chore: Add v2.3 data model and JSON support

Signed-off-by: Keith Zantow <kzantow@gmail.com>

9 files changed, 494 insertions, 0 deletions

diff --git a/spdx/v2_3/annotation.go b/spdx/v2_3/annotation.go
new file mode 100644
index 0000000..756aea1
--- /dev/null
+++ b/spdx/v2_3/annotation.go
@@ -0,0 +1,29 @@
+// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+package v2_3
+
+import "github.com/spdx/tools-golang/spdx/common"
+
+// Annotation is an Annotation section of an SPDX Document for version 2.3 of the spec.
+type Annotation struct {
+	// 12.1: Annotator
+	// Cardinality: conditional (mandatory, one) if there is an Annotation
+	Annotator common.Annotator `json:"annotator"`
+
+	// 12.2: Annotation Date: YYYY-MM-DDThh:mm:ssZ
+	// Cardinality: conditional (mandatory, one) if there is an Annotation
+	AnnotationDate string `json:"annotationDate"`
+
+	// 12.3: Annotation Type: "REVIEW" or "OTHER"
+	// Cardinality: conditional (mandatory, one) if there is an Annotation
+	AnnotationType string `json:"annotationType"`
+
+	// 12.4: SPDX Identifier Reference
+	// Cardinality: conditional (mandatory, one) if there is an Annotation
+	// This field is not used in hierarchical data formats where the referenced element is clear, such as JSON or YAML.
+	AnnotationSPDXIdentifier common.DocElementID `json:"-"`
+
+	// 12.5: Annotation Comment
+	// Cardinality: conditional (mandatory, one) if there is an Annotation
+	AnnotationComment string `json:"comment"`
+}
diff --git a/spdx/v2_3/creation_info.go b/spdx/v2_3/creation_info.go
new file mode 100644
index 0000000..55fed3d
--- /dev/null
+++ b/spdx/v2_3/creation_info.go
@@ -0,0 +1,26 @@
+// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+package v2_3
+
+import "github.com/spdx/tools-golang/spdx/common"
+
+// CreationInfo is a Document Creation Information section of an
+// SPDX Document for version 2.3 of the spec.
+type CreationInfo struct {
+	// 6.7: License List Version
+	// Cardinality: optional, one
+	LicenseListVersion string `json:"licenseListVersion"`
+
+	// 6.8: Creators: may have multiple keys for Person, Organization
+	//      and/or Tool
+	// Cardinality: mandatory, one or many
+	Creators []common.Creator `json:"creators"`
+
+	// 6.9: Created: data format YYYY-MM-DDThh:mm:ssZ
+	// Cardinality: mandatory, one
+	Created string `json:"created"`
+
+	// 6.10: Creator Comment
+	// Cardinality: optional, one
+	CreatorComment string `json:"comment"`
+}
diff --git a/spdx/v2_3/document.go b/spdx/v2_3/document.go
new file mode 100644
index 0000000..f8b5e23
--- /dev/null
+++ b/spdx/v2_3/document.go
@@ -0,0 +1,65 @@
+// Package spdx contains the struct definition for an SPDX Document
+// and its constituent parts.
+// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+package v2_3
+
+import "github.com/spdx/tools-golang/spdx/common"
+
+// ExternalDocumentRef is a reference to an external SPDX document
+// as defined in section 6.6 for version 2.3 of the spec.
+type ExternalDocumentRef struct {
+	// DocumentRefID is the ID string defined in the start of the
+	// reference. It should _not_ contain the "DocumentRef-" part
+	// of the mandatory ID string.
+	DocumentRefID string `json:"externalDocumentId"`
+
+	// URI is the URI defined for the external document
+	URI string `json:"spdxDocument"`
+
+	// Checksum is the actual hash data
+	Checksum common.Checksum `json:"checksum"`
+}
+
+// Document is an SPDX Document for version 2.3 of the spec.
