Create an example for enriching SPDX V2.3 documents

software/README.md

@@ -37,3 +37,4 @@ Each directory contains build metadata which is used to create the build artifac
 | 11 | 1 Rust file | compiled with Cargo | 1 document | SBOM describing both source and artifact, related with GENERATED_FROM |
 | 12 | 1 Ruby library | built using `bundle` | 1 document | SBOM describing Ruby library packaged in a gem |
 | 13 | Bundled app with a package and container | No compiling - hypothetical example | Documents in progress | SBOM describing a hypothetical "Acme Aplication" |
+| 14 | SPDX file from example 8 | N/A | 1 document | SPDX file is enriched using a tool such as [Parlay](https://github.com/snyk/parlay) - includes relationship to original SPDX document |

software/example14/README.md

@@ -0,0 +1,50 @@
+# Example 1
+
+## Description
+
+An [existing (original) SPDX document](content/examplemaven-0.0.1.spdx.json) is enriched to include additional metadata from an application such as [Parlay](https://github.com/snyk/parlay) producing the [enriched SPDX document](spdx2.3/examplemaven-0.0.1-enriched.spdx.json).  Any process or tool that modifies an existing SPDX document should include the additional metadata referenced in comments below.
+
+## Comments
+
+In addition to any modifications made to the original SPDX document, the following changes are made to the resultant enriched SPDX document:
+- Create a new `documentNamespace` - this is required since the enriched document does not contain exactly the same SPDX metadata
+- Update the `created` timestamp to the time this document was generated
+- Add a tool to the creators for the enrichment tool
+- Create an `AMENDS` relationship from the enriched document to the original document
+- Add an `externalDocumentRef` for the original document - this is necessary to create the relationship and provides a checksum for verifying the integrity of the original document 
+
+
+Below is a diff for the above-mentioned changes:
+
+```
+6c6
+<   "documentNamespace": "http://spdx.org/documents/examplemaven-0.0.1",
+---
+>   "documentNamespace": "http://spdx.org/documents/examplemaven-0.0.1/enriched",
+11c11,12
+<       "Tool: spdx-maven-plugin"
+---
+>       "Tool: spdx-maven-plugin",
+>         "Tool: Parlay"
+13c14
+<     "created": "2022-10-23T15:44:16Z"
+---
+>     "created": "2024-11-18T10:22:12Z"
+14a16,23
+>   "externalDocumentRefs" : [ {
+>     "externalDocumentId" : "DocumentRef-original",
+>     "checksum" : {
+>       "algorithm" : "SHA1",
+>       "checksumValue" : "3f9deeef2efdbb0eb4b15ec216f5c4e3af2d13e2"
+>     },
+>     "spdxDocument" : "http://spdx.org/documents/examplemaven-0.0.1"
+>   } ],
+153a163,168
+>     {
+>       "spdxElementId": "SPDXRef-DOCUMENT",
+>       "relatedSpdxElement": "DocumentRef-original:SPDXRef-DOCUMENT",
+>       "relationshipType": "AMENDS",
+>       "comment": "The original document and been enriched by the Parlay application"
+>     },
+
+```

software/example14/content/examplemaven-0.0.1.spdx.json

@@ -0,0 +1,204 @@
+{
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "spdxVersion": "SPDX-2.3",
+  "creationInfo": {
+    "created": "2022-10-23T15:44:16Z",
+    "creators": [
+      "Person: Gary O'Neall",
+      "Tool: spdx-maven-plugin"
+    ],
+    "licenseListVersion": "3.18"
+  },
+  "name": "examplemaven",
+  "dataLicense": "CC0-1.0",
+  "documentDescribes": [
+    "SPDXRef-example"
+  ],
+  "documentNamespace": "http://spdx.org/documents/examplemaven-0.0.1",
+  "packages": [
+    {
+      "SPDXID": "SPDXRef-junit",
+      "copyrightText": "UNSPECIFIED",
+      "description": "JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.",
+      "downloadLocation": "NOASSERTION",
+      "filesAnalyzed": false,
+      "homepage": "http://junit.org",
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "CPL-1.0",
+      "name": "JUnit",
+      "originator": "Organization: JUnit",
+      "summary": "JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.",
+      "versionInfo": "3.8.1"
+    },
+    {
+      "SPDXID": "SPDXRef-log4jslf4jbinding",
+      "copyrightText": "UNSPECIFIED",
+      "description": "The Apache Log4j SLF4J API binding to Log4j 2 Core",
+      "downloadLocation": "NOASSERTION",
+      "filesAnalyzed": false,
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
+      "name": "Apache Log4j SLF4J Binding",
+      "summary": "The Apache Log4j SLF4J API binding to Log4j 2 Core"
+    },
+    {
+      "SPDXID": "SPDXRef-log4jslf4jApi",
+      "copyrightText": "UNSPECIFIED",
+      "description": "The slf4j API",
+      "downloadLocation": "NOASSERTION",
+      "filesAnalyzed": false,
+      "homepage": "http://www.slf4j.org",
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
+      "name": "SLF4J API Module",
+      "summary": "The slf4j API"
+    },
+    {
+      "SPDXID": "SPDXRef-log4jApi",
+      "copyrightText": "UNSPECIFIED",
+      "description": "The Apache Log4j API",
+      "downloadLocation": "NOASSERTION",
+      "filesAnalyzed": false,
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
+      "name": "Apache Log4j API",
+      "summary": "The Apache Log4j API"
+    },
+    {
+      "SPDXID": "SPDXRef-log4jImpl",
+      "copyrightText": "UNSPECIFIED",
+      "description": "The Apache Log4j Implementation",
+      "downloadLocation": "NOASSERTION",
+      "filesAnalyzed": false,
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
+      "name": "Apache Log4j Core",
+      "summary": "The Apache Log4j Implementation"
+    },
+    {
+      "SPDXID": "SPDXRef-example",
+      "checksums": [
+        {
+          "algorithm": "SHA1",
+          "checksumValue": "b8a7e6c75001e6d78625cfc9a3103bf121abf8b4"
+        }
+      ],
+      "copyrightText": "Copyright (c) 2022 Source Auditor Inc.",
+      "description": "This is a simple example Maven project created using the Maven quickstart archetype with one dependency added.",
+      "downloadLocation": "NOASSERTION",
+      "filesAnalyzed": true,
+      "homepage": "https://github.com/spdx/spdx-examples",
+      "licenseConcluded": "Apache-2.0",
+      "licenseDeclared": "Apache-2.0",
+      "licenseInfoFromFiles": [
+        "Apache-2.0"
+      ],
+      "name": "examplemaven",
+      "originator": "Organization: Linux Foundation",
+      "packageFileName": "examplemaven-0.0.1.jar",
+      "packageVerificationCode": {
+        "packageVerificationCodeValue": "c12417def36d7804096521de4280721e5863e68b"
+      },
+      "primaryPackagePurpose": "LIBRARY",
+      "hasFiles": [
+        "SPDXRef-appsource",
+        "SPDXRef-apptest"
+      ],
+      "summary": "This is a simple example Maven project created using the Maven quickstart archetype with one dependency added.",
+      "supplier": "Organization: SPDX",
+      "versionInfo": "0.0.1"
+    }
+  ],
+  "files": [
+    {
+      "SPDXID": "SPDXRef-appsource",
+      "checksums": [
+        {
+          "algorithm": "SHA1",
+          "checksumValue": "a6f47dbc7e4615058490055172fe0065c55f8fc5"
+        }
+      ],
+      "copyrightText": "Copyright (c) 2020 Source Auditor Inc.",
+      "fileContributors": [
+        "Gary O'Neall"
+      ],
+      "fileName": "./src/main/java/org/spdx/examplemaven/App.java",
+      "fileTypes": [
+        "SOURCE"
+      ],
+      "licenseComments": "This file contains SPDX-License-Identifiers for Apache-2.0",
+      "licenseConcluded": "Apache-2.0",
+      "licenseInfoInFiles": [
+        "Apache-2.0"
+      ],
+      "noticeText": "SPDX-License-Identifier: Apache-2.0\nCopyright (c) 2022 Source Auditor Inc."
+    },
+    {
+      "SPDXID": "SPDXRef-apptest",
+      "checksums": [
+        {
+          "algorithm": "SHA1",
+          "checksumValue": "4b4df52d36588c8e9482d56eebc42336447f3dad"
+        }
+      ],
+      "copyrightText": "Copyright (c) 2020 Source Auditor Inc.",
+      "fileContributors": [
+        "Gary O'Neall"
+      ],
+      "fileName": "./src/test/java/org/spdx/examplemaven/AppTest.java",
+      "fileTypes": [
+        "SOURCE"
+      ],
+      "licenseComments": "This file contains SPDX-License-Identifiers for Apache-2.0",
+      "licenseConcluded": "Apache-2.0",
+      "licenseInfoInFiles": [
+        "Apache-2.0"
+      ],
+      "noticeText": "SPDX-License-Identifier: Apache-2.0\nCopyright (c) 2022 Source Auditor Inc."
+    }
+  ],
+  "relationships": [
+    {
+      "spdxElementId": "SPDXRef-junit",
+      "relationshipType": "TEST_DEPENDENCY_OF",
+      "relatedSpdxElement": "SPDXRef-example",
+      "comment": "Relationship created based on Maven POM information"
+    },
+    {
+      "spdxElementId": "SPDXRef-example",
+      "relationshipType": "DYNAMIC_LINK",
+      "relatedSpdxElement": "SPDXRef-log4jslf4jbinding",
+      "comment": "Relationship based on Maven POM file dependency information"
+    },
+    {
+      "spdxElementId": "SPDXRef-example",
+      "relationshipType": "DYNAMIC_LINK",
+      "relatedSpdxElement": "SPDXRef-log4jslf4jApi",
+      "comment": "Relationship based on Maven POM file dependency information"
+    },
+    {
+      "spdxElementId": "SPDXRef-example",
+      "relationshipType": "DYNAMIC_LINK",
+      "relatedSpdxElement": "SPDXRef-log4jApi",
+      "comment": "Relationship based on Maven POM file dependency information"
+    },
+    {
+      "spdxElementId": "SPDXRef-example",
+      "relationshipType": "DYNAMIC_LINK",
+      "relatedSpdxElement": "SPDXRef-log4jImpl",
+      "comment": "Relationship based on Maven POM file dependency information"
+    },
+    {
+      "spdxElementId": "SPDXRef-appsource",
+      "relationshipType": "GENERATES",
+      "relatedSpdxElement": "SPDXRef-example",
+      "comment": ""
+    },
+    {
+      "spdxElementId": "SPDXRef-apptest",
+      "relationshipType": "TEST_CASE_OF",
+      "relatedSpdxElement": "SPDXRef-example",
+      "comment": ""
+    }
+  ]
+}