ilans

Results: 21 issues by ilans

From [ContentIdentifier](https://spdx.github.io/spdx-spec/v3.0.1/model/Software/Classes/ContentIdentifier/):

> [implicit] The contentIdentifierValue must match the selected contentIdentifierType.

Suggested SHACL shapes:

```ttl
@prefix sh: .
@prefix spdxcore: .
@prefix spdxsw: .
@prefix spdxswcontid: .
spdxcore:ContentIdentifierValueShape a sh:NodeShape...
```

Profile:Core
Profile:Software
RDF/OWL/SHACL

From [Relationship](https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Classes/Relationship/):

> To explicitly assert that no such relationships exist, the to property should contain the NoneElement individual and no other elements.

Suggested SHACL shapes:

```ttl
@prefix sh: ....
```

Profile:Core
RDF/OWL/SHACL

From [packageVerificationCodeExcludedFile](https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Properties/packageVerificationCodeExcludedFile/):

> Every filename is preceded with a ./

Suggested SHACL shapes:

```ttl
@prefix xsd: .
@prefix sh: .
@prefix spdxcore: .
spdxcore:PackageVerificationCodeExcludedFileShape a sh:PropertyShape ;
    sh:targetSubjectsOf spdxcore:packageVerificationCodeExcludedFile ;...
```

Profile:Core
RDF/OWL/SHACL

From [DictionaryEntry](https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Classes/DictionaryEntry/):

> To implement a dictionary, this class is to be used in a collection with unique keys.

Suggested SHACL shapes:

```ttl
@prefix sh: .
@prefix spdxbuild: .
spdxbuild:Build...
```

Profile:Core
RDF/OWL/SHACL

In `Build` class:

> `ExternalIdentifier` of type "urlScheme" may be used to identify build logs. In this case, the comment of the `ExternalIdentifier` should be "LogReference".

What's "LogReference"?

Profile:Build

From [PositiveIntegerRange](https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Classes/PositiveIntegerRange/):

> "beginIntegerRange" must be less than or equal to "endIntegerRange"

Suggested SHACL shapes:

```ttl
@prefix sh: .
@prefix xsd: .
@prefix spdxcore: .
spdxcore:PositiveIntegerRange
    sh:property [
        sh:path spdxcore:beginIntegerRange...
```

Profile:Core
Profile:Software
RDF/OWL/SHACL

In [VexNotAffectedVulnAssessmentRelationship](https://spdx.github.io/spdx-spec/v3.0.1/model/Security/Classes/VexNotAffectedVulnAssessmentRelationship/):

> Both impactStatement and justificationType properties have a cardinality of 0..1 making them optional. Nevertheless, to produce a valid VEX not_affected statement, one of them MUST be defined....

Profile:Security
RDF/OWL/SHACL
relationship

The Licensing profile states that:

> If the hasConcludedLicense for a Software Artifact is not the same as its hasDeclaredLicense, a written explanation SHOULD be provided in the hasConcludedLicense relationship...

Profile:Licensing

From /Security/exploited: "This field is set when a CVE is listed in an exploit catalog." But it is mandatory in `ExploitCatalogVulnAssessmentRelationship` together with `catalogType` and `locator`. So isn’t it always...

Profile:Security
RDF/OWL/SHACL

**From [SpdxDocument](https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Classes/SpdxDocument/):**

> Any instance of serialization of SPDX data MUST NOT contain more than one SpdxDocument element definition.

**Suggested rule**:

```ttl
[ a sh:NodeShape ;
  sh:targetNode ;
  sh:property [...
```

Profile:Core
RDF/OWL/SHACL