unplugged-system/external/spdx-tools/examples/sample-docs/yaml/SPDXYAMLExample-2.3.spdx.yaml

SPDXID: SPDXRef-DOCUMENT
annotations:
- annotationDate: "2010-01-29T18:30:22Z"
  annotationType: OTHER
  annotator: 'Person: Jane Doe ()'
  comment: Document level annotation
- annotationDate: "2010-02-10T00:00:00Z"
  annotationType: REVIEW
  annotator: 'Person: Joe Reviewer'
  comment: This is just an example.  Some of the non-standard licenses look like they
    are actually BSD 3 clause licenses
- annotationDate: "2011-03-13T00:00:00Z"
  annotationType: REVIEW
  annotator: 'Person: Suzanne Reviewer'
  comment: Another example reviewer.
comment: This document was created using SPDX 2.0 using licenses from the web site.
creationInfo:
  comment: |-
    This package has been shipped in source and binary form.
    The binaries were created with gcc 4.5.1 and expect to link to
    compatible system run time libraries.
  created: "2010-01-29T18:30:22Z"
  creators:
  - 'Tool: LicenseFind-1.0'
  - 'Organization: ExampleCodeInspect ()'
  - 'Person: Jane Doe ()'
  licenseListVersion: "3.9"
dataLicense: CC0-1.0
documentNamespace: http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301
externalDocumentRefs:
- checksum:
    algorithm: SHA1
    checksumValue: d6a770ba38583ed4bb4525bd96e50461655d2759
  externalDocumentId: DocumentRef-spdx-tool-1.2
  spdxDocument: http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301
files:
- SPDXID: SPDXRef-DoapSource
  checksums:
  - algorithm: SHA1
    checksumValue: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
  copyrightText: Copyright 2010, 2011 Source Auditor Inc.
  fileContributors:
  - Protecode Inc.
  - SPDX Technical Team Members
  - Open Logic Inc.
  - Source Auditor Inc.
  - Black Duck Software In.c
  fileName: ./src/org/spdx/parser/DOAPProject.java
  fileTypes:
  - SOURCE
  licenseConcluded: Apache-2.0
  licenseInfoInFiles:
  - Apache-2.0
- SPDXID: SPDXRef-CommonsLangSrc
  checksums:
  - algorithm: SHA1
    checksumValue: c2b4e1c67a2d28fced849ee1bb76e7391b93f125
  comment: This file is used by Jena
  copyrightText: Copyright 2001-2011 The Apache Software Foundation
  fileContributors:
  - Apache Software Foundation
  fileName: ./lib-source/commons-lang3-3.1-sources.jar
  fileTypes:
  - ARCHIVE
  licenseConcluded: Apache-2.0
  licenseInfoInFiles:
  - Apache-2.0
  noticeText: |-
    Apache Commons Lang
    Copyright 2001-2011 The Apache Software Foundation

    This product includes software developed by
    The Apache Software Foundation (http://www.apache.org/).

    This product includes software from the Spring Framework,
    under the Apache License 2.0 (see: StringUtils.containsWhitespace())
- SPDXID: SPDXRef-JenaLib
  checksums:
  - algorithm: SHA1
    checksumValue: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125
  comment: This file belongs to Jena
  copyrightText: (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
    2009 Hewlett-Packard Development Company, LP
  fileContributors:
  - Apache Software Foundation
  - Hewlett Packard Inc.
  fileName: ./lib-source/jena-2.6.3-sources.jar
  fileTypes:
  - ARCHIVE
  licenseComments: This license is used by Jena
  licenseConcluded: LicenseRef-1
  licenseInfoInFiles:
  - LicenseRef-1
- SPDXID: SPDXRef-File
  annotations:
  - annotationDate: "2011-01-29T18:30:22Z"
    annotationType: OTHER
    annotator: 'Person: File Commenter'
    comment: File level annotation
  checksums:
  - algorithm: SHA1
    checksumValue: d6a770ba38583ed4bb4525bd96e50461655d2758
  - algorithm: MD5
    checksumValue: 624c1abb3664f4b35547e7c73864ad24
  comment: |-
    The concluded license was taken from the package level that the file was included in.
