| SPDX § | SPDX tag | SPDX RDF property | SPDX cardinality | SWID attribute | SWID cardinality | Category | Baseline element ref. | Notes |
|---|---|---|---|---|---|---|---|---|
| 2.1 | SPDXVersion: | spdx:specVersion | 1 | XML Namespace | 1 | SBOM Metadata | | The schema that applies in SWID is embedded in the namespace (something SPDX should probably do with SPDX XML). |
| 2.11 | DocumentComment: | rdfs:comment | optional | (as an XML comment) | optional | Description | | |
| 2.2 | DataLicense: | spdx:dataLicense | 1 | | | SBOM Metadata | | No equivalent concept. |
| 2.3 | SPDXID: | spdx:SpdxDocument | 1 | | | SBOM Metadata | 2.2.6 UniqueIdentifier | |
| 2.4 | DocumentName: | spdx:name | 1 | @tagID | 1 | SBOM Metadata | | BOM's name. |
| 2.5 | DocumentNamespace: | rdf:about | 1 | @tagID | 1 | SBOM Metadata | | Document namespace is @tagID + @tagversion. |
| 2.6 | ExternalDocumentRef: | spdx:externalDocumentId | 0-1 | @href | 1 | Mapping | | Modeled after an HTML link (any valid URI). |
| 2.8 | Creator: | spdx:creator | 1 | @role (tagCreator), @name | 1 | SBOM Provenance | 2.2.1 AuthorName | |
| 2.8 | Creator: Tool/Person/ | | | @role (tagCreator), @regid | 0-1 | SBOM Provenance | | |
| 2.8 | Creator: Tool/Person/ | | | @generator | | SBOM Provenance | | The software that created the tag. |
| 2.9 | Created: | spdx:created | 1 | | | SBOM Provenance | | No equivalent concept; version? XML signing with a trusted time stamp server. |
| 3.1 | PackageName: | spdx:name | 1 | @name | | Component Identity - MVI | 2.2.4 ComponentName | |
| 3.1 | PackageName: | spdx:name | 1 | / @name | | Component Info | | |
| 3.11 | PackageHomePage: | doap:homepage | optional | | | Description | | |
| 3.12 | PackageSourceInfo: | spdx:sourceInfo | optional | | | Component Info | | |
| 3.13 | PackageLicenseConcluded: | spdx:licenseConcluded | 1 | | | IP related | | |
| 3.14 | PackageLicenseInfoFromFiles: | spdx:licenseInfoFromFiles | 1+ | | | IP related | | |
| 3.15 | PackageLicenseDeclared: | spdx:licenseDeclared | 1 | | | IP related | | |
| 3.16 | PackageLicenseComment: | spdx:licenseComments | optional | | | IP related | | |
| 3.17 | PackageCopyrightText: | spdx:copyrightText | 1 | | | IP related | | |
| 3.18 | PackageSummary: | | optional | @summary | | Description | | A short description of the product. |
| 3.19 | PackageDescription: | spdx:description | optional | @description | | Description | | Detailed description of the software. |
| 3.2 | SPDXID: | spdx:SpdxDocument | 1 | @tagID | | Component Identity - MVI | 2.2.6 UniqueIdentifier | |
| 3.2 | PackageComment: | rdfs:comment | optional | (as an XML comment) | | Description | | |
| 3.21 | ExternalRef: | spdx:externalRef | optional | | | Mapping | | |
| 3.22 | ExternalRefComment: | rdfs:comment | optional | | | Mapping | | |
| 3.3 | PackageVersion: | spdx:versionInfo | optional | @version | optional | Component Identity? | 2.2.5 VersionString | |
| 3.4 | PackageFileName: | spdx:packageFileName | optional | /../ @name | | Component Info | | Note: SWID has a path separator. |
| 3.5 | PackageSupplier: | spdx:supplier | optional | @role (softwareCreator/publisher), @name | optional | Component Identity - MVI | 2.2.2 PackageSupplier | |
| 3.6 | PackageOriginator: | spdx:originator | optional | | | Component Info | | |
| 3.7 | PackageDownloadLocation: | spdx:downloadLocation | 1 | | | Component Info | | Software provenance? |
| 3.8 | FilesAnalyzed: | spdx:filesAnalyzed | optional | | | Component Info | | Software provenance? |
| 3.9 | PackageVerificationCode: ** | spdx:packageVerificationCodeValue | 1 | | | Component Identity? | | Software provenance? |
