SPDX Software Bill of Materials
spdx.org
About this website
SPDX (Software Package Data Exchange) is an open standard for communicating software bill of materials (SBOM) information, including components, licenses, copyrights, security references, and other metadata about software packages. Maintained by the Linux Foundation's SPDX Project since 2011, SPDX became an ISO/IEC standard (ISO/IEC 5962:2021) and is recognized as a key compliance tool by the US National Telecommunications and Information Administration (NTIA) and the EU Cyber Resilience Act.

Key features include:

- Standardized format: JSON, YAML, RDF, tag-value, and XLSX formats for representing SBOM data with consistent fields and relationships.
- Component identification: unique identifiers for packages, including Package URL (PURL), Software Heritage identifiers, CPE, and SWID tags.
- License expression: the full SPDX License List with over 600 standardized license identifiers, plus a license expression syntax for complex licensing using AND, OR, and WITH exceptions.
- Relationship modeling: documenting dependencies, file-to-package relationships, snippets, and cross-references between SBOM documents.
- Checksums and hashes: SHA-1, SHA-256, and MD5 hashes for integrity verification of files and packages.
- Provenance information: supplier, originator, download location, and verification codes for supply chain traceability.
- Annotation and review: reviewer comments, annotation types, and timestamped annotations for collaborative SBOM review.
- Versioning: specification versioning with backward compatibility and deprecation policies.
- Tooling ecosystem: open-source tools including SPDX Tools Java, spdx-tools-python, bom, syft, and trivy for generating, validating, and converting SBOMs.
- Compliance use cases: open-source license compliance, security vulnerability tracking, M&A due diligence, and regulatory compliance with executive orders and cyber resilience legislation.