:message "https://spdx.org/rdf/3.0.1/terms/Core/IntegrityMethod is an abstract class and should not be instantiated directly. Instantiate a subclass instead."@en ; + sh:not [ sh:hasValue ns1:IntegrityMethod ] ; + sh:path rdf:type ] . + +ns4:DatasetAvailabilityType a owl:Class ; + rdfs:comment "Availability of dataset."@en . + +ns2:VexJustificationType a owl:Class ; + rdfs:comment "Specifies the VEX justification type."@en . + +ns1:LifecycleScopeType a owl:Class ; + rdfs:comment "Provide an enumerated set of lifecycle phases that can provide context to relationships."@en . 
+ +ns2:CvssSeverityType a owl:Class ; + rdfs:comment "Specifies the CVSS base, temporal, threat, or environmental severity type."@en . + +ns2:VulnAssessmentRelationship a owl:Class, + sh:NodeShape ; + rdfs:comment "Abstract ancestor class for all vulnerability assessments"@en ; + rdfs:subClassOf ns1:Relationship ; + sh:nodeKind sh:IRI ; + sh:property [ sh:class ns1:Agent ; + sh:maxCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns1:suppliedBy ], + [ sh:datatype xsd:dateTimeStamp ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:withdrawnTime ; + sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ], + [ sh:class ns3:SoftwareArtifact ; + sh:maxCount 1 ; + sh:nodeKind sh:IRI ; + sh:path ns2:assessedElement ], + [ sh:datatype xsd:dateTimeStamp ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:publishedTime ; + sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ], + [ sh:message "https://spdx.org/rdf/3.0.1/terms/Security/VulnAssessmentRelationship is an abstract class and should not be instantiated directly. Instantiate a subclass instead."@en ; + sh:not [ sh:hasValue ns2:VulnAssessmentRelationship ] ; + sh:path rdf:type ], + [ sh:datatype xsd:dateTimeStamp ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns2:modifiedTime ; + sh:pattern "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\dZ$" ] . + +ns3:SbomType a owl:Class ; + rdfs:comment """Provides a set of values to be used to describe the common types of SBOMs that +tools may create."""@en . + +ns1:PresenceType a owl:Class ; + rdfs:comment "Categories of presence or absence."@en . + +ns1:SupportType a owl:Class ; + rdfs:comment "Indicates the type of support that is associated with an artifact."@en . + +ns1:Agent a owl:Class ; + rdfs:comment "Agent represents anything with the potential to act on a system."@en ; + rdfs:subClassOf ns1:Element ; + sh:nodeKind sh:IRI . + +ns1:ProfileIdentifierType a owl:Class ; + rdfs:comment "Enumeration of the valid profiles."@en . 
+ + a owl:Class ; + rdfs:comment "Abstract class representing a license combination consisting of one or more licenses."@en ; + rdfs:subClassOf ns1:Element ; + sh:nodeKind sh:IRI ; + sh:property [ sh:message "https://spdx.org/rdf/3.0.1/terms/SimpleLicensing/AnyLicenseInfo is an abstract class and should not be instantiated directly. Instantiate a subclass instead."@en ; + sh:not [ sh:hasValue ] ; + sh:path rdf:type ] . + +ns1:ExternalIdentifierType a owl:Class ; + rdfs:comment "Specifies the type of an external identifier."@en . + +ns1:DictionaryEntry a owl:Class, + sh:NodeShape ; + rdfs:comment "A key with an associated value."@en ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:property [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:value ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:key ] . + +ns4:DatasetType a owl:Class ; + rdfs:comment "Enumeration of dataset types."@en . + +ns1:Element a owl:Class, + sh:NodeShape ; + rdfs:comment "Base domain class from which all other SPDX-3.0 domain classes derive."@en ; + sh:nodeKind sh:IRI ; + sh:property [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:description ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:comment ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:name ], + [ sh:class ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ns1:extension ], + [ sh:class ns1:CreationInfo ; + sh:maxCount 1 ; + sh:minCount 1 ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ns1:creationInfo ], + [ sh:class ns1:ExternalIdentifier ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ns1:externalIdentifier ], + [ sh:class ns1:ExternalRef ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ns1:externalRef ], + [ sh:datatype xsd:string ; + sh:maxCount 1 ; + sh:nodeKind sh:Literal ; + sh:path ns1:summary ], + [ sh:message 
"https://spdx.org/rdf/3.0.1/terms/Core/Element is an abstract class and should not be instantiated directly. Instantiate a subclass instead."@en ; + sh:not [ sh:hasValue ns1:Element ] ; + sh:path rdf:type ], + [ sh:class ns1:IntegrityMethod ; + sh:nodeKind sh:BlankNodeOrIRI ; + sh:path ns1:verifiedUsing ] . + +ns1:HashAlgorithm a owl:Class ; + rdfs:comment "A mathematical algorithm that maps data of arbitrary size to a bit string."@en . + +ns3:SoftwarePurpose a owl:Class ; + rdfs:comment "Provides information about the primary purpose of an Element."@en . + +ns1:ExternalRefType a owl:Class ; + rdfs:comment "Specifies the type of an external reference."@en . + +ns1:RelationshipType a owl:Class ; + rdfs:comment "Information about the relationship between two Elements."@en . diff --git a/src/main/java/org/spdx/tools/Verify.java b/src/main/java/org/spdx/tools/Verify.java index 80b4f75..68eda3a 100644 --- a/src/main/java/org/spdx/tools/Verify.java +++ b/src/main/java/org/spdx/tools/Verify.java @@ -29,6 +29,14 @@ import com.fasterxml.jackson.core.JsonParseException; +import org.apache.jena.graph.Graph; +import org.apache.jena.rdf.model.Model; +import org.apache.jena.rdf.model.ModelFactory; +import org.apache.jena.riot.Lang; +import org.apache.jena.riot.RDFDataMgr; +import org.apache.jena.shacl.ShaclValidator; +import org.apache.jena.shacl.ValidationReport; +import org.apache.jena.shacl.validation.ReportEntry; import org.spdx.core.CoreModelObject; import org.spdx.core.InvalidSPDXAnalysisException; import org.spdx.library.model.v2.Version; 
@@ -56,6 +64,7 @@ public class Verify {
 public static final String JSON_SCHEMA_RESOURCE_V2_3 = "resources/spdx-schema-v2.3.json";
 public static final String JSON_SCHEMA_RESOURCE_V2_2 = "resources/spdx-schema-v2.2.json";
 public static final String JSON_SCHEMA_RESOURCE_V3 = "resources/spdx-schema-v3.0.1.json";
+ public static final String SHACL_MODEL_RESOURCE_V3 = "resources/spdx-shacl-v3.0.1.ttl";
 static final ObjectMapper JSON_MAPPER = new ObjectMapper().enable(SerializationFeature.INDENT_OUTPUT);
@@ -192,6 +201,19 @@ public static List verify(String filePath, SerFileType fileType) throws
 }
 }
 if (SerFileType.JSONLD.equals(fileType)) {
+ Model shaclModel = ModelFactory.createDefaultModel();
+ try (InputStream is = Verify.class.getResourceAsStream("/" + SHACL_MODEL_RESOURCE_V3)) {
+ RDFDataMgr.read(shaclModel, is, Lang.TURTLE);
+ } catch (IOException e) {
+ retval.add("Unable to validate JSON file against schema due to I/O Error reading the SHACL file");
+ }
+ Graph dataGraph = RDFDataMgr.loadGraph(file.getPath(), Lang.JSONLD);
+ ValidationReport report = ShaclValidator.get().validate(shaclModel.getGraph(), dataGraph);
+ if (!report.conforms()) {
+ for (ReportEntry entry : report.getEntries()) {
+ retval.add(entry.toString());
+ }
+ }
 //TODO: Implement verification against the OWL schema
 }
 List verify;
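Review bot: The SHACL step added to the `SerFileType.JSONLD` branch can fail open or abort instead of reporting: `getResourceAsStream` returns null when the shapes file is not on the classpath, and after the `IOException` catch the code still validates against a `shaclModel` that may be empty, which trivially conforms. Jena reports parse failures as the unchecked `RiotException`, so a malformed shapes file or input document would not become a `retval` entry here unless a handler exists in the part of `verify` outside this hunk. I would check the stream for null, catch `RiotException` (which needs an import of `org.apache.jena.riot.RiotException`) around both reads, and skip validation when the shapes did not load; the existing message also says "JSON file against schema" although this is the SHACL check. Because the document being verified is untrusted input, it is also worth confirming that the JSON-LD reader cannot be made to fetch a remote `@context` named by that document.

```java
Model shaclModel = ModelFactory.createDefaultModel();
boolean shapesLoaded = false;
try (InputStream is = Verify.class.getResourceAsStream("/" + SHACL_MODEL_RESOURCE_V3)) {
    if (is == null) {
        retval.add("SHACL shapes resource " + SHACL_MODEL_RESOURCE_V3 + " was not found; SHACL validation was not run");
    } else {
        RDFDataMgr.read(shaclModel, is, Lang.TURTLE);
        shapesLoaded = true;
    }
} catch (IOException | RiotException e) {
    retval.add("Unable to load the SHACL shapes; SHACL validation was not run: " + e.getMessage());
}
if (shapesLoaded) {
    try {
        Graph dataGraph = RDFDataMgr.loadGraph(file.getPath(), Lang.JSONLD);
        // … unchanged: ShaclValidator call and report-entry loop …
    } catch (RiotException e) {
        retval.add("Unable to parse the JSON-LD file for SHACL validation: " + e.getMessage());
    }
}
// … unchanged: TODO comment for the OWL schema check …
```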