Skip to content

bact/spdx3reader

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

29 Commits
scripts
scripts
 
 
src/spdx3reader
src/spdx3reader
 
 
tests
tests
 
 
.DS_Store
.DS_Store
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
pyproject.toml
pyproject.toml
 
 

Repository files navigation

SPDX-FileCopyrightText SPDX-FileType SPDX-License-Identifier
2025-present Arthit Suriyawongkul <[email protected]>
DOCUMENTATION
Apache-2.0

SPDX 3 Reader

SBOM compliance experimentation for GSoC 2025.

Read SPDX 3 JSON file, get SPDX 3 document as Python objects, and look for NTIA minimum elements.

To install the library:

pip install -e .

To print all relationships in an SPDX 3 JSON file:

python scripts/spdx3read.py --rel tests/data/dataset-example01.json

Output will look like this:

Relationships:

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅
┃ dataset_DatasetPackage
┃  - name: Our World in Data CO2 and Greenhouse Gas Emissions dataset
┃  - spdxId: https://spdx.org/spdxdocs/DatasetPackage1-035470d9-3ede-4952-91c8-c2abb943c90b
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅
    │
  hasDeclaredLicense
    ↓
  ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅
  ┃ simplelicensing_LicenseExpression
  ┃  - name: None
  ┃  - spdxId: https://spdx.org/licenses/CC-BY-4.0
  ┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅
┃ dataset_DatasetPackage
┃  - name: Our World in Data CO2 and Greenhouse Gas Emissions dataset
┃  - spdxId: https://spdx.org/spdxdocs/DatasetPackage1-035470d9-3ede-4952-91c8-c2abb943c90b
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅
    │
  hasConcludedLicense
    ↓
  ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅
  ┃ simplelicensing_LicenseExpression
  ┃  - name: None
  ┃  - spdxId: https://spdx.org/licenses/CC-BY-4.0
  ┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅
┃ software_File
┃  - name: codebook.csv
┃  - spdxId: https://spdx.org/spdxdocs/File2-caf55baf-cd02-406a-b7ec-838842ca869f
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅
    │
  describes
    ↓
  ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅
  ┃ software_File
  ┃  - name: data.csv
  ┃  - spdxId: https://spdx.org/spdxdocs/File1-d029fccb-7ee9-42be-a445-5e2066db0de8
  ┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅
┃ dataset_DatasetPackage
┃  - name: Our World in Data CO2 and Greenhouse Gas Emissions dataset
┃  - spdxId: https://spdx.org/spdxdocs/DatasetPackage1-035470d9-3ede-4952-91c8-c2abb943c90b
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅
    │
  contains
    ↓
  ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅
  ┃ software_File
  ┃  - name: data.csv
  ┃  - spdxId: https://spdx.org/spdxdocs/File1-d029fccb-7ee9-42be-a445-5e2066db0de8
  ┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅
  ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅
  ┃ software_File
  ┃  - name: codebook.csv
  ┃  - spdxId: https://spdx.org/spdxdocs/File2-caf55baf-cd02-406a-b7ec-838842ca869f
  ┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┅

4 relationships found.
Not compliant with FSCT Baseline Attribute requirements.

To print the baseline attributes:

python scripts/spdx3read.py --print tests/data/dataset-example01.json

Output will look like this:

FSCTBaselineAttribute:
- SBOM Author Name: ['Arthit Suriyawongkul']
- SBOM Timestamp: 2024-05-31 00:00:00+00:00
- SBOM Type: ['analyzed']
- SBOM Primary Component: True
- Primary Component Name: Our World in Data CO2 and Greenhouse Gas Emissions dataset
- Primary Component Version String: 2024-04-15
- Primary Component Supplier Name: Our World in Data
- Primary Component Cryptographic Hash: [('sha1', '32657f0d033fc07a7420be36a6af9083c6a63489'), ('sha256', '434d75c84cf86456c16193dbc53beef31eb63f3387425882ddb2ef6acb9d472c')]
- Primary Component Unique Identifiers: [('spdxId', 'https://spdx.org/spdxdocs/DatasetPackage1-035470d9-3ede-4952-91c8-c2abb943c90b')]
- Primary Component Relationships: None
- Primary Component License: ['CC-BY-4.0']
- Primary Component Copyright Holder: Copyright Our World in Data
- All components have Name: True
- All components have Version String: True
- All components have Supplier Name: False
- All components have Cryptographic Hash: False
- All components have Unique Identifiers: True
- All components have Relationships: False
- All components have License: False
- All components have Copyright Holder: False
Not compliant with FSCT Baseline Attribute requirements.

The current code can check all the existence of all minimum elements/baseline attributes but not yet the relationships (like licenses).

To be integrated into ntia-conformance-checker.

Note: see the SPDX 3.0 - NTIA Minimum Elements mapping from this design document.

Some of the code was originally from this spdx-python-model tutorial.

About

Print SPDX 3 information

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages