{"id":18935893,"url":"https://github.com/spdx/tools-python","last_synced_at":"2026-03-13T11:01:52.349Z","repository":{"id":29229273,"uuid":"32761058","full_name":"spdx/tools-python","owner":"spdx","description":"A Python library to parse, validate and create SPDX documents.","archived":false,"fork":false,"pushed_at":"2026-01-16T08:17:38.000Z","size":3585,"stargazers_count":236,"open_issues_count":88,"forks_count":151,"subscribers_count":21,"default_branch":"main","last_synced_at":"2026-02-16T00:58:37.680Z","etag":null,"topics":["licensing","parsing","python","rdf","spdx"],"latest_commit_sha":null,"homepage":"http://spdx.org","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/spdx.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2015-03-23T21:54:39.000Z","updated_at":"2026-02-13T13:25:32.000Z","dependencies_parsed_at":"2024-02-15T18:32:05.087Z","dependency_job_id":"4c1e6b40-0a0c-4d98-b8a8-3c4274993774","html_url":"https://github.com/spdx/tools-python","commit_stats":{"total_commits":602,"total_committers":50,"mean_commits":12.04,"dds":0.7059800664451827,"last_synced_commit":"613982b7a66c0a3dd6fe58366359e17d2d99884e"},"previous_names":[],"tags_count":29,"template":false,"template_full_name":null,"purl":"pkg:github/spdx/tools-python","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spdx%2Ftools-python","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spdx%2Ftools-python/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spdx%2Ftools-python/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spdx%2Ftools-python/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/spdx","download_url":"https://codeload.github.com/spdx/tools-python/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spdx%2Ftools-python/sbom","scorecard":{"id":840783,"data":{"date":"2025-08-11","repo":{"name":"github.com/spdx/tools-python","commit":"b7f9a3defe8b0af1414cd75f1447ec242428f1d0"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5,"checks":[{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":7,"reason":"4 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 7","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/prepare_release.yml:15","Warn: no topLevel permission defined: .github/workflows/check_codestyle.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/docs.yml:12","Warn: no topLevel permission defined: .github/workflows/install_and_test.yml:1","Warn: no topLevel permission defined: .github/workflows/integration_test.yml:1","Warn: no topLevel permission defined: .github/workflows/prepare_release.yml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.8.3 not signed: https://api.github.com/repos/spdx/tools-python/releases/177237009","Warn: release artifact v0.8.2 not signed: https://api.github.com/repos/spdx/tools-python/releases/124809177","Warn: release artifact v0.8.1 not signed: https://api.github.com/repos/spdx/tools-python/releases/118533479","Warn: release artifact v0.8.0 not signed: https://api.github.com/repos/spdx/tools-python/releases/113444163","Warn: release artifact v0.8.0rc3 not signed: https://api.github.com/repos/spdx/tools-python/releases/112925040","Warn: release artifact v0.8.3 does not have provenance: https://api.github.com/repos/spdx/tools-python/releases/177237009","Warn: release artifact v0.8.2 does not have provenance: https://api.github.com/repos/spdx/tools-python/releases/124809177","Warn: release artifact v0.8.1 does not have provenance: https://api.github.com/repos/spdx/tools-python/releases/118533479","Warn: release artifact v0.8.0 does not have provenance: https://api.github.com/repos/spdx/tools-python/releases/113444163","Warn: release artifact v0.8.0rc3 does not have provenance: https://api.github.com/repos/spdx/tools-python/releases/112925040"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/check_codestyle.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/spdx/tools-python/check_codestyle.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/check_codestyle.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/spdx/tools-python/check_codestyle.