SBOM Starter Kit: Get Your Copy
SPDX (System Packet Data Exchange, formerly Software Packet Data Exchange) is an open standard for conveying SBOM (software bill of materials) data. It can be used to communicate metadata related to software packages, files, and snippets (or a combination of these elements).
SPDX is one of two full-stack SBOM formats (CycloneDX is the other) approved in the U.S. federal government’s May 2021 cybersecurity executive order. Additionally, in September 2021, SPDX was published as ISO/IEC 5962:2021, making it an internationally recognized SBOM standard. These factors, along with a global increase in SBOM adoption, have made SPDX an increasingly important and valuable tool in helping organizations understand and manage their software supply chains.
The current version of SPDX is 3.0; it was published in April, 2024. This followed the release of SPDX 2.3 in August, 2022. Although SPDX was originally created to primarily serve open source license compliance use cases, it now supports a wide variety of purposes related to security, regulatory compliance, license compliance, and beyond. SPDX documents can also be created in a wide variety of file formats, including JSON and YAML.
In this guide, we’ll provide an overview of SPDX, including top use cases, document structure, the latest version of the specification, and generating SPDX SBOMs.
In February 2010, a Linux Foundation working group (FOSSBazaar) began working on the first version of SPDX, though, at the time, the project was titled “Package Facts.” A few months later, in August 2010, the Linux Foundation announced that SPDX would be one of the pillars of its Open Compliance Program.
The first version of the SPDX specification (SPDX 1.0) was released in August 2011. The subsequent SPDX 1.1 (August 2012) and SPDX 1.2 (October 2013) addressed an issue with the specification’s verification algorithm and added support for additional data fields (such as author credits and project homepage).
Next came SPDX 2.0, which was released in May 2015. This was a significant update to the specification and included support for annotations, package-file relationships, and the ability to handle multiple packages.
SPDX added significant security utility in 2016 with the release of SPDX 2.1 and support for external references, such as to security advisories and vulnerability feeds. SPDX 2.2 (published in 2020) introduced SPDX Lite (a subset of the specification with mandatory document creation and package information as well as certain other licensing data fields) and added several new supported file formats. The current 2.3 (published in August 2022) added more external reference types (to strengthen the security use case) and improved ease of use by making certain previously mandatory licensing properties optional, among other changes.
The next version of SPDX will be 3.0. The publication date is still to be determined, but, in May 2023, SPDX announced the Release Candidate for the model. The most impactful innovation in SPDX 3.0 is that it will expand on the concept of “Profiles,” which are, essentially, condensed versions of the format intended for specific use cases. SPDX Lite is an example of an existing profile; SPDX 3.0 will separate licensing and security into separate profiles and introduce additional profiles for AI, data, and software build information.
SPDX can be used to describe several types of software components: packages, files, and code snippets. The specification includes a wide variety of data fields for each type of component, including name, copyright information, licensing information, and many others. SPDX documents can also be created in a broad range of file formats: .xlsx spreadsheets, YAML, JSON, RDF, XML, and tag:value. (SPDX describes tag:value as a “flat text file,” and it’s a registered MIME type.)
With that said, regulatory compliance is obviously a common SPDX use case, so let's explore the NTIA's SBOM minimum required elements and how those map to SPDX data fields. (Note that the NTIA’s minimum elements are only required for organizations selling into the U.S. federal government and/or going through the FDA premarket review process, but they do tend to be included in most SBOMs.)
Author of SBOM Data: This maps to SPDX’s “createdBy” data field (in the "Core/CreationInfo” class).
Timestamp: This maps to SPDX’s “created” data field (in the "Core/CreationInfo” class).
Supplier Name: Which person or organization supplied the package to the producer. This should be an individual or entity rather than a host website. “Supplier Name” maps to SPDX’s “suppliedBy” data field (in the Core/Artifact class).
Component Name: This maps to SPDX’s “name” data field (in the Software/Packages class).
Version of the Component: This maps to SPDX’s “packageVersion” data field (in the Software/Packages class).
Other Unique Identifiers: This can potentially map to several SPDX fields, but "packageUrl" (in the Software/Packages class) may be the most applicable/commonly used.
Dependency Relationship: This is used to describe the relationship between different elements, such as one being a dependency of another (or one containing another). This maps to SPDX’s “Relationship” class in the "Core" namepsace.
Today, SPDX has multiple important use cases, including security, open source license compliance, software transparency and maintainability, and regulatory compliance. As mentioned, when selling into the federal government, software suppliers are required to produce an SBOM in a human- and machine-readable format (like SPDX) to accompany each product.
Here, we’ll briefly explore two of the most popular SPDX use cases: security and open source license compliance.
SPDX began directly supporting the security use case in 2016 with the release of v2.1. This version of the spec added “External References,” which offer the ability to link to external security information. With the release of v3.0, SPDX supports both embedding security information directly in the SBOM and linking to external references.
Specifically, SPDX 3.0 supports vulnerability data fields like EPSS score, CVSS score, SSVC, VEX status justifications, and more. It also enables you to link to external documents like SWID and CPE (using the "ExternalIdentifiers") field and other references like CWEs, security advisories, vulnerability disclosure reports, and more (using the "External References" field).
License compliance has been an SPDX use case since the standard was created over a decade ago, and it remains the case today. The specification has several data fields that can be used to communicate licensing information. This includes “copyright text” (to identify the component’s copyright holder and any applicable dates) and “package attribution text” to provide other required acknowledgements.
There are also “concluded” and “declared” license fields, which differ in the following ways:
Declared license: The license(s) stated by the component author (i.e. file author or package author)
Concluded license: The license as determined by the SPDX document creator (or, in many cases, a scanning tool that document creator uses). The concluded license can differ from the declared license for any number of reasons, including the possibility that the component author mistakenly assigned a permissive license when they should have assigned a copyleft license. If the concluded and declared licenses don’t match, there’s another field (“Comments on license”) where the SBOM creator can add context or an explanation.
SPDX 3.0 introduced the concept of use case-specific profiles. These allow software producers to create SBOMs that are simpler and more tailored for their specific use case(s). As you might expect, security and open source license compliance are two of these profiles. The other three are:
There are multiple ways to generate an SPDX SBOM, but we recommend organizations do so during the build process. Creating your SBOM during the build will generally result in a more accurate component inventory.
With FOSSA, you can easily generate an SPDX SBOM in the JSON or tag:value file formats. Here’s how:
Step 1: Get started by creating a free FOSSA account.
Step 2: Import your project(s) by integrating with a VCS like GitHub or using our CLI
Step 1: Click on “Projects” in the header menu
Step 2: Select the Project for your SBOM
Step 3: Click on the “Generate a Compliance Report” button in the “Actions” menu
Step 4: Check the box for your preferred SPDX export format
Step 5: Decide which elements to include in your report — you can do this by checking (or unchecking) boxes in the “Customize Report Information” and “Edit Dependency Info” menus.
Step 6: Generate your report — either download a copy to distribute yourself, or create a public link for your file
To generate an SPDX SBOM from the FOSSA CLI, you’ll need to run an additional report command after analyzing your project. For example:
export FOSSA_API_KEY=XXXXXXXX (needs to be a full API key)
fossa analyze && fossa report attribution --format spdx > file.json
In addition to SPDX, FOSSA supports CycloneDX and several other SBOM formats. For more information (or to access our full suite of SBOM features with a paid account), please reach out to our team.