Software Package Data Exchange (SPDX)

SPDX is an open standard for communicating SBOM information, including components, licenses, copyright, and security references. It was initiated as a part of the Linux Foundation’s Open Compliance Program and is an official ISO-approved standard.

For full detail, please see the SPDX specification documentation.

Latest ISO Approved Version

SPDX 2.2 is currently the latest ISO approved version.

Latest version

SPDX 2.3 is the latest published version of the spec.


The upcoming SPDX model updates can be found in the SPDX 3 model GitHub repository. Profiles within SPDX v3+ are considered valid SPDX documents and there is no operational restriction on how one may choose to combine them.


SPDX supports a Lite version, which is a subset of the SPDX specification. The SPDX Lite profile consists of mandatory fields from the Document Creation and Package Information sections and other basic information.
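
As an added illustration (not code from the SPDX project), the following sketch checks a parsed SPDX 2.x JSON document for the mandatory Document Creation and Package Information fields that the Lite profile builds on. The key names follow the SPDX 2.x JSON serialization and are an assumption here, since this page does not list the fields; the "other basic information" part of the profile is not checked, and the sample document is constructed.

```python
import json

# Assumption: SPDX 2.x JSON key names for mandatory Document Creation and
# Package Information fields; the page itself does not enumerate them.
DOC_FIELDS = ("spdxVersion", "dataLicense", "SPDXID", "name", "documentNamespace")
CREATION_FIELDS = ("creators", "created")
PKG_FIELDS = ("name", "SPDXID", "downloadLocation")


def _absent(obj, key):
    """True when key is missing or holds None, an empty string or an empty list."""
    return not isinstance(obj, dict) or obj.get(key) in (None, "", [])


def missing_mandatory_fields(doc):
    """Return paths of mandatory fields absent from a parsed SPDX 2.x document."""
    missing = [f for f in DOC_FIELDS if _absent(doc, f)]
    creation = doc.get("creationInfo")
    missing += [f"creationInfo.{f}" for f in CREATION_FIELDS if _absent(creation, f)]
    for i, pkg in enumerate(doc.get("packages") or []):
        missing += [f"packages[{i}].{f}" for f in PKG_FIELDS if _absent(pkg, f)]
    return missing


def check_json(text):
    """Parse SPDX JSON text and report missing mandatory fields."""
    return missing_mandatory_fields(json.loads(text))


# Constructed sample (not a real SBOM): no creation timestamp, and the second
# package has no download location.
SAMPLE_JSON = """
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-app-sbom",
  "documentNamespace": "https://example.com/spdx/example-app-1.0",
  "creationInfo": {"creators": ["Tool: example-generator"]},
  "packages": [
    {"name": "libfoo", "SPDXID": "SPDXRef-Package-libfoo", "downloadLocation": "NOASSERTION"},
    {"name": "libbar", "SPDXID": "SPDXRef-Package-libbar"}
  ]
}
"""

if __name__ == "__main__":
    for path in check_json(SAMPLE_JSON):
        print("missing:", path)
```

A check like this fits at SBOM ingestion, so that documents too sparse to identify their components are rejected before they reach vulnerability or license matching.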