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/spdx/tools-python/docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/spdx/tools-python/docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/spdx/tools-python/docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/spdx/tools-python/docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/install_and_test.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/spdx/tools-python/install_and_test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/install_and_test.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/spdx/tools-python/install_and_test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration_test.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/spdx/tools-python/integration_test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration_test.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/spdx/tools-python/integration_test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/integration_test.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/spdx/tools-python/integration_test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/prepare_release.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/spdx/tools-python/prepare_release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/prepare_release.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/spdx/tools-python/prepare_release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/prepare_release.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/spdx/tools-python/prepare_release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/prepare_release.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/spdx/tools-python/prepare_release.yml/main?enable=pin","Warn: pipCommand not pinned by hash: .github/workflows/check_codestyle.yml:33","Warn: pipCommand not pinned by hash: .github/workflows/docs.yml:26","Warn: pipCommand not pinned by hash: .github/workflows/docs.yml:27","Warn: pipCommand not pinned by hash: .github/workflows/install_and_test.yml:30","Warn: pipCommand not pinned by hash: .github/workflows/install_and_test.yml:31","Warn: pipCommand not pinned by hash: .github/workflows/install_and_test.yml:34","Warn: pipCommand not pinned by hash: .github/workflows/install_and_test.yml:35","Warn: pipCommand not pinned by hash: .github/workflows/install_and_test.yml:36","Warn: pipCommand not pinned by hash: .github/workflows/install_and_test.yml:37","Warn: pipCommand not pinned by hash: .github/workflows/integration_test.yml:22","Warn: pipCommand not pinned by hash: .github/workflows/integration_test.yml:23","Warn: pipCommand not pinned by hash: .github/workflows/prepare_release.yml:25","Warn: pipCommand not pinned by hash: .github/workflows/prepare_release.yml:26","Warn: pipCommand not pinned by hash: .github/workflows/prepare_release.yml:27","Info:   0 out of  12 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies pinned","Info:   2 out of  16 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-23T20:25:36.181Z","repository_id":29229273,"created_at":"2025-08-23T20:25:36.181Z","updated_at":"2025-08-23T20:25:36.181Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30466310,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-13T11:00:43.441Z","status":"ssl_error","status_checked_at":"2026-03-13T11:00:23.173Z","response_time":60,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["licensing","parsing","python","rdf","spdx"],"created_at":"2024-11-08T12:02:22.642Z","updated_at":"2026-03-13T11:01:52.301Z","avatar_url":"https://github.com/spdx.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# Python library to parse, validate and create SPDX documents\n\nCI status (Linux, macOS and Windows): [![Install and Test][1]][2]\n\n[1]: https://github.com/spdx/tools-python/actions/workflows/install_and_test.yml/badge.svg\n[2]: https://github.com/spdx/tools-python/actions/workflows/install_and_test.yml\n\n## Breaking changes v0.7 -\u003e v0.8\n\nPlease be aware that the upcoming 0.8 release has undergone a significant refactoring in preparation for the upcoming\nSPDX v3.0 release, leading to breaking changes in the API.\nPlease refer to the [migration guide](https://github.com/spdx/tools-python/wiki/How-to-migrate-from-0.7-to-0.8)\nto update your existing code.