    This information was found in the COPYING.txt file in the xyz directory.
  copyrightText: Copyright 2008-2010 John Smith
  fileContributors:
  - The Regents of the University of California
  - Modified by Paul Mundt lethal@linux-sh.org
  - IBM Corporation
  fileName: ./package/foo.c
  fileTypes:
  - SOURCE
  licenseComments: The concluded license was taken from the package level that the
    file was included in.
  licenseConcluded: (LGPL-2.0-only OR LicenseRef-2)
  licenseInfoInFiles:
  - GPL-2.0-only
  - LicenseRef-2
  noticeText: "Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com\n\nPermission is
    hereby granted, free of charge, to any person obtaining a copy of this software
    and associated documentation files (the <20>Software<72>), to deal in the Software without
    restriction, including without limitation the rights to use, copy, modify, merge,
    publish, distribute, sublicense, and/or sell copies of the Software, and to permit
    persons to whom the Software is furnished to do so, subject to the following conditions:
    \nThe above copyright notice and this permission notice shall be included in all
    copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED <20>AS
    IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED
    TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
    \ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
    DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
    ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
    IN THE SOFTWARE."
hasExtractedLicensingInfos:
- extractedText: |-
    /*
     * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP
     * All rights reserved.
     *
     * Redistribution and use in source and binary forms, with or without
     * modification, are permitted provided that the following conditions
     * are met:
     * 1. Redistributions of source code must retain the above copyright
     *    notice, this list of conditions and the following disclaimer.
     * 2. Redistributions in binary form must reproduce the above copyright
     *    notice, this list of conditions and the following disclaimer in the
     *    documentation and/or other materials provided with the distribution.
     * 3. The name of the author may not be used to endorse or promote products
     *    derived from this software without specific prior written permission.
     *
     * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
     * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
     * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
     * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
     * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
     * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
     * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
     * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    */
  licenseId: LicenseRef-1
- extractedText: "This package includes the GRDDL parser developed by Hewlett Packard
    under the following license:\n<> Copyright 2007 Hewlett-Packard Development Company,
    LP\n\nRedistribution and use in source and binary forms, with or without modification,
    are permitted provided that the following conditions are met: \n\nRedistributions
    of source code must retain the above copyright notice, this list of conditions
    and the following disclaimer. \nRedistributions in binary form must reproduce
    the above copyright notice, this list of conditions and the following disclaimer
    in the documentation and/or other materials provided with the distribution. \nThe
    name of the author may not be used to endorse or promote products derived from
    this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED
    BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
    NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
    INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
    BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
    DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
    LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
    OF THE POSSIBILITY OF SUCH DAMAGE."
  licenseId: LicenseRef-2
- extractedText: |-
    /*
     * (c) Copyright 2009 University of Bristol
     * All rights reserved.
     *
     * Redistribution and use in source and binary forms, with or without
     * modification, are permitted provided that the following conditions
     * are met:
     * 1. Redistributions of source code must retain the above copyright
     *    notice, this list of conditions and the following disclaimer.
     * 2. Redistributions in binary form must reproduce the above copyright
     *    notice, this list of conditions and the following disclaimer in the
     *    documentation and/or other materials provided with the distribution.
     * 3. The name of the author may not be used to endorse or promote products
     *    derived from this software without specific prior written permission.
     *
     * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
     * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
     * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
     * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
     * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
     * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
     * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
     * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    */
  licenseId: LicenseRef-4
- comment: The beerware license has a couple of other standard variants.
  extractedText: |-
    "THE BEER-WARE LICENSE" (Revision 42):
    phk@FreeBSD.ORG wrote this file. As long as you retain this notice you
    can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp
  licenseId: LicenseRef-Beerware-4.2
  name: Beer-Ware License (Version 42)
  seeAlsos:
  - http://people.freebsd.org/~phk/
- comment: This is tye CyperNeko License
  extractedText: "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright
    2002-2005, Andy Clark.  All rights reserved.\n \nRedistribution and use in source
    and binary forms, with or without\nmodification, are permitted provided that the
    following conditions\nare met:\n\n1. Redistributions of source code must retain
    the above copyright\n   notice, this list of conditions and the following disclaimer.
