SPDX has become the de facto standard for communicating software bill of materials (SBOM) information across the software supply chain. Recognized internationally as ISO/IEC 5962:2021, it provides a common language for describing software components, their licenses, security references, and provenance data, enabling organizations to manage compliance and security risk at scale.
Background
The SPDX project originated in 2010 under the Linux Foundation, motivated by the need to reduce friction in open-source license compliance. The first specification (v1.0) was released in August 2011, focused on describing packages and their associated licenses. Over successive versions the scope broadened: v2.0 (2015) introduced multi-package documents and inter-package relationships, v2.1 (2016) added snippet-level descriptions and external references to CVEs, and v2.2 introduced SPDX-lite for minimal SBOMs. SPDX 2.2.1 was published as ISO/IEC 5962:2021 in August 2021, cementing its position as an international standard.
Purpose & Scope
SPDX enables producers and consumers of software to exchange accurate, machine-readable metadata about software components. Key use cases include open-source license compliance, software supply-chain transparency, vulnerability tracking, and regulatory reporting (such as U.S. NTIA minimum SBOM requirements). The standard describes packages, files, snippets, and the relationships between them, along with licensing expressions and security references.
Version 3.0 Architecture
SPDX 3.0, released in April 2024, introduced a fundamental architectural shift. The data model is now based on RDF, and all elements can be expressed and referenced independently without requiring a containing document. A profile system allows users to define data for specific use cases without increasing overall complexity:
| Profile | Coverage |
|---|---|
| Core | Foundational concepts common to all profiles |
| Software | Software artifact descriptions |
| Security | Security-related metadata (CVEs, advisories) |
| Build | Build provenance and reproducibility |
| AI | AI system and model descriptions |
| Dataset | Dataset characteristics and access methods |
| Licensing | License compliance information |
| Lite | Minimal subset for lightweight workflows |
Serializations & Technical Formats
SPDX documents can be expressed in multiple formats. Version 2.x supported JSON, YAML, RDF/XML, tag-value, and spreadsheet formats. Version 3.0 supports all RDF 1.1 serializations including JSON-LD, Turtle, N-Triples, and RDF/XML.
SPDX License List
A key companion to the specification is the SPDX License List, which assigns short identifiers (e.g., MIT, Apache-2.0, GPL-3.0-only) to common open-source licenses. These identifiers are widely adopted in package managers including npm, Python (PEP 639), Rust Cargo, and Fedora RPM metadata.
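As an added example (not code from the original article or from the SPDX project's own tooling), the following consumer-side audit reads an SPDX 2.3 JSON document and checks the three things the Purpose & Scope section and the License List describe: that every relationship names a defined element, that declared license expressions resolve to identifiers on a policy allowlist, and which packages carry SECURITY external references. The SBOM, the allowlist and every name and locator in them are constructed for this example; the check also accepts `files` entries and strips the `+` (or-later) suffix from expression tokens.

```python
import json, re
# Constructed SPDX 2.3 JSON document for this example (not from any real project);
# the SPDXIDs, package names, CPE string and dangling reference are all made up.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "example-app",
         "licenseDeclared": "Apache-2.0 OR MIT"},
        {"SPDXID": "SPDXRef-Package-libx", "name": "libx",
         "licenseDeclared": "GPL-2.0-only WITH Classpath-exception-2.0",
         "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                           "referenceLocator": "cpe:2.3:a:example:libx:2.4.1:*:*:*:*:*:*:*"}]},
        {"SPDXID": "SPDXRef-Package-liby", "name": "liby",
         "licenseDeclared": "SSPL-1.0 AND LicenseRef-Vendor-EULA"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-app"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-libx"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-missing"}],  # names no element
})
# Constructed policy allowlist: a small subset of SPDX License List identifiers.
ALLOWED = {"Apache-2.0", "MIT", "BSD-3-Clause", "GPL-2.0-only", "Classpath-exception-2.0"}
OPERATORS = {"AND", "OR", "WITH"}
def license_ids(expression):
    # Identifiers in an SPDX license expression, with the "+" (or-later) suffix stripped
    tokens = re.findall(r"[A-Za-z0-9.+\-]+", expression)
    return {t.rstrip("+") for t in tokens if t not in OPERATORS}

def audit(sbom_json):
    doc = json.loads(sbom_json)
    known = {doc["SPDXID"]} | {e["SPDXID"] for e in doc.get("packages", []) + doc.get("files", [])}
    findings = {"dangling": [], "license": [], "security_refs": []}
    for rel in doc.get("relationships", []):  # both sides must name a defined element
        for side in ("spdxElementId", "relatedSpdxElement"):
            if rel[side] not in known and rel[side] not in ("NONE", "NOASSERTION"):
                findings["dangling"].append(rel[side])
    for pkg in doc.get("packages", []):
        # LicenseRef-* ids are document-local custom licenses; NOASSERTION is flagged too
        bad = {i for i in license_ids(pkg.get("licenseDeclared", "NOASSERTION"))
               if not i.startswith("LicenseRef-")} - ALLOWED
        if bad:
            findings["license"].append((pkg["name"], sorted(bad)))
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceCategory") == "SECURITY":  # e.g. cpe23Type, advisory
                findings["security_refs"].append(
                    (pkg["name"], ref["referenceType"], ref["referenceLocator"]))
    return findings
```

On the sample document the audit reports the dangling `SPDXRef-Package-missing` reference, flags `liby` for the non-allowlisted `SSPL-1.0`, and lists the CPE reference on `libx` for feeding into vulnerability matching.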
Governance & Maintenance
SPDX is maintained by the community-driven SPDX Project, hosted under the Linux Foundation. Development occurs openly on GitHub with contributions from industry experts and open-source practitioners. The latest patch release, v3.0.1, was published in December 2024.
Notable Implementations
SPDX license identifiers are embedded in millions of source code files across the open-source ecosystem. The Linux kernel adopted SPDX identifiers project-wide. Major package ecosystems (npm, PyPI, crates.io) use SPDX license expressions in their metadata. The FSFE's REUSE project provides tooling for SPDX-based copyright and license annotation.
Related Standards
- CycloneDX -- An alternative SBOM format focused on security and vulnerability tracking
- ISO/IEC 5962:2021 -- The ISO publication of SPDX 2.2.1