Merge branch 'master' into converting_spdx_links

Signed-off-by: Gary O'Neall <[email protected]>

.github/workflows/pull_request.yml

@@ -1,18 +1,77 @@
 name: SPDX validation
-on: pull_request
+on:
+  - pull_request
+  - push
 
 jobs:
   SPDX_Validation:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - name: Setup
+      - name: Checkout spdx-examples
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  #v4.1.7
+
+      - name: Look for files with the wrong location
+        run: |
+          find . \( -name '*.spdx' -o -name '*.json' \) \
+            -not -path './presentations/*' \
+            -not -path './tools-java/*' \
+            -not -path '*/spdx2.2/*' \
+            -not -path '*/spdx2.3/*' \
+            -not -path '*/spdx3.0/*' > flist.txt
+
+          if [ "$(cat flist.txt | wc -l)" != "0" ]; then
+            echo "SPDX JSON files are only expected in these locations:"
+            echo "./presentations/"
+            echo "./tools-java/"
+            echo "*/spdx2.2/"
+            echo "*/spdx2.3/"
+            echo "*/spdx3.0/"
+            echo ""
+            echo "The following files are in the wrong location and will not be checked:"
+            cat flist.txt
+            exit 1
+          fi
+
+      - name: Look for files with the wrong extension
+        run: |
+          find . -name '*.jsonld' > flist.txt
+
+          if [ "$(cat flist.txt | wc -l)" != "0" ]; then
+            echo "SPDX JSON can only has these extensions:"
+            echo "*.spdx"
+            echo "*.json"
+            echo ""
+            echo "The following files have the wrong extension and will not be checked:"
+            cat flist.txt
+            exit 1
+          fi
+
+      - name: Update apt
+        run: |
+          sudo apt update -y
+
+      - name: Setup Java tools
         run: |
           sudo apt install -y default-jdk maven
           git clone https://github.com/spdx/tools-java.git && cd tools-java
           export JAVA_HOME=$(readlink -f /usr/bin/javac | sed "s:/bin/javac::")
           mvn clean install && cd ..
-            
-      - name: Validate SPDX Documents
+
+      - name: Setup Python tools
+        run: |
+          python3 -m pip install -U pip
+          python3 -m pip install spdx3-validate
+
+      - name: Validate SPDX 2.2 & SPDX 2.3 Documents
         run: |
-          find . -name *.spdx -o -name *.json -exec echo {} \; -exec java -jar tools-java/target/tools-java-*-jar-with-dependencies.jar Verify {} \;
+          find . \( -path '*/spdx2.2/*' -o -path '*/spdx2.3/*' \) \( -name *.spdx -o -name *.json \) \
+            -exec echo {} \; \
+            -exec java -jar tools-java/target/tools-java-*-jar-with-dependencies.jar Verify {} \;
+
+      - name: Validate SPDX 3.0 Documents
+        run: |
+          for f in $(find . -type f -path '*/spdx3.0/*.json'); do
+              echo "Checking $f..."
+              spdx3-validate -j $f
+          done
+

.gitignore

@@ -21,3 +21,17 @@ tags
 # Persistent undo
 [._]*.un~
 
+# macOS
+.DS_Store
+.AppleDouble
+.LSOverride
+._*
+
+# Windows
+Thumbs.db
+Thumbs.db:encryptable
+ehthumbs.db
+ehthumbs_vista.db
+*.stackdump
+[Dd]esktop.ini
+$RECYCLE.BIN/

README.md

@@ -1,22 +1,46 @@
 # SPDX Usage Examples
 
-This repository includes demonstrations of [SPDX](https://spdx.dev) for various scenarios and use cases.
+This repository includes demonstrations of [SPDX](https://spdx.dev) for various
+scenarios and use cases.
 
-The repository is organized by profiles which represents a set of scenarios and use cases for a particular domain (e.g. security, license compliance).
-Each directory contains a README.md file describing the profile and the examples contained within that directory.
+The repository is organized by profiles which represents a set of scenarios and
+use cases for a particular domain (e.g. security, license compliance).
+Each directory contains a README.md file describing the profile and the
+examples contained within that directory.
 
-The presentations directory contains examples included in various SPDX presentations.
+The [`presentations`](./presentations/) directory contains examples included in
+various SPDX presentations.
 
-Please note that this repository does not contain all of the supported fields nor all of the supported serialization formats in the latest version of the spec.  Please see the [SPDX Specification Examples](https://github.com/spdx/spdx-spec/tree/development/v2.3.1/examples) for the latest and examples that contain all of the supported fields and formats.
+Please note that this repository does not contain all of the supported fields
+nor all of the supported serialization formats in the latest version of the
+specification.
+
+Additional version-specific examples can be found in the `examples` directory
+of each specification version:
+
+- [v3.0.1](https://github.com/spdx/spdx-spec/tree/development/v3.0.1/examples)
+- [v2.3.1](https://github.com/spdx/spdx-spec/tree/development/v2.3.1/examples)
+
+More guidance on using SPDX, including how to use SPDX license list short
+identifiers in source files and leverage SPDX for compliance with standards and
+regulations, is available in the [`spdx/using`](https://github.com/spdx/using/)
+repository.
 
 ## Licenses
 
 Copyright Contributors to the spdx-examples project.
 
-Unless otherwise specified, source code in this repository is licensed under the GNU General Public License, Version 3 or later (GPL-3.0-or-later). A copy is included in the COPYING file.
+Unless otherwise specified, source code in this repository is licensed under
+the GNU General Public License, Version 3 or later (GPL-3.0-or-later).
+A copy is included in the COPYING file.
 
-Other licenses may be specified as well for certain files for purposes of illustration or where third-party components are used.
+Other licenses may be specified as well for certain files for purposes of
+illustration or where third-party components are used.
 
-Documentation in this repository is licensed under the Creative Commons Attribution 4.0 International license (CC-BY-4.0), available at https://creativecommons.org/licenses/by/4.0/.
+Documentation in this repository is licensed under the Creative Commons
+Attribution 4.0 International license (CC-BY-4.0), available at
+<https://creativecommons.org/licenses/by/4.0/>.
 
-SPDX documents in this repository are provided under CC0 1.0 Universal (CC0-1.0), available at https://creativecommons.org/publicdomain/zero/1.0/.
+SPDX documents in this repository are provided under CC0 1.0 Universal
+(CC0-1.0), available at
+<https://creativecommons.org/publicdomain/zero/1.0/>.

ai/README.md

@@ -0,0 +1,4 @@
+# SPDX AI Profile Usage Examples
+
+This repository includes demonstrations of [SPDX documents](https://spdx.dev)
+for various examples of AI applications and models.

ai/example01/README.md

@@ -0,0 +1,11 @@
+# Example 01
+
+## Description
+
+This example illustrates a software bill of materials (BOM) for an AI
+application that employs machine learning to perform a handwritten text
+recognition task.
+
+The BOM demonstrates the structure between `AIPackage`, `DatasetPackage`, and
+(software) `Package` through relationship types such as `dependsOn`,
+`testedOn`, and `trainedOn`.