The Linux Foundation Projects
System Package Data Exchange (SPDX®)

An open standard for describing SBOMs (Software Bills of Materials) and communicating the data of a release: name, version, components, licenses, copyrights, and useful security references. As a common format, SPDX reduces redundant work in sharing important release data, thereby streamlining distribution and compliance.

The SPDX specification is a freely available international open standard (ISO/IEC 5692:2021).

Learn

Learn more about the structure of SPDX and how to participate.

Use

Explore the ways that you can engage with SPDX.

Tools

SPDX workgroup tools and others you can use.

Areas of Interest

SPDX is organized in areas of interest or profiles focused on specific user needs.

Latest SPDX News

Nov 6, 2023

Capturing Software Vulnerability Data in SPDX 3.0

The flexibility of SPDX 3.0 allows users to either link SBOMs to external security vulnerability data or to embed security vulnerability information in the SPDX 3.0 data format, thanks to support for a security-specific profile. This is different from SPDX version 2, which enabled users to link an SBOM to…

Oct 9, 2023

Understanding SPDX Profiles

On the surface, profiles are pretty straightforward - they are a way of organizing a specification that covers a broad array of use cases into “profiles” more specific to what a particular producer or consumer of SPDX data may be interested in.
