SPDX is an open standard for communicating software bill of material information, including provenance, license, security, and other related information. SPDX reduces redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability. The SPDX specification is recognized as the international open standard for security, license compliance, and other software supply chain artifacts as ISO/IEC 5962:2021.
The mission of SPDX is to develop and promote open standards for communicating software bill of material information, including provenance, license, security, and other related information.
The vision of SPDX is to reduce redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability.
SPDX is an open source project hosted by the Linux Foundation. The grass-roots effort includes representatives from a diverse set of organizations—software, systems and tool vendors, foundations and systems integrators. Work is done by three sub-groups: the tech team, the legal team, and the outreach team. There is also a monthly general call which provides an overview of progress on the entire project. For more information about getting involved, see the Participate page.
The SPDX project is composed of:
- The SPDX Specification itself
- The SPDX License List (including exceptions, matching guidelines, license IDs, and license expression syntax)
- SPDX tools and libraries for working with the SPDX documents and SPDX License List
- SPDX represents data in formats that are both machine- and human-readable.
- SPDX focuses on collecting and communicating facts, and provides a framework for making assertions about those facts.
- SPDX makes no legal interpretations (of licenses or license compliance).
- SPDX facilitates the efficient exchange of metadata in the supply chain.
SPDX Continuously Improves
- 2010/02 — specification drafting began in a FOSSBazaar work-group under the Linux Foundation; the effort, originally referred to as Package Facts, came to be called “SPDX.”
- 2010/08 — “SPDX” announced as one of the pillars of the Linux Foundation’s Open Compliance Program.
- 2011/08 — SPDX 1.0 specification handles packages.
- 2012/08 — SPDX 1.1 specification fixed a flaw in the verification algorithm.
- 2013/10 — SPDX 1.2 specification improved interaction with the license list and added fields for documenting project info.
- 2015/05 — SPDX 2.0 specification added ability to handle multiple packages, relationships between packages and files, annotations.
- 2016/08 — SPDX 2.1 specification added snippets, support for associating packages with external reference sources of information about packages, using SPDX License identifiers in files.
- 2019/06 — SPDX 2.1.1 — the specification was converted from Google Docs to a GitHub repository.
- 2020/05 — SPDX 2.2 includes SPDX-lite, satisfying the NTIA minimum SBOM element requirements.
- 2020/08 — SPDX 2.2.1 prepared for submission to ISO.
- 2021/02 — CISQ Tool-to-Tool SBOM effort (3T SBOM) merged with the SPDX 3.0 effort; the Linux Foundation re-chartered SPDX with more formal governance and IP policies, and agreed to have the OMG AB approve the model and then jointly submit it to ISO Fast PAS.
- 2021/08 — ISO/IEC 5962 available.
- 2022/08 — SPDX 2.3 published to improve interoperability with other formats.
- 2023/Q2 — SPDX 3.0 release candidate and prototyping in progress.
- 2023/05 — SPDX 3.0-rc1 candidate with new Security, Build, Data and AI profiles released.