| 4.1 | FileName: | spdx:fileName | 1 | /../ @name | 1 | Component Info | | Payload has directories, subdirectories, files, registry keys. |
| 4.12 | FileComment: | rdfs:comment | optional | XML comment | | Description | | |
| 4.13 | FileNotice: | spdx:noticeText | optional | | | IP related | | |
| 4.14 | FileContributor: | spdx:fileContributor | optional | | | Description | | |
| 4.2 | SPDXID: | spdx:SpdxDocument | 1 | | | Component Info | | |
| 4.3 | FileType: | spdx:fileType | optional | | | Description | | |
| 4.4 | FileChecksum: | spdx:Checksum | 1+ | /../ @[hash-algorithm]:hash | 0-more | Component Info | 2.2.5 ComponentHash | E.g. sha256:hash, where xmlns:sha256="http://www.w3.org/2001/04/xmlenc#sha256" (from https://www.w3.org/TR/xmlsec-algorithms/#sha). |
| 4.5 | LicenseConcluded: | spdx:licenseConcluded | 1 | | | IP related | | |
| 4.6 | LicenseInfoInFile: | spdx:licenseInfoInFile | 1+ | | | IP related | | |
| 4.7 | LicenseComments: | spdx:licenseComments | optional | | | IP related | | |
| 4.8 | FileCopyrightText: | spdx:copyrightText | 1 | | | IP related | | |
| 5.1 | SnippetSPDXID: | spdx:SpdxDocument | 1 | | | Component Info | | Actual code snippet (e.g. from Stack Overflow). |
| 5.1 | SnippetName: | spdx:snippetName | optional | | | Component Info | | |
| 5.2 | SnippetFromFileSPDXID: | spdx:snippetFromFile | 1 | | | Component Info | | |
| 5.3 | SnippetByteRange: | spdx:byteRange | 1 | | | Component Info | | |
| 5.4 | SnippetLineRange | spdx:byteRange | 1 | | | Component Info | | |
| 5.5 | SnippetLicenseConcluded: | spdx:licenseConcluded | 1 | | | IP related | | |
| 5.6 | LicenseInfoInSnippet: | spdx:licenseInfoInSnippet | optional | | | IP related | | |
| 5.7 | SnippetLicenseComments: | spdx:licenseComments | optional | | | IP related | | |
| 5.8 | SnippetCopyrightText: | spdx:copyrightText | 1 | | | IP related | | |
| 5.9 | SnippetComment: | rdfs:comment | optional | | | IP related | | |
| 6.1 | LicenseID: | spdx:licenseID | 1 | | | IP related | | |
| 6.2 | ExtractedText: | spdx:extractedText | 1 | | | IP related | | |
| 6.3 | LicenseName: | spdx:licenseName | 1 | | | IP related | | |
| 6.4 | LicenseCrossReference | rdfs:seeAlso | optional | | | IP related | | |
| 6.5 | LicenseComment: | rdfs:comment | optional | | | IP related | | |
| 7.1 | Relationship: | spdx:Relationship | 1 | @rel, @href | 0+ | Mapping | 2.2.7 Relationship | See the Relationship tab for more mappings. |
| 7.2 | RelationshipComment: | rdfs:comment | optional | | | Mapping | | |
| 8.1 | Annotator: | spdx:annotator | 1 | | | Description | | |
| 8.2 | AnnotationDate | spdx:annotationDate | 1 | | | Description | | |
| 8.3 | AnnotationType | spdx:annotationType | 1 | | | Description | | |
| 8.4 | SPDXREF: | spdx:SpdxElement | 1 | | | Mapping | | |
| 8.5 | AnnotationComment | rdfs:comment | optional | | | Description | | |
| 2.10 | CreatorComment: | rdfs:comment | optional | XML comment | | Description | | |
| 3.10 | PackageChecksum: | spdx:checksum | optional | /../ @[hash-algorithm]:hash | 0-more | Component Identity? | 2.2.5 ComponentHash | |
| | | | | @versionScheme | optional | Component Info | | |
| | | | | /../ @version | optional | Component Info | | |
| | | | | @colloquialVersion | | Component Info | | Marketing version (e.g., Windows 10). |
| | | | | @edition | | Component Info | | Flavor of the software. |
| | | | | @persistentId | | Component Info | | Used to identify related products (e.g., an upgrade path); multiple products can have the same persistent id, e.g. a Windows Service Pack. |
| | | | | @product | | Component Info | | Base name of the product (e.g., Office, Creative Suite); marketing oriented. |
