| 1 | +{ |
| 2 | + "title": "The AOSD2 JSON import schema - version 2.1.0", |
| 3 | + "description": "Defines the JSON format for automated and manual import for software components and their dependencies into AOSD. - All fields in this schema are mandatory but not all values. - Fields with optional values are marked with default value in the description.", |
| 4 | + "type": "object", |
| 5 | + "required": ["schemaVersion", "externalId", "scanned", "directDependencies", "components"], |
| 6 | + "properties": { |
| 7 | + "schemaVersion": { |
| 8 | + "type": "string", |
| 9 | + "minLength": 5, |
| 10 | + "pattern": "[0-99].[0-99].[0-99]", |
| 11 | + "description": "Field and value are mandatory - Version of the schema according to SemVer." |
| 12 | + }, |
| 13 | + "externalId": { |
| 14 | + "type": "string", |
| 15 | + "description": "Field is mandatory but value is optional default is empty string - This is a label that can be used in AOSD for search and identification of custom information as optional field. This can be also used for linking your system with AOSD.", |
| 16 | + "default": "" |
| 17 | + }, |
| 18 | + "scanned": { |
| 19 | + "type": "boolean", |
| 20 | + "description": "Field and value are mandatory - Flag to mark if the software component information is the output from a scan tool like BlackDuck Deep License Scan, ScanCode, Fossology e.g. or if it was prepared manually." |
| 21 | + }, |
| 22 | + "directDependencies": { |
| 23 | + "type": "array", |
| 24 | + "uniqueItems": true, |
| 25 | + "description": "Field and value are mandatory - Array with ID's of top level dependencies directly related to the product. However, transitive dependencies, i.e. components that are only included via direct dependencies, do not have to be listed here but as transitiveDependencies. - A product must at least contain one direct dependency.", |
| 26 | + "items": { |
| 27 | + "type": "integer" |
| 28 | + } |
| 29 | + }, |
| 30 | + "components": { |
| 31 | + "type": "array", |
| 32 | + "minItems": 1, |
| 33 | + "uniqueItems": true, |
| 34 | + "description": "Mandatory - Array with all software components used in this product. - A product must at least contain one component.", |
| 35 | + "items": { |
| 36 | + "type": "object", |
| 37 | + "description": "Mandatory - Software component with all needed information.", |
| 38 | + "required": ["id", "componentName", "componentVersion", "scmUrl", "modified", "linking", "transitiveDependencies", "subcomponents"], |
| 39 | + "properties": { |
| 40 | + "id": { |
| 41 | + "type": "integer", |
| 42 | + "minimum": 0, |
| 43 | + "description": "Field and value are mandatory - Id of the component in this file as mandatory field. The ID must be unique!" |
| 44 | + }, |
| 45 | + "componentName": { |
| 46 | + "type": "string", |
| 47 | + "minLength": 1, |
| 48 | + "pattern": "[0-9a-zA-Z]+", |
| 49 | + "description": "Field and value are mandatory - Name of the software component as mandatory field." |
| 50 | + }, |
| 51 | + "componentVersion": { |
| 52 | + "type": "string", |
| 53 | + "minLength": 1, |
| 54 | + "maxLength": 50, |
| 55 | + "pattern": "[0-9a-zA-Z]+", |
| 56 | + "description": "Field and value are mandatory - Exact version of the software component as mandatory field." |
| 57 | + }, |
| 58 | + "scmUrl": { |
| 59 | + "type": "string", |
| 60 | + "minLength": 5, |
| 61 | + "description": "Field and value are mandatory - Url for the source code repository / alternatively the homepage URL for the component." |
| 62 | + }, |
| 63 | + "modified": { |
| 64 | + "type": ["boolean", "null"], |
| 65 | + "description": "Field is mandatory and value is optional, default is null, except for licenses with conditions for modification e.g. copyleft licenses - Information about modification of source code of the component.", |
| 66 | + "default": null |
| 67 | + }, |
| 68 | + "linking": { |
| 69 | + "type": ["string", "null"], |
| 70 | + "description": "Field is mandatory and value is optional, default is null, except for copyleft licenses - Information about the linking type of this component with its higher level code.", |
| 71 | + "enum": [ |
| 72 | + "dynamic_linking", |
| 73 | + "static_linking", |
| 74 | + "sys_call", |
| 75 | + "process_call", |
| 76 | + null |
| 77 | + ], |
| 78 | + "default": null |
| 79 | + }, |
| 80 | + "transitiveDependencies": { |
| 81 | + "type": "array", |
| 82 | + "description": "Field is mandatory and value is optional, default is an empty array, except if the component has further dependencies. Such further dependencies are also known as transitive dependencies. These transitive dependencies need to be listed as specific components with ID's in the component list. The ID's of this components shall be referenced here.", |
| 83 | + "items": { |
| 84 | + "type": "integer" |
| 85 | + }, |
| 86 | + "default": [] |
| 87 | + }, |
| 88 | + "subcomponents": { |
| 89 | + "type": "array", |
| 90 | + "minItems": 1, |
| 91 | + "description": "Mandatory - Array with all subcomponents of the specific software component. A subcomponent is a finding in a software component with license and / or copyright information (sometimes also referred to as part). Usually there is a main license of the component and further subcomponent licenses in individual directories or files of the component. - Important hint: The first subcomponent in every component block must be named main!", |
| 92 | + "items": { |
| 93 | + "type": "object", |
| 94 | + "description": "Mandatory - for every license identified within all files of the softwarecomponent shall a subcomponent be provided. - The first subcomponent in a component block should contain the main license of the component and must be named main. - All following subcomponents inside a component can be freely assigned.", |
| 95 | + "required": ["subcomponentName", "spdxId", "copyrights", "authors", "licenseText", "licenseTextUrl", "selectedLicense", "additionalLicenseInfos"], |
| 96 | + "properties": { |
| 97 | + "subcomponentName": { |
| 98 | + "type": "string", |
| 99 | + "minLength": 1, |
| 100 | + "description": "Field and value are mandatory - label of the subcomponent as mandatory field. You could use 'GPL-PARTS' / 'BSD-PARTS' or 'A' / 'B' for example- Minimum length 1 character. - Hint: The first subcomponent in a component block must be named main!" |
| 101 | + }, |
| 102 | + "spdxId": { |
| 103 | + "type": "string", |
| 104 | + "minLength": 1, |
| 105 | + "description": "Field and value are mandatory - can be spdx ID or scancode identifier. Please see https://spdx.org/licenses/ and https://scancode-licensedb.aboutcode.org/index.html - if license exceptions are in use, please follow spdx instructions and connect license identifier and exception identifier using the operator 'with'. In case of alternative licensing connect the referring license identifier with the operator 'or' in between and provide the selectedlicense information." |
| 106 | + }, |
| 107 | + "copyrights": { |
| 108 | + "type": "array", |
| 109 | + "description": "Field is mandatory and value is optional, default is an empty array - except the subcomponent has copyrights - may only be an empty array if no Copyrights were found. - Array with all copyrights that are linked to this license subcomponent.", |
| 110 | + "items": { |
| 111 | + "type": "string", |
| 112 | + "description": "Every item here is a copyright line / note." |
| 113 | + }, |
| 114 | + "default": [] |
| 115 | + }, |
| 116 | + "authors": { |
| 117 | + "type": "array", |
| 118 | + "description": "Field is mandatory and value is optional, default is empty array - except the subcomponent has no copyrights but authors - Array with all authors that are related to this subcomponent's license.", |
| 119 | + "items": { |
| 120 | + "type": "string", |
| 121 | + "description": "Authors are normally listed by their names." |
| 122 | + }, |
| 123 | + "default": [] |
| 124 | + }, |
| 125 | + "licenseText": { |
| 126 | + "type": "string", |
| 127 | + "minLength": 20, |
| 128 | + "description": "Field and value are mandatory - complete license text or permission note that was found for this specific subcomponent in the source code. Make sure to include the individualized license text if the specific license provides such variable parts e.g. BSD-3-Clause in clause 3 and disclaimer." |
| 129 | + }, |
| 130 | + "licenseTextUrl": { |
| 131 | + "type": "string", |
| 132 | + "description": "Field is mandatory and value is optional, default is empty string - value is mandatory if the license information are not the result of a file level scan - in this case the link to the specific license text for this subcomponent from the source code is necessary.", |
| 133 | + "default": "" |
| 134 | + }, |
| 135 | + "selectedLicense": { |
| 136 | + "type": "string", |
| 137 | + "description": "Field is mandatory and value is optional, default is empty string - in case of alternative licensing for the subcomponent you should include the license identifier of the license you elect. Otherwise you have to elect the license in the tool later on. - If used please choose one of the license identifiers you provided in spdxId of this subcomponent.", |
| 138 | + "default": "" |
| 139 | + }, |
| 140 | + "additionalLicenseInfos": { |
| 141 | + "type": "string", |
| 142 | + "description": "Field is mandatory and value is optional, default is empty string - the field is not for any specific information but can be used for notes regarding the licenses. (e.g. text is a permission note)", |
| 143 | + "default": "" |
| 144 | + } |
| 145 | + } |
| 146 | + } |
| 147 | + } |
| 148 | + } |
| 149 | + } |
| 150 | + } |
| 151 | + } |
| 152 | +} |
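Review bot: The `schemaVersion` pattern on line 10, `[0-99].[0-99].[0-99]`, does not enforce the SemVer shape its description promises: `[0-99]` is just the class `[0-9]`, the unescaped `.` matches any character, and because JSON Schema patterns are unanchored the expression accepts any string that merely contains three digits separated by arbitrary characters (a constructed example: `x1a2b3`). Anchor and escape it, `"pattern": "^\\d+\\.\\d+\\.\\d+$"`, or, since the title pins the format to 2.1.0, replace it with `"const": "2.1.0"` so an importer can reject files written for another revision. The same unanchored `[0-9a-zA-Z]+` on lines 48 and 55 is a no-op beyond `minLength`, so it should be anchored if alphanumerics-only is intended or dropped if not. `directDependencies` (line 22) documents "A product must at least contain one direct dependency" but carries no `"minItems": 1` as `components` does, so that rule is currently documentation only, and `transitiveDependencies` lacks the `uniqueItems` that `directDependencies` has. As this file defines the boundary for automated imports it would also benefit from a `"$schema"` dialect declaration, `"additionalProperties": false` on the top-level, component and subcomponent objects, `"format": "uri"` on `scmUrl`/`licenseTextUrl` (with format assertion enabled in the validator) and a `maxLength` on the free-text fields, while the cross-field rules (unique component `id`, dependency IDs resolving to listed components, first subcomponent named main) cannot be expressed in JSON Schema and need a check in the consumer.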