+// See https://spdx.github.io/spdx-spec/v2.3/document-creation-information
+type Document struct {
+	// 6.1: SPDX Version; should be in the format "SPDX-2.3"
+	// Cardinality: mandatory, one
+	SPDXVersion string `json:"spdxVersion"`
+
+	// 6.2: Data License; should be "CC0-1.0"
+	// Cardinality: mandatory, one
+	DataLicense string `json:"dataLicense"`
+
+	// 6.3: SPDX Identifier; should be "DOCUMENT" to represent
+	//      mandatory identifier of SPDXRef-DOCUMENT
+	// Cardinality: mandatory, one
+	SPDXIdentifier common.ElementID `json:"SPDXID"`
+
+	// 6.4: Document Name
+	// Cardinality: mandatory, one
+	DocumentName string `json:"name"`
+
+	// 6.5: Document Namespace
+	// Cardinality: mandatory, one
+	DocumentNamespace string `json:"documentNamespace"`
+
+	// 6.6: External Document References
+	// Cardinality: optional, one or many
+	ExternalDocumentReferences []ExternalDocumentRef `json:"externalDocumentRefs,omitempty"`
+
+	// 6.11: Document Comment
+	// Cardinality: optional, one
+	DocumentComment string `json:"comment,omitempty"`
+
+	CreationInfo  *CreationInfo   `json:"creationInfo"`
+	Packages      []*Package      `json:"packages,omitempty"`
+	Files         []*File         `json:"files,omitempty"`
+	OtherLicenses []*OtherLicense `json:"hasExtractedLicensingInfos,omitempty"`
+	Relationships []*Relationship `json:"relationships,omitempty"`
+	Annotations   []*Annotation   `json:"annotations,omitempty"`
+	Snippets      []Snippet       `json:"snippets,omitempty"`
+
+	// DEPRECATED in version 2.0 of spec
+	Reviews []*Review `json:"reviews,omitempty"`
+}
diff --git a/spdx/v2_3/file.go b/spdx/v2_3/file.go
new file mode 100644
index 0000000..3d6e71e
--- /dev/null
+++ b/spdx/v2_3/file.go
@@ -0,0 +1,96 @@
+// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+package v2_3
+
+import "github.com/spdx/tools-golang/spdx/common"
+
+// File is a File section of an SPDX Document for version 2.3 of the spec.
+type File struct {
+	// 8.1: File Name
+	// Cardinality: mandatory, one
+	FileName string `json:"fileName"`
+
+	// 8.2: File SPDX Identifier: "SPDXRef-[idstring]"
+	// Cardinality: mandatory, one
+	FileSPDXIdentifier common.ElementID `json:"SPDXID"`
+
+	// 8.3: File Types
+	// Cardinality: optional, multiple
+	FileTypes []string `json:"fileTypes,omitempty"`
+
+	// 8.4: File Checksum: may have keys for SHA1, SHA256, MD5, SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32
+	// Cardinality: mandatory, one SHA1, others may be optionally provided
+	Checksums []common.Checksum `json:"checksums"`
+
+	// 8.5: Concluded License: SPDX License Expression, "NONE" or "NOASSERTION"
+	// Cardinality: optional, one
+	LicenseConcluded string `json:"licenseConcluded,omitempty"`
+
+	// 8.6: License Information in File: SPDX License Expression, "NONE" or "NOASSERTION"
+	// Cardinality: optional, one or many
+	LicenseInfoInFiles []string `json:"licenseInfoInFiles,omitempty"`
+
+	// 8.7: Comments on License
+	// Cardinality: optional, one
+	LicenseComments string `json:"licenseComments,omitempty"`
+
+	// 8.8: Copyright Text: copyright notice(s) text, "NONE" or "NOASSERTION"
+	// Cardinality: mandatory, one
+	FileCopyrightText string `json:"copyrightText"`
+
+	// DEPRECATED in version 2.1 of spec
+	// 8.9-8.11: Artifact of Project variables (defined below)
+	// Cardinality: optional, one or many
+	ArtifactOfProjects []ArtifactOfProject `json:"artifactOfs,omitempty"`
+
+	// 8.12: File Comment
+	// Cardinality: optional, one
+	FileComment string `json:"comment,omitempty"`
+
+	// 8.13: File Notice
+	// Cardinality: optional, one
+	FileNotice string `json:"noticeText,omitempty"`
+
+	// 8.14: File Contributor
+	// Cardinality: optional, one or many
+	FileContributors []string `json:"fileContributors,omitempty"`
+
+	// 8.15: File Attribution Text
+	// Cardinality: optional, one or many
+	FileAttributionTexts []string `json:"attributionTexts,omitempty"`
+
+	// DEPRECATED in version 2.0 of spec
+	// 8.16: File Dependencies
+	// Cardinality: optional, one or many
+	FileDependencies []string `json:"fileDependencies,omitempty"`
+
+	// Snippets contained in this File
+	// Note that Snippets could be defined in a different Document! However,
+	// the only ones that _THIS_ document can contain are this ones that are
+	// defined here -- so this should just be an ElementID.
+	Snippets map[common.ElementID]*Snippet `json:"-"`
+
+	Annotations []Annotation `json:"annotations,omitempty"`
+}
+
+// ArtifactOfProject is a DEPRECATED collection of data regarding
+// a Package, as defined in sections 8.9-8.11 in version 2.3 of the spec.
