add Lite profile examples

[NorioKobota]

We implemented three samples that show how to use Lite Profile.
We would appriciate your review.

[JPEWdev]

The CI with likely find many more problems once it runs. I'll admit that the output of the checks, while very through, can be difficult to interpret. If you run into trouble getting these to pass CI, let me know and I can help interpret the errors.

Overall, the structure of these documents seems fine, they just need to conform to the JSON schema and SHACL model (which is done by CI) and they should be OK

[JPEWdev]

This is the example context URL, the actual URL needs to be used now, which is:

"@context": "https://spdx.github.io/spdx-spec/v3.0/model/spdx-context.jsonld"

[JPEWdev]

http://spdx.example.com/Document/1 is not a good example spdxId. An SPDX ID needs some universally unique identifier, and SPDX has a defined URL prefix of https://spdx.org/spdxdocs/ for the case where the producer doesn't have their own domain. Thus, your spdx ID should probably look something like:

"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Document/1"

The https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/ prefix can be reused for all the other objects in this document keeping the existing scheme of appending the type and an index if you desire.

[JPEWdev]

I believe this has to be an array to validate:

"rootElement": [ "http://spdx.example.com/Sbom/1" ],

[JPEWdev]

This namespace map is not used in the document, so please remove it for clarity

[JPEWdev]

Object types are always prefixed by their namespace (e.g. profile) unless they are from core, so this needs to be:

"type": "software_Sbom",

[NorioKobota]

Thanks! I will fix them.
Just curious, why prefix these with profile names?
In particular, JSON is structured, and I personally think that it is possible to understand the context depending on which closure contains the same key value.
If there are discussions in the past, I would appreciate it if you could give me pointers.

[JPEWdev]

Property names are always prefix by their namespace (e.g. profile) unless they are from core, so this needs to be:

"software_sbomType": [ "build" ],

Also be aware that SPDX 3.0 JSON doesn't allow array eliding, so if a property has any max ordinality other than 1, it must be an array in JSON, even if it only contains one item.

[JPEWdev]

Just suppliedBy for the property name. Namespacing of properties and types is handled as described above

[no-ta]

"/Core/suppliedBy" is the description in the SPDX specification as follows.
How can I modify this, is it acceptable to remove "/Core/"?

/Core/suppliedBy
type: /Core/Agent
minCount: 0
maxCount: 1

[JPEWdev]

Yes, in this case it's just Agent, it's important to remember that the names of objects and properties in the "model" described in the SPDX 3 spec are not the same as the types and property names used in any given serialization format. The serialization formats have different rules for how to translate the model names to types and properties. The JSON rules are described in my other comments, but to be explicit, it is:

Object types and properties from the Core namespace have no prefix (e.g. /Core/Agent is Agent). Object types and properties from other namespaces are prefixed by a lower case version of the namespace + "_" (e.g. /Software/Sbom is software_Sbom, /Software/sbomType is software_sbomType).

[JPEWdev]

And to be clear, the namespace of the object type is irrelevent to the naming of properties. For example, even though this software_Sbom object is in the Software namespace, the exact same rules described above apply to all its properties, so it's just suppliedBy not core_suppliedBy, and software_sbomType not sbomType.

The reason for this is that the mapping of type names and properties is context-free (e.g. global), so it doesn't depend on which specific object the property is found in.

[no-ta]

Thank you for your clarification.
I can understand how to describe json format from the specification.

[NorioKobota]

The reason for this is that the mapping of type names and properties is context-free (e.g. global), so it doesn't depend on which specific object the property is found in.

I don’t fully understand it yet, but I understand this is the answer for this comment. #91 (comment)
Thanks.

[JPEWdev]

This document needs two things to be checked by CI:

1. It needs to have a ".json" extension instead of ".jsonld"
2. It needs to existing in a "spdx-3.0" directory

As such, I would recommend naming this file: lite/example1-with-VEX/spdx-3.0/Lite-example-1-1-with-VEX.spdx.json and naming the other examples in this PR similarly

[bact]

@NorioKobota do you mind to move all SPDX JSON files from spdx-3.0/ folder to spdx3.0/ folder please? Thank you

The current workflow is now looking for files in spdx3.0/ (to make is consistent with previous spdx2.0/).

spdx-examples/.github/workflows/pull_request.yml

Line 74 in 6a5d3a0

for f in $(find . -type f -path '*/spdx3.0/*.json'); do

[NorioKobota]

@bact Sure.
I will do it and the rest of the change request. Sorry for the late reply.
Thanks!

[bact]

Suggested change

	"type": "simpleLicensing_LicenseExpression",
	"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
	"creationInfo": "_:creationinfo",
	"simpleLicensing_licenseExpression": "GPL-2.0-only",
	"simpleLicensing_licenseListVersion": "3.23.0"
	"type": "simplelicensing_LicenseExpression",
	"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
	"creationInfo": "_:creationinfo",
	"simplelicensing_licenseExpression": "GPL-2.0-only",
	"simplelicensing_licenseListVersion": "3.23.0"

[bact]

Suggested change

	"type": "simpleLicensing_LicenseExpression",
	"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
	"creationInfo": "_:creationinfo",
	"simpleLicensing_licenseExpression": "MIT",
	"simpleLicensing_licenseListVersion": "3.23.0"
	"type": "simplelicensing_LicenseExpression",
	"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
	"creationInfo": "_:creationinfo",
	"simplelicensing_licenseExpression": "MIT",
	"simplelicensing_licenseListVersion": "3.23.0"

[bact]

Suggested change

	"type": "simpleLicensing_LicenseExpression",
	"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
	"creationInfo": "_:creationinfo",
	"simpleLicensing_licenseExpression": "MIT",
	"simpleLicensing_licenseListVersion": "3.23.0"
	"type": "simplelicensing_LicenseExpression",
	"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
	"creationInfo": "_:creationinfo",
	"simplelicensing_licenseExpression": "MIT",
	"simplelicensing_licenseListVersion": "3.23.0"

[bact]

Suggested change

	"type": "simpleLicensing_LicenseExpression",
	"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
	"creationInfo": "_:creationinfo",
	"simpleLicensing_licenseExpression": "MIT",
	"simpleLicensing_licenseListVersion": "3.23.0"
	"type": "simplelicensing_LicenseExpression",
	"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
	"creationInfo": "_:creationinfo",
	"simplelicensing_licenseExpression": "MIT",
	"simplelicensing_licenseListVersion": "3.23.0"

[NorioKobota]

@bact
I believe I have fixed everything except dataLicense, could you please review it?
Also, is there an example of how to write dataLicense somewhere?

[bact]

Thank you. Few minor changes suggested. After this I think we are good to go.

[NorioKobota]

Thank you so much for the review.
I confirmed and committed your suggestions.

[bact]

Thank you @NorioKobota and @no-ta . I think it's pretty much all good.

Now we need a maintainer to approve the validation workflow - to let it pass the validation before merge.

(Note that I have removed all my suggestions that are already resolved, since they are too long, to make this PR easier to read)

[bact]

@zvr @goneall if you have some time to approve the workflow (for PR validation ), thank you.

[NorioKobota]

@bact Ah, sorry.
#91 (comment)
I believe I have fixed everything **except dataLicense**.
Could someone teach me how to implement?

[bact]

As there were changes in validation workflow/dependencies in April 2025 (and probably also after that), we may like to rerun the check to see if it pass now.