    \n\n2. Redistributions in binary form must reproduce the above copyright\n   notice,
    this list of conditions and the following disclaimer in\n   the documentation
    and/or other materials provided with the\n   distribution.\n\n3. The end-user
    documentation included with the redistribution,\n   if any, must include the following
    acknowledgment:  \n     \"This product includes software developed by Andy Clark.\"\n
    \  Alternately, this acknowledgment may appear in the software itself,\n   if
    and wherever such third-party acknowledgments normally appear.\n\n4. The names
    \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n   or promote products
    derived from this software without prior \n   written permission. For written
    permission, please contact \n   andyc@cyberneko.net.\n\n5. Products derived from
    this software may not be called \"CyberNeko\",\n   nor may \"CyberNeko\" appear
    in their name, without prior written\n   permission of the author.\n\nTHIS SOFTWARE
    IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT
    NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    PURPOSE ARE\nDISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE
    LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL
    DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES;
    LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND
    ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
    NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
    \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
  licenseId: LicenseRef-3
  name: CyberNeko License
  seeAlsos:
  - http://people.apache.org/~andyc/neko/LICENSE
  - http://justasample.url.com
name: SPDX-Tools-v2.0
packages:
- SPDXID: SPDXRef-Package
  annotations:
  - annotationDate: "2011-01-29T18:30:22Z"
    annotationType: OTHER
    annotator: 'Person: Package Commenter'
    comment: Package level annotation
  attributionTexts:
  - The GNU C Library is free software.  See the file COPYING.LIB for copying conditions,
    and LICENSES for notices about a few contributions that require these additional
    notices to be distributed.  License copyright years may be listed using range
    notation, e.g., 1996-2015, indicating that every year in the range, inclusive,
    is a copyrightable year that would otherwise be listed individually.
  checksums:
  - algorithm: MD5
    checksumValue: 624c1abb3664f4b35547e7c73864ad24
  - algorithm: SHA1
    checksumValue: 85ed0817af83a24ad8da68c2b5094de69833983c
  - algorithm: SHA256
    checksumValue: 11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd
  copyrightText: Copyright 2008-2010 John Smith
  description: The GNU C Library defines functions that are specified by the ISO C
    standard, as well as additional features specific to POSIX and other derivatives
    of the Unix operating system, and extensions specific to GNU systems.
  downloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz
  externalRefs:
  - comment: ""
    referenceCategory: SECURITY
    referenceLocator: cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*
    referenceType: cpe23Type
  - comment: This is the external ref for Acme
    referenceCategory: OTHER
    referenceLocator: acmecorp/acmenator/4.1.3-alpha
    referenceType: http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge
  filesAnalyzed: true
  homepage: http://ftp.gnu.org/gnu/glibc
  licenseComments: The license for this project changed with the release of version
    x.y.  The version of the project included here post-dates the license change.
  licenseConcluded: (LGPL-2.0-only OR LicenseRef-3)
  licenseDeclared: (LGPL-2.0-only AND LicenseRef-3)
  licenseInfoFromFiles:
  - GPL-2.0-only
  - LicenseRef-2
  - LicenseRef-1
  name: glibc
  originator: 'Organization: ExampleCodeInspect (contact@example.com)'
  packageFileName: glibc-2.11.1.tar.gz
  packageVerificationCode:
    packageVerificationCodeExcludedFiles:
    - ./package.spdx
    packageVerificationCodeValue: d6a770ba38583ed4bb4525bd96e50461655d2758
  sourceInfo: uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.
  summary: GNU C library.
