The open encyclopedia for Software Bill of Materials
The Software Package Data Exchange standard has undergone a major revision. Learn what changed in the data model, new profile support, and how to migrate existing SPDX 2.3 documents to the latest specification.
A practical comparison of the two most popular open-source SBOM generators.
What the Cybersecurity and Infrastructure Security Agency expects from federal suppliers.
From generation to consumption: managing SBOMs across the software supply chain.
Quick-reference guide to every field in the CycloneDX 1.6 specification.
The two dominant SBOM formats serve different ecosystems. Choose based on your compliance requirements and toolchain.
ISO/IEC 5962:2021 standard maintained by the Linux Foundation. Focused on license compliance and provenance tracking.
OWASP-maintained standard optimized for security use cases, vulnerability tracking, and software composition analysis.
SPDX is an open standard for communicating software bill of materials information, including provenance, licensing, and security references. Maintained by the Linux Foundation, it has become an ISO standard (ISO/IEC 5962:2021) and is widely adopted across the software supply chain.
SPDX documents can be represented in multiple formats including JSON, RDF/XML, Tag-Value, and YAML.
SPDX originated in 2010 as a Linux Foundation project to standardize how software package metadata, including licensing information, is shared. The specification reached version 2.0 in 2015 and was accepted as an ISO standard in August 2021. Version 3.0, released in 2024, introduced a profile-based architecture supporting Security, Licensing, Build, AI, and Dataset profiles.
An SPDX document consists of a creation information section, package information, file information, snippet information, and relationship descriptions. The 3.0 model introduces Elements, Artifacts, and Relationships as core abstractions, allowing extensible profiles to add domain-specific metadata.
SPDXVersion: SPDX-3.0
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-sbom
DocumentNamespace: https://example.org/sbom/v1
Creator: Tool: sbom-generator-1.0
The minimum viable SPDX document requires: SPDXVersion, DataLicense (always CC0-1.0), SPDXID, DocumentName, DocumentNamespace, and at least one Creator entry. Packages additionally require PackageName, SPDXID, and PackageDownloadLocation.
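A small checker for the required fields listed above, written as an added example for this article rather than code from the SPDX project or its official libraries. It parses the tag-value layout (one `Tag: value` per line, as used by SPDX 2.x documents such as 2.3) and reports which required document and package fields are absent. The two sample documents are constructed for the example; the field names are the ones the article lists.

```python
"""Minimal SPDX tag-value required-field checker (added example, not SPDX project code)."""
import re
from typing import Dict, List, Tuple

# Required fields as stated in the article: document-level and per-package.
REQUIRED_DOCUMENT_TAGS = ("SPDXVersion", "DataLicense", "SPDXID",
                          "DocumentName", "DocumentNamespace", "Creator")
REQUIRED_PACKAGE_TAGS = ("PackageName", "SPDXID", "PackageDownloadLocation")

# A tag-value line is "<Tag>: <value>"; the value may itself contain colons
# (e.g. "Creator: Tool: sbom-generator-1.0"), so only the first colon splits.
TAG_LINE = re.compile(r"^([A-Za-z]+):\s*(.*)$")

TagMap = Dict[str, List[str]]


def parse_tag_value(text: str) -> Tuple[TagMap, List[TagMap]]:
    """Split a tag-value document into document tags and a list of package tag maps.

    A PackageName tag opens a new package section; everything before the first
    PackageName belongs to the document. Blank lines and '#' comments are skipped.
    Multi-line <text>...</text> values are not handled, since no required field uses them.
    """
    document: TagMap = {}
    packages: List[TagMap] = []
    current = document
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = TAG_LINE.match(line)
        if not match:
            continue  # tolerate stray lines; a strict validator would reject them
        tag, value = match.group(1), match.group(2)
        if tag == "PackageName":
            current = {}
            packages.append(current)
        current.setdefault(tag, []).append(value)
    return document, packages


def missing_required(text: str) -> List[str]:
    """Return a list of problems with required fields; an empty list means the minimum is met."""
    document, packages = parse_tag_value(text)
    problems: List[str] = []
    for tag in REQUIRED_DOCUMENT_TAGS:
        if tag not in document:
            problems.append(f"document: missing {tag}")
    licence = document.get("DataLicense")
    if licence and licence[0] != "CC0-1.0":
        problems.append("document: DataLicense must be CC0-1.0")
    for index, package in enumerate(packages):
        name = package.get("PackageName", ["?"])[0]
        for tag in REQUIRED_PACKAGE_TAGS:
            if tag not in package:
                problems.append(f"package {index} ({name}): missing {tag}")
    return problems


# Constructed sample: a document that meets the minimum described in the article.
GOOD_DOC = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-sbom
DocumentNamespace: https://example.org/sbom/v1
Creator: Tool: sbom-generator-1.0
Created: 2024-01-01T00:00:00Z

PackageName: libexample
SPDXID: SPDXRef-Package-libexample
PackageVersion: 1.2.3
PackageDownloadLocation: https://example.org/libexample-1.2.3.tar.gz
"""

# Constructed sample: missing DocumentNamespace, wrong DataLicense, and a package
# without PackageDownloadLocation.
BAD_DOC = """\
SPDXVersion: SPDX-2.3
DataLicense: MIT
SPDXID: SPDXRef-DOCUMENT
DocumentName: incomplete-sbom
Creator: Tool: sbom-generator-1.0

PackageName: libexample
SPDXID: SPDXRef-Package-libexample
"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(label, missing_required(doc) or "ok")
```

Running the module prints `good ok` and three problems for the second document. A consumer that enforces the article's minimum before ingesting an SBOM would reject the second document rather than silently store a package with no download location.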
Popular tools for generating and consuming SPDX documents include Syft (Anchore), FOSSology, SPDX Online Tools, and the official SPDX Java/Python libraries. Most modern CI/CD platforms can generate SPDX SBOMs natively or through plugins.
This encyclopedia is community-maintained under a CC BY-SA 4.0 license. Every article can be improved, and new entries are always welcome. Join hundreds of contributors documenting the software supply chain.