.. _spdx:

*************************************
Software Package Data Exchange (SPDX)
*************************************

SPDX is an open standard for communicating SBOM information, including components, licenses, copyright, and security references. It was initiated as a part of the Linux Foundation’s Open Compliance Program and is an official ISO-approved standard. For full details, please see the SPDX specification documentation.

Latest ISO Approved Version
###########################

SPDX 2.2 is currently the latest ISO approved version.

Latest version
##############

SPDX 2.3 is the latest published version of the spec.

Upcoming
########

The upcoming SPDX model updates can be found in the SPDX 3 model GitHub repository. Profiles within SPDX v3+ are considered valid SPDX documents and there is no operational restriction on how one may choose to combine them.

SPDX Lite
#########

SPDX supports a Lite version, which is a subset of the SPDX specification. The SPDX Lite profile consists of mandatory fields from the Document Creation and Package Information sections and other basic information.