\n\nThe main features of v0.8 are:\n\n- full validation of SPDX documents against the v2.2 and v2.3 specification\n- support for SPDX's RDF format with all v2.3 features\n- experimental support for the upcoming SPDX v3 specification. Note, however, that support is neither complete nor\n  stable at this point, as the spec is still evolving. SPDX3-related code is contained in a separate subpackage \"spdx3\"\n  and its use is optional. We do not recommend using it in production code yet.\n\nNote that v0.8 only supports **writing**, not **reading** SPDX 3.0 documents.\nSee [#760](https://github.com/spdx/tools-python/issues/760) for details.\n\n## Information\n\nThis library implements SPDX parsers, convertors, validators and handlers in Python.\n\n- Home: \u003chttps://github.com/spdx/tools-python\u003e\n- Issues: \u003chttps://github.com/spdx/tools-python/issues\u003e\n- PyPI: \u003chttps://pypi.python.org/pypi/spdx-tools\u003e\n- Browse the API: \u003chttps://spdx.github.io/tools-python\u003e\n\nImportant updates regarding this library are shared via\nthe SPDX tech mailing list: \u003chttps://lists.spdx.org/g/Spdx-tech\u003e.\n\n## License\n\n[Apache-2.0](LICENSE)\n\n## Features\n\n- API to create and manipulate SPDX v2.2 and v2.3 documents\n- Parse, convert, create and validate SPDX files\n- Supported formats: Tag/Value, RDF, JSON, YAML, XML\n- Visualize the structure of a SPDX document by creating an `AGraph`.\n  Note: This is an optional feature and requires\n  additional installation of optional dependencies\n\n## Experimental support for SPDX 3.0\n\n- Create v3.0 elements and payloads\n- Convert v2.2/v2.3 documents to v3.0\n- Serialize to JSON-LD\n\nSee [Quickstart to SPDX 3.0](#quickstart-to-spdx-30) below.\nThe implementation is based on the descriptive Markdown files in the repository\n\u003chttps://github.com/spdx/spdx-3-model\u003e\n(commit: a5372a3c145dbdfc1381fc1f791c68889aafc7ff).\nThe latest SPDX 3.0 model is available at\n\u003chttps://spdx.github.io/spdx-spec/v3.0/serializations/\u003e.\n\n## Installation\n\nAs always you should work in a virtualenv (venv). You can install a local clone\nof this repo with `yourenv/bin/pip install .` or install it from PyPI\n(check for the [newest release](https://pypi.org/project/spdx-tools/#history) and install it like\n`yourenv/bin/pip install spdx-tools==0.8.3`). Note that on Windows it would be `Scripts`\ninstead of `bin`.\n\n## How to use\n\n### Command-line usage\n\n1. **PARSING/VALIDATING** (for parsing any format):\n\n    - Use `pyspdxtools -i \u003cfilename\u003e` where `\u003cfilename\u003e` is the location of the file. The input format is inferred automatically from the file ending.\n\n    - If you are using a source distribution, try running:\n      `pyspdxtools -i tests/spdx/data/SPDXJSONExample-v2.3.spdx.json`\n\n2. **CONVERTING** (for converting one format to another):\n\n    - Use `pyspdxtools -i \u003cinput_file\u003e -o \u003coutput_file\u003e` where `\u003cinput_file\u003e` is the location of the file to be converted\n      and `\u003coutput_file\u003e` is the location of the output file. The input and output formats are inferred automatically from the file endings.\n\n    - If you are using a source distribution, try running:\n      `pyspdxtools -i tests/spdx/data/SPDXJSONExample-v2.3.spdx.json -o output.tag`\n\n    - If you want to skip the validation process, provide the `--novalidation` flag, like so:\n      `pyspdxtools -i tests/spdx/data/SPDXJSONExample-v2.3.spdx.json -o output.tag --novalidation`\n  (use this with caution: note that undetected invalid documents may lead to unexpected behavior of the tool)\n\n    - For help use `pyspdxtools --help`\n\n3. **GRAPH GENERATION** (optional feature)\n\n    - This feature generates a graph representing all elements in the SPDX document and their connections based on the provided\n      relationships. The graph can be rendered to a picture. Below is an example for the file `tests/spdx/data/SPDXJSONExample-v2.3.spdx.json`:\n      ![SPDXJSONExample-v2.3.spdx.png](assets/SPDXJSONExample-v2.3.spdx.png)\n\n    - Make sure you install the optional dependencies `networkx` and `pygraphviz`. To do so run `pip install \".[graph_generation]\"`.