Software Package Data Exchange (SPDX)¶

SPDX is an open standard for communicating SBOM information, including components, licenses, copyright, and security references. It was initiated as a part of the Linux Foundation’s Open Compliance Program and is an official ISO-approved standard.

For full detail, please see the SPDX specification documentation.

Latest ISO Approved Version¶

SPDX 2.2 is currently the latest ISO approved version.

Latest version¶

SPDX 2.3 is the latest published version of the spec.

Upcoming¶

The upcoming SPDX model updates can be found in the SPDX 3 model GitHub repository. Profiles within SPDX v3+ are considered valid SPDX documents and there is no operational restriction on how one may choose to combine them.

SPDX Lite¶

SPDX supports a Lite version which is a a subset of the SPDX specification. The SPDX Lite profile consists of mandatory fields from the Document Creation and Package Information sections and other basic information.

Software Package Data Exchange (SPDX)¶

Latest ISO Approved Version¶

Latest version¶

Upcoming¶

SPDX Lite¶

SBOM Know How

Navigation

Related Topics