+// NOTE: the JSON schema does not define the structure of this object:
+// https://github.com/spdx/spdx-spec/blob/development/v2.3.1/schemas/spdx-schema.json#L480
+type ArtifactOfProject struct {
+
+	// DEPRECATED in version 2.1 of spec
+	// 8.9: Artifact of Project Name
+	// Cardinality: conditional, required if present, one per AOP
+	Name string `json:"name"`
+
+	// DEPRECATED in version 2.1 of spec
+	// 8.10: Artifact of Project Homepage: URL or "UNKNOWN"
+	// Cardinality: optional, one per AOP
+	HomePage string `json:"homePage"`
+
+	// DEPRECATED in version 2.1 of spec
+	// 8.11: Artifact of Project Uniform Resource Identifier
+	// Cardinality: optional, one per AOP
+	URI string `json:"URI"`
+}
diff --git a/spdx/v2_3/other_license.go b/spdx/v2_3/other_license.go
new file mode 100644
index 0000000..363bb41
--- /dev/null
+++ b/spdx/v2_3/other_license.go
@@ -0,0 +1,31 @@
+// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+package v2_3
+
+// OtherLicense is an Other License Information section of an
+// SPDX Document for version 2.3 of the spec.
+type OtherLicense struct {
+	// 10.1: License Identifier: "LicenseRef-[idstring]"
+	// Cardinality: conditional (mandatory, one) if license is not
+	//              on SPDX License List
+	LicenseIdentifier string `json:"licenseId"`
+
+	// 10.2: Extracted Text
+	// Cardinality: conditional (mandatory, one) if there is a
+	//              License Identifier assigned
+	ExtractedText string `json:"extractedText"`
+
+	// 10.3: License Name: single line of text or "NOASSERTION"
+	// Cardinality: conditional (mandatory, one) if license is not
+	//              on SPDX License List
+	LicenseName string `json:"name,omitempty"`
+
+	// 10.4: License Cross Reference
+	// Cardinality: conditional (optional, one or many) if license
+	//              is not on SPDX License List
+	LicenseCrossReferences []string `json:"seeAlsos,omitempty"`
+
+	// 10.5: License Comment
+	// Cardinality: optional, one
+	LicenseComment string `json:"comment,omitempty"`
+}
diff --git a/spdx/v2_3/package.go b/spdx/v2_3/package.go
new file mode 100644
index 0000000..a382268
--- /dev/null
+++ b/spdx/v2_3/package.go
@@ -0,0 +1,151 @@
+// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+package v2_3
+
+import "github.com/spdx/tools-golang/spdx/common"
+
+// Package is a Package section of an SPDX Document for version 2.3 of the spec.
+type Package struct {
+	// NOT PART OF SPEC
+	// flag: does this "package" contain files that were in fact "unpackaged",
+	// e.g. included directly in the Document without being in a Package?
+	IsUnpackaged bool `json:"-"`
+
+	// 7.1: Package Name
+	// Cardinality: mandatory, one
+	PackageName string `json:"name"`
+
+	// 7.2: Package SPDX Identifier: "SPDXRef-[idstring]"
+	// Cardinality: mandatory, one
+	PackageSPDXIdentifier common.ElementID `json:"SPDXID"`
+
+	// 7.3: Package Version
+	// Cardinality: optional, one
+	PackageVersion string `json:"versionInfo,omitempty"`
+
+	// 7.4: Package File Name
+	// Cardinality: optional, one
+	PackageFileName string `json:"packageFileName,omitempty"`
+
+	// 7.5: Package Supplier: may have single result for either Person or Organization,
+	//                        or NOASSERTION
+	// Cardinality: optional, one
+	PackageSupplier *common.Supplier `json:"supplier,omitempty"`
+
+	// 7.6: Package Originator: may have single result for either Person or Organization,
+	//                          or NOASSERTION
+	// Cardinality: optional, one
+	PackageOriginator *common.Originator `json:"originator,omitempty"`
+
+	// 7.7: Package Download Location
+	// Cardinality: mandatory, one
+	PackageDownloadLocation string `json:"downloadLocation"`
+
+	// 7.8: FilesAnalyzed
+	// Cardinality: optional, one; default value is "true" if omitted
+	FilesAnalyzed bool `json:"filesAnalyzed,omitempty"`
+	// NOT PART OF SPEC: did FilesAnalyzed tag appear?
+	IsFilesAnalyzedTagPresent bool `json:"-"`
+
+	// 7.9: Package Verification Code
+	// Cardinality: if FilesAnalyzed == true must be present, if FilesAnalyzed == false must be omitted
+	PackageVerificationCode *common.PackageVerificationCode `json:"packageVerificationCode,omitempty"`
+
+	// 7.10: Package Checksum: may have keys for SHA1, SHA256, MD5, SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32
+	// Cardinality: optional, one or many
+	PackageChecksums []common.Checksum `json:"checksums,omitempty"`
+
+	// 7.11: Package Home Page
+	// Cardinality: optional, one
+	PackageHomePage string `json:"homepage,omitempty"`
+
+	// 7.12: Source Information
+	// Cardinality: optional, one
+	PackageSourceInfo string `json:"sourceInfo,omitempty"`
+
+	// 7.13: Concluded License: SPDX License Expression, "NONE" or "NOASSERTION"
+	// Cardinality: optional, one
+	PackageLicenseConcluded string `json:"licenseConcluded,omitempty"`
+
+	// 7.14: All Licenses Info from Files: SPDX License Expression, "NONE" or "NOASSERTION"
+	// Cardinality: optional, one or many if filesAnalyzed is true / omitted;
+	//              zero (must be omitted) if filesAnalyzed is false
+	PackageLicenseInfoFromFiles []string `json:"licenseInfoFromFiles,omitempty"`
+
+	// 7.15: Declared License: SPDX License Expression, "NONE" or "NOASSERTION"
+	// Cardinality: optional, one
+	PackageLicenseDeclared string `json:"licenseDeclared,omitempty"`
+
+	// 7.16: Comments on License
+	// Cardinality: optional, one
+	PackageLicenseComments string `json:"licenseComments,omitempty"`
+
+	// 7.17: Copyright Text: copyright notice(s) text, "NONE" or "NOASSERTION"
+	// Cardinality: mandatory, one
+	PackageCopyrightText string `json:"copyrightText"`
+
+	// 7.18: Package Summary Description
+	// Cardinality: optional, one
+	PackageSummary string `json:"summary,omitempty"`
+
+	// 7.19: Package Detailed Description
+	// Cardinality: optional, one
+	PackageDescription string `json:"description,omitempty"`
+
+	// 7.20: Package Comment
+	// Cardinality: optional, one
+	PackageComment string `json:"comment,omitempty"`
+
+	// 7.21: Package External Reference
+	// Cardinality: optional, one or many
+	PackageExternalReferences []*PackageExternalReference `json:"externalRefs,omitempty"`
+
+	// 7.22: Package External Reference Comment
+	// Cardinality: conditional (optional, one) for each External Reference
+	// contained within PackageExternalReference2_1 struct, if present
+
+	// 7.23: Package Attribution Text
+	// Cardinality: optional, one or many
+	PackageAttributionTexts []string `json:"attributionTexts,omitempty"`
+
+	// 7.24: Primary Package Purpose
+	// Cardinality: optional, one or many
+	// Allowed values: APPLICATION, FRAMEWORK, LIBRARY, CONTAINER, OPERATING-SYSTEM, DEVICE, FIRMWARE, SOURCE, ARCHIVE, FILE, INSTALL, OTHER
+	PrimaryPackagePurpose string `json:"primaryPackagePurpose,omitempty"`
+
+	// 7.25: Release Date: YYYY-MM-DDThh:mm:ssZ
+	// Cardinality: optional, one
+	ReleaseDate string `json:"releaseDate,omitempty"`
+
+	// 7.26: Build Date: YYYY-MM-DDThh:mm:ssZ
+	// Cardinality: optional, one
+	BuiltDate string `json:"builtDate,omitempty"`
+
+	// 7.27: Valid Until Date: YYYY-MM-DDThh:mm:ssZ
+	// Cardinality: optional, one
+	ValidUntilDate string `json:"validUntilDate,omitempty"`
+
+	// Files contained in this Package
+	Files []*File `json:"files,omitempty"`
+
+	Annotations []Annotation `json:"annotations,omitempty"`
+}
+
+// PackageExternalReference is an External Reference to additional info
+// about a Package, as defined in section 7.21 in version 2.3 of the spec.
+type PackageExternalReference struct {
+	// category is "SECURITY", "PACKAGE-MANAGER" or "OTHER"
+	Category string `json:"referenceCategory"`
+
+	// type is an [idstring] as defined in Appendix VI;
+	// called RefType here due to "type" being a Golang keyword
+	RefType string `json:"referenceType"`
+
+	// locator is a unique string to access the package-specific
+	// info, metadata or content within the target location
+	Locator string `json:"referenceLocator"`
+
+	// 7.22: Package External Reference Comment
+	// Cardinality: conditional (optional, one) for each External Reference
+	ExternalRefComment string `json:"comment"`
+}
diff --git a/spdx/v2_3/relationship.go b/spdx/v2_3/relationship.go
new file mode 100644
index 0000000..af4c07d
--- /dev/null
+++ b/spdx/v2_3/relationship.go
@@ -0,0 +1,23 @@
+// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+package v2_3
+
+import "github.com/spdx/tools-golang/spdx/common"
+
+// Relationship is a Relationship section of an SPDX Document for
+// version 2.3 of the spec.
+type Relationship struct {
+
+	// 11.1: Relationship
+	// Cardinality: optional, one or more; one per Relationship
+	//              one mandatory for SPDX Document with multiple packages
+	// RefA and RefB are first and second item
+	// Relationship is type from 11.1.1
+	RefA         common.DocElementID `json:"spdxElementId"`
+	RefB         common.DocElementID `json:"relatedSpdxElement"`
+	Relationship string              `json:"relationshipType"`
+
+	// 11.2: Relationship Comment
+	// Cardinality: optional, one
+	RelationshipComment string `json:"comment,omitempty"`
+}
diff --git a/spdx/v2_3/review.go b/spdx/v2_3/review.go
new file mode 100644
index 0000000..0463807
--- /dev/null
+++ b/spdx/v2_3/review.go
@@ -0,0 +1,25 @@
+// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+package v2_3
+
+// Review is a Review section of an SPDX Document for version 2.3 of the spec.
+// DEPRECATED in version 2.0 of spec; retained here for compatibility.
+type Review struct {
+
+	// DEPRECATED in version 2.0 of spec
+	// 13.1: Reviewer
+	// Cardinality: optional, one
+	Reviewer string
+	// including AnnotatorType: one of "Person", "Organization" or "Tool"
+	ReviewerType string
+
+	// DEPRECATED in version 2.0 of spec
+	// 13.2: Review Date: YYYY-MM-DDThh:mm:ssZ
+	// Cardinality: conditional (mandatory, one) if there is a Reviewer
+	ReviewDate string
+
+	// DEPRECATED in version 2.0 of spec
+	// 13.3: Review Comment
+	// Cardinality: optional, one
+	ReviewComment string
+}
diff --git a/spdx/v2_3/snippet.go b/spdx/v2_3/snippet.go
new file mode 100644
index 0000000..240f8c8
--- /dev/null
+++ b/spdx/v2_3/snippet.go
@@ -0,0 +1,48 @@
+// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+
+package v2_3
+
+import "github.com/spdx/tools-golang/spdx/common"
+
+// Snippet is a Snippet section of an SPDX Document for version 2.3 of the spec.
+type Snippet struct {
+
+	// 9.1: Snippet SPDX Identifier: "SPDXRef-[idstring]"
+	// Cardinality: mandatory, one
+	SnippetSPDXIdentifier common.ElementID `json:"SPDXID"`
+
+	// 9.2: Snippet from File SPDX Identifier
+	// Cardinality: mandatory, one
+	SnippetFromFileSPDXIdentifier common.ElementID `json:"snippetFromFile"`
+
+	// Ranges denotes the start/end byte offsets or line numbers that the snippet is relevant to
+	Ranges []common.SnippetRange `json:"ranges"`
+
+	// 9.5: Snippet Concluded License: SPDX License Expression, "NONE" or "NOASSERTION"
+	// Cardinality: optional, one
+	SnippetLicenseConcluded string `json:"licenseConcluded,omitempty"`
+
+	// 9.6: License Information in Snippet: SPDX License Expression, "NONE" or "NOASSERTION"
+	// Cardinality: optional, one or many
+	LicenseInfoInSnippet []string `json:"licenseInfoInSnippets,omitempty"`
+
+	// 9.7: Snippet Comments on License
+	// Cardinality: optional, one
+	SnippetLicenseComments string `json:"licenseComments,omitempty"`
+
+	// 9.8: Snippet Copyright Text: copyright notice(s) text, "NONE" or "NOASSERTION"
+	// Cardinality: mandatory, one
+	SnippetCopyrightText string `json:"copyrightText"`
+
+	// 9.9: Snippet Comment
+	// Cardinality: optional, one
+	SnippetComment string `json:"comment,omitempty"`
+
+	// 9.10: Snippet Name
+	// Cardinality: optional, one
+	SnippetName string `json:"name,omitempty"`
+
+	// 9.11: Snippet Attribution Text
+	// Cardinality: optional, one or many
+	SnippetAttributionTexts []string `json:"-"`
+}