\n    - Use `pyspdxtools -i \u003cinput_file\u003e --graph -o \u003coutput_file\u003e` where `\u003coutput_file\u003e` is an output file name with valid format for `pygraphviz` (check\n      the documentation [here](https://pygraphviz.github.io/documentation/stable/reference/agraph.html#pygraphviz.AGraph.draw)).\n    - If you are using a source distribution, try running\n      `pyspdxtools -i tests/spdx/data/SPDXJSONExample-v2.3.spdx.json --graph -o SPDXJSONExample-v2.3.spdx.png` to generate\n      a png with an overview of the structure of the example file.\n\n### Library usage\n\n1. **DATA MODEL**\n\n    - The `spdx_tools.spdx.model` package constitutes the internal SPDX v2.3 data model (v2.2 is simply a subset of this). All relevant classes for SPDX document creation are exposed in the `__init__.py` found [here](src%2Fspdx_tools%2Fspdx%2Fmodel%2F__init__.py).\n    - SPDX objects are implemented via `@dataclass_with_properties`, a custom extension of `@dataclass`.\n    - Each class starts with a list of its properties and their possible types. When no default value is provided, the property is mandatory and must be set during initialization.\n    - Using the type hints, type checking is enforced when initializing a new instance or setting/getting a property on an instance\n      (wrong types will raise `ConstructorTypeError` or `TypeError`, respectively). This makes it easy to catch invalid properties early and only construct valid documents.\n    - Note: in-place manipulations like `list.append(item)` will circumvent the type checking (a `TypeError` will still be raised when reading `list` again). We recommend using `list = list + [item]` instead.\n    - The main entry point of an SPDX document is the `Document` class from the [document.py](src%2Fspdx_tools%2Fspdx%2Fmodel%2Fdocument.py) module, which links to all other classes.\n    - For license handling, the [license_expression](https://github.com/nexB/license-expression) library is used.\n    - Note on `documentDescribes` and `hasFiles`: These fields will be converted to relationships in the internal data model. As they are deprecated, these fields will not be written in the output.\n\n2. **PARSING**\n\n    - Use `parse_file(file_name)` from the `parse_anything.py` module to parse an arbitrary file with one of the supported file endings.\n    - Successful parsing will return a `Document` instance. Unsuccessful parsing will raise `SPDXParsingError` with a list of all encountered problems.\n\n3. **VALIDATING**\n\n    - Use `validate_full_spdx_document(document)` to validate an instance of the `Document` class.\n    - This will return a list of `ValidationMessage` objects, each consisting of a String describing the invalidity and a `ValidationContext` to pinpoint the source of the validation error.\n    - Validation depends on the SPDX version of the document. Note that only versions `SPDX-2.2` and `SPDX-2.3` are supported by this tool.\n\n4. **WRITING**\n\n    - Use `write_file(document, file_name)` from the `write_anything.py` module to write a `Document` instance to the specified file.\n    The serialization format is determined from the filename ending.\n    - Validation is performed per default prior to the writing process, which is cancelled if the document is invalid. You can skip the validation via `write_file(document, file_name, validate=False)`.\n    Caution: Only valid documents can be serialized reliably; serialization of invalid documents is not supported.\n\n### Example\n\nHere are some examples of possible use cases to quickly get you started with the spdx-tools.\nIf you want more examples, like how to create an SPDX document from scratch, have a look [at the examples folder](examples).\n\n```python\nimport logging\n\nfrom license_expression import get_spdx_licensing\n\nfrom spdx_tools.spdx.model import (Checksum, ChecksumAlgorithm, File,\n                                   FileType, Relationship, RelationshipType)\nfrom spdx_tools.spdx.parser.parse_anything import parse_file\nfrom spdx_tools.spdx.validation.document_validator import validate_full_spdx_document\nfrom spdx_tools.spdx.writer.write_anything import write_file\n\n# read in an SPDX document from a file\ndocument = parse_file(\"spdx_document.json\")\n\n# change the document's name\ndocument.creation_info.name = \"new document name\"\n\n# define a file and a DESCRIBES relationship between the file and the document\nchecksum = Checksum(ChecksumAlgorithm.SHA1, \"71c4025dd9897b364f3ebbb42c484ff43d00791c\")\n\nfile = File(name=\"./fileName.py\", spdx_id=\"SPDXRef-File\", checksums=[checksum],\n            file_types=[FileType.TEXT],\n            license_concluded=get_spdx_licensing().parse(\"MIT and GPL-2.0\"),\n            license_comment=\"licenseComment\", copyright_text=\"copyrightText\")\n\nrelationship = Relationship(\"SPDXRef-DOCUMENT\", RelationshipType.DESCRIBES, \"SPDXRef-File\")\n\n# add the file and the relationship to the document\n# (note that we do not use \"document.files.append(file)\" as that would circumvent the type checking)\ndocument.files = document.files + [file]\ndocument.relationships = document.relationships + [relationship]\n\n# validate the edited document and log the validation messages\n# (depending on your use case, you might also want to utilize the validation_message.context)\nvalidation_messages = validate_full_spdx_document(document)\nfor validation_message in validation_messages:\n    logging.warning(validation_message.validation_message)\n\n# if there are no validation messages, the document is valid\n# and we can safely serialize it without validating again\nif not validation_messages:\n    write_file(document, \"new_spdx_document.rdf\", validate=False)\n```\n\n## Quickstart to SPDX 3.0\n\nIn contrast to SPDX v2, all elements are now subclasses of the central `Element` class.\nThis includes packages, files, snippets, relationships, annotations, but also SBOMs, SpdxDocuments, and more.\nFor serialization purposes, all Elements that are to be serialized into the same file are collected in a `Payload`.\nThis is just a dictionary that maps each Element's SpdxId to itself.\nUse the `write_payload()` functions to serialize a payload.\nThere currently are two options:\n\n- The `spdx_tools.spdx3.writer.json_ld.json_ld_writer` module generates a JSON-LD file of the payload.\n- The `spdx_tools.spdx3.writer.console.payload_writer` module prints a debug output to console. Note that this is not an official part of the SPDX specification and will probably be dropped as soon as a better standard emerges.\n\nYou can convert an SPDX v2 document to v3 via the `spdx_tools.spdx3.bump_from_spdx2.spdx_document` module.\nThe `bump_spdx_document()` function will return a payload containing an `SpdxDocument` Element and one Element for each package, file, snippet, relationship, or annotation contained in the v2 document.\n\n## Dependencies\n\n- PyYAML: \u003chttps://pypi.org/project/PyYAML/\u003e for handling YAML.\n- xmltodict: \u003chttps://pypi.org/project/xmltodict/\u003e for handling XML.\n- rdflib: \u003chttps://pypi.python.org/pypi/rdflib/\u003e for handling RDF.\n- ply: \u003chttps://pypi.org/project/ply/\u003e for handling tag-value.\n- click: \u003chttps://pypi.org/project/click/\u003e for creating the CLI interface.\n- beartype: \u003chttps://pypi.org/project/beartype/\u003e for type checking.\n- uritools: \u003chttps://pypi.org/project/uritools/\u003e for validation of URIs.\n- license-expression: \u003chttps://pypi.org/project/license-expression/\u003e for handling SPDX license expressions.\n\n## Support\n\n- Submit issues, questions or feedback at \u003chttps://github.com/spdx/tools-python/issues\u003e\n- Join the chat at \u003chttps://gitter.im/spdx-org/Lobby\u003e\n- Join the discussion on \u003chttps://lists.spdx.org/g/spdx-tech\u003e and\n  \u003chttps://spdx.dev/participate/tech/\u003e\n\n## Contributing\n\nContributions are very welcome! See [CONTRIBUTING.md](./CONTRIBUTING.md) for instructions on how to contribute to the\ncodebase.\n\n## History\n\nThis is the result of an initial GSoC contribution by @[ah450](https://github.com/ah450)\n(or \u003chttps://github.com/a-h-i\u003e) and is maintained by a community of SPDX adopters and enthusiasts.\nIn order to prepare for the release of SPDX v3.0, the repository has undergone a major refactoring during the time from 11/2022 to 07/2023.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspdx%2Ftools-python","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspdx%2Ftools-python","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspdx%2Ftools-python/lists"}