  supplier: 'Person: Jane Doe (jane.doe@example.com)'
  versionInfo: 2.11.1
- SPDXID: SPDXRef-fromDoap-1
  copyrightText: NOASSERTION
  downloadLocation: NOASSERTION
  homepage: http://commons.apache.org/proper/commons-lang/
  licenseConcluded: NOASSERTION
  licenseDeclared: NOASSERTION
  name: Apache Commons Lang
- SPDXID: SPDXRef-fromDoap-0
  copyrightText: NOASSERTION
  downloadLocation: https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz
  externalRefs:
  - comment: ""
    referenceCategory: PACKAGE_MANAGER
    referenceLocator: pkg:maven/org.apache.jena/apache-jena@3.12.0
    referenceType: purl
  homepage: http://www.openjena.org/
  licenseConcluded: NOASSERTION
  licenseDeclared: NOASSERTION
  name: Jena
  versionInfo: 3.12.0
- SPDXID: SPDXRef-Saxon
  checksums:
  - algorithm: SHA1
    checksumValue: 85ed0817af83a24ad8da68c2b5094de69833983c
  copyrightText: Copyright Saxonica Ltd
  description: The Saxon package is a collection of tools for processing XML documents.
  downloadLocation: https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download
  homepage: http://saxon.sourceforge.net/
  licenseComments: Other versions available for a commercial license
  licenseConcluded: MPL-1.0
  licenseDeclared: MPL-1.0
  name: Saxon
  packageFileName: saxonB-8.8.zip
  versionInfo: "8.8"
- SPDXID: SPDXRef-CentOS-7
  builtDate: "2021-09-15T02:38:00Z"
  copyrightText: NOASSERTION
  description: The CentOS container used to run the application.
  downloadLocation: NOASSERTION
  homepage: https://www.centos.org/
  name: centos
  packageFileName: saxonB-8.8.zip
  primaryPackagePurpose: CONTAINER
  releaseDate: "2021-10-15T02:38:00Z"
  validUntilDate: "2022-10-15T02:38:00Z"
  versionInfo: centos7.9.2009
relationships:
- comment: A relationship comment
  relatedSpdxElement: SPDXRef-Package
  relationshipType: CONTAINS
  spdxElementId: SPDXRef-DOCUMENT
- relatedSpdxElement: DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement
  relationshipType: COPY_OF
  spdxElementId: SPDXRef-DOCUMENT
- relatedSpdxElement: SPDXRef-File
  relationshipType: DESCRIBES
  spdxElementId: SPDXRef-DOCUMENT
- relatedSpdxElement: SPDXRef-Package
  relationshipType: DESCRIBES
  spdxElementId: SPDXRef-DOCUMENT
- relatedSpdxElement: SPDXRef-JenaLib
  relationshipType: CONTAINS
  spdxElementId: SPDXRef-Package
- relatedSpdxElement: SPDXRef-Saxon
  relationshipType: DYNAMIC_LINK
  spdxElementId: SPDXRef-Package
- relatedSpdxElement: NOASSERTION
  relationshipType: GENERATED_FROM
  spdxElementId: SPDXRef-CommonsLangSrc
- relatedSpdxElement: SPDXRef-Package
  relationshipType: CONTAINS
  spdxElementId: SPDXRef-JenaLib
- relatedSpdxElement: SPDXRef-fromDoap-0
  relationshipType: GENERATED_FROM
  spdxElementId: SPDXRef-File
snippets:
- SPDXID: SPDXRef-Snippet
  comment: This snippet was identified as significant and highlighted in this Apache-2.0
    file, when a commercial scanner identified it as being derived from file foo.c
    in package xyz which is licensed under GPL-2.0.
  copyrightText: Copyright 2008-2010 John Smith
  licenseComments: The concluded license was taken from package xyz, from which the
    snippet was copied into the current file. The concluded license information was
    found in the COPYING.txt file in package xyz.
  licenseConcluded: GPL-2.0-only
  licenseInfoInSnippets:
  - GPL-2.0-only
  name: from linux kernel
  ranges:
  - endPointer:
      offset: 420
      reference: SPDXRef-DoapSource
    startPointer:
      offset: 310
      reference: SPDXRef-DoapSource
  - endPointer:
      lineNumber: 23
      reference: SPDXRef-DoapSource
    startPointer:
      lineNumber: 5
      reference: SPDXRef-DoapSource
  snippetFromFile: SPDXRef-DoapSource
spdxVersion: SPDX-2.2