| | | | | @productFamily | | Component Info | | Example: server, client and host application. |
| | | | | @revision | | Component Info | | Marketing revision (e.g., RC1, SP1, Beta 1). |
| | | | | / @location | | Component Info | | |
| | | | | / @root | | Component Info | | |
| | | | | / @location | | Component Info | | |
| | | | | / @root | | Component Info | | |
| | | | | /../ @size | 1 | Description | | Used for quick comparison, by difference in size. |
| | | | | /../ @n8060:pathSeparator (where n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0") | | Description | | |
| | | | | /../ @n8060:envVarSuffix (where n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0") | | Description | | |
| | | | | /../ @n8060:envVarPrefix (where n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0") | | Description | | |
| | | | | /../ @n8060:mutable (where n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0") | | Description | | Example: a data file that may change over time (compared to its initial state). |
| | | | | /../ @n8060:patchEvent (update, remove, add) (where n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0") | | Description | | Example: useful to indicate you've removed something. |
| | | | | / @xml:lang | | Description | | Human language (XML). |
| | | | | / @xml:lang | | Description | | Human language (XML). |
| | | | | / @size | | Description | | |
| | | | | / @xml:lang | | Description | | Human language (XML). |
| | | | | / @name | | Description | | |
| | | | | / @pid | | Description | | |
| | | | | / @xml:lang | | Description | | |
| | | | | / @type | | Description | | |
| | | | | @date | | Discovery | | Forensic use case: a discovery tool looking at software on a system (no SWID & SPDX). |
| | | | | @deviceId | | Discovery | | No equivalent. |
| | | | | / @xml:lang | | Discovery | | |
| | | | | / @key | | Discovery | | |
| | | | | / @location | | Discovery | | |
| | | | | / @name | | Discovery | | |
| | | | | / @root | | Discovery | | |
| | | | | / @xml:lang | | Discovery | | |
| | | | | / @key | | Discovery | | |
| | | | | / @location | | Discovery | | |
| | | | | / @name | | Discovery | | |
| | | | | / @root | | Discovery | | |
| | | | | / @size | | Discovery | | |
| | | | | / @version | | Discovery | | |
| | | | | / @[hash-algorithm]:hash | | Discovery | | |
| | | | | / @xml:lang | | Discovery | | |
| | | | | / @name | | Discovery | | |
| | | | | / @pid | | Discovery | | |
| | | | | / @xml:lang | | Discovery | | |
| | | | | / @type | | Discovery | | |
| | | | | / @key | | Entitlement | | Permission to use on the device? |
| | | | | / @key | | Entitlement | | Permission to use on the device? |
| | | | | @activationStatus | | Entitlement | | Does an entitlement need to be present for the software to run (license key)? |
| | | | | @entitlementDataRequired | | Entitlement | | Is proof of entitlement needed for license reconciliation? |
| | | | | @entitlementKey | | Entitlement | | Key used to validate an entitlement (e.g., serial number, product key). |
| | | | | @rel | 1 | Mapping | | IANA registry: https://www.iana.org/assignments/link-relations/link-relations.xhtml |
| | | | | @type | 0-1 | Mapping | | IANA registry: https://www.iana.org/assignments/media-types/media-types.xhtml |
| | | | | @unspscCode | | Mapping | | 8-digit code that provides the UNSPSC classification (www.unspsc.org). |
| | | | | @unspscVersion | | Mapping | | The version of UNSPSC. |
| | | | | @channelType | | Procurement | | Distribution channel (e.g., retail, OEM, academic). |
| | | | | @tagversion | 1 | SBOM Metadata | | Different concept: revision of the product; multiple tagged versions. |