ISO 5962:2026(E)

ISO/TC ###/SC ##/WG #

Date: YYYY-MM-DD

Information Technology — SPDX® Specification V3.0

DIS stage

Attention Ballot Reviewers: This is a PAS submission. It does not completely adhere to the format and organization requirements of the ISO/IEC Directives Part 2, but that is no longer required. See “ISO/IEC Directives, Part 1, Consolidated JTC 1 Supplement 2024 — Procedures specific to JTC 1” F.3.4.2 and F.4.7.

© ISO 2026

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office

CP 401 • Ch. de Blandonnet 8

CH-1214 Vernier, Geneva

Phone: +41 22 749 01 11

Email: copyright@iso.org

Website: www.iso.org

Published in Switzerland

Contents

Foreword xiii

Introduction xiv

1 Scope 1

2 Normative references 1

3 Symbols 3

4 Terms and definitions 4

5 Conformance 4

5.1 Alternate notation for some conformance requirements 4

5.2 Introduction to profiles 5

5.3 Core profile compliance point 5

5.4 Software profile compliance point 5

5.5 Security profile compliance point 6

5.6 Licensing profile compliance point 6

5.7 Dataset profile compliance point 6

5.8 AI profile compliance point 6

5.9 Build profile compliance point 7

5.10 Lite profile compliance point 7

5.11 Extension profile compliance point 7

5.12 Trademark compliance 8

6 Model and serializations 8

6.1 Overview 8

6.2 RDF serialization 8

6.3 Canonical serialization 9

6.4 Serialization information 9

6.5 Serialization in SPDX 3 JSON 10

6.5.1 A strict subset of JSON-LD 10

6.5.2 JSON-LD context file 10

6.5.3 JSON-LD validation 10

7 Core 10

7.1 Profile information 10

7.1.1 Core profile 10

7.2 Classes 11

7.2.1 Agent 11

7.2.2 Annotation 11

7.2.3 Artifact 12

7.2.4 Bom 14

7.2.5 Bundle 15

7.2.6 CreationInfo 16

7.2.7 DictionaryEntry 16

7.2.8 Element 17

7.2.9 ElementCollection 18

7.2.10 ExternalIdentifier 19

7.2.11 ExternalMap 20

7.2.12 ExternalRef 21

7.2.13 Hash 21

7.2.14 IndividualElement 22

7.2.15 IntegrityMethod 23

7.2.16 LifecycleScopedRelationship 24

7.2.17 NamespaceMap 25

7.2.18 Organization 26

7.2.19 PackageVerificationCode 27

7.2.20 Person 28

7.2.21 PositiveIntegerRange 29

7.2.22 Relationship 29

7.2.23 SoftwareAgent 30

7.2.24 SpdxDocument 31

7.2.25 Tool 32

7.3 Properties 33

7.3.1 algorithm 33

7.3.2 annotationType 33

7.3.3 beginIntegerRange 34

7.3.4 builtTime 34

7.3.5 comment 34

7.3.6 completeness 35

7.3.7 contentType 35

7.3.8 context 36

7.3.9 created 36

7.3.10 createdBy 37

7.3.11 createdUsing 37

7.3.12 creationInfo 37

7.3.13 dataLicense 38

7.3.14 definingArtifact 39

7.3.15 description 39

7.3.16 element 39

7.3.17 endIntegerRange 40

7.3.18 endTime 40

7.3.19 extension 41

7.3.20 externalIdentifier 41

7.3.21 externalIdentifierType 41

7.3.22 externalRef 42

7.3.23 externalRefType 42

7.3.24 externalSpdxId 42

7.3.25 from 43

7.3.26 hashValue 43

7.3.27 identifier 44

7.3.28 identifierLocator 44

7.3.29 import 44

7.3.30 issuingAuthority 45

7.3.31 key 45

7.3.32 locationHint 45

7.3.33 locator 46

7.3.34 name 46

7.3.35 namespace 47

7.3.36 namespaceMap 47

7.3.37 originatedBy 47

7.3.38 packageVerificationCodeExcludedFile 48

7.3.39 prefix 48

7.3.40 profileConformance 48

7.3.41 relationshipType 49

7.3.42 releaseTime 49

7.3.43 rootElement 50

7.3.44 scope 50

7.3.45 spdxId 50

7.3.46 specVersion 51

7.3.47 standardName 51

7.3.48 startTime 52

7.3.49 statement 52

7.3.50 subject 52

7.3.51 summary 53

7.3.52 suppliedBy 53

7.3.53 supportLevel 54

7.3.54 to 54

7.3.55 validUntilTime 54

7.3.56 value 55

7.3.57 verifiedUsing 55

7.4 Vocabularies 56

7.4.1 AnnotationType 56

7.4.2 ExternalIdentifierType 56

7.4.3 ExternalRefType 57

7.4.4 HashAlgorithm 59

7.4.5 LifecycleScopeType 60

7.4.6 PresenceType 60

7.4.7 ProfileIdentifierType 60

7.4.8 RelationshipCompleteness 61

7.4.9 RelationshipType 62

7.4.10 SupportType 64

7.5 Individuals 65

7.5.1 NoAssertionElement 65

7.5.2 NoneElement 66

7.5.3 SpdxOrganization 66

7.6 Datatypes 66

7.6.1 DateTime 66

7.6.2 MediaType 67

7.6.3 SemVer 67

8 Software 68

8.1 Profile information 68

8.1.1 Software profile 68

8.2 Classes 68

8.2.1 ContentIdentifier 68

8.2.2 File 69

8.2.3 Package 70

8.2.4 Sbom 72

8.2.5 Snippet 73

8.2.6 SoftwareArtifact 74

8.3 Properties 76

8.3.1 additionalPurpose 76

8.3.2 attributionText 76

8.3.3 byteRange 77

8.3.4 contentIdentifier 77

8.3.5 contentIdentifierType 78

8.3.6 contentIdentifierValue 78

8.3.7 copyrightText 78

8.3.8 downloadLocation 79

8.3.9 fileKind 79

8.3.10 homePage 80

8.3.11 lineRange 80

8.3.12 packageUrl 81

8.3.13 packageVersion 81

8.3.14 primaryPurpose 82

8.3.15 sbomType 82

8.3.16 snippetFromFile 82

8.3.17 sourceInfo 83

8.4 Vocabularies 83

8.4.1 ContentIdentifierType 83

8.4.2 FileKindType 84

8.4.3 SbomType 84

8.4.4 SoftwarePurpose 85

9 Security 86

9.1 Profile information 86

9.1.1 Security profile 86

9.2 Classes 86

9.2.1 CvssV2VulnAssessmentRelationship 86

9.2.2 CvssV3VulnAssessmentRelationship 88

9.2.3 CvssV4VulnAssessmentRelationship 90

9.2.4 EpssVulnAssessmentRelationship 92

9.2.5 ExploitCatalogVulnAssessmentRelationship 94

9.2.6 SsvcVulnAssessmentRelationship 96

9.2.7 VexAffectedVulnAssessmentRelationship 97

9.2.8 VexFixedVulnAssessmentRelationship 99

9.2.9 VexNotAffectedVulnAssessmentRelationship 100

9.2.10 VexUnderInvestigationVulnAssessmentRelationship 102

9.2.11 VexVulnAssessmentRelationship 104

9.2.12 VulnAssessmentRelationship 105

9.2.13 Vulnerability 107

9.3 Properties 109

9.3.1 actionStatement 109

9.3.2 actionStatementTime 109

9.3.3 assessedElement 110

9.3.4 catalogType 110

9.3.5 decisionType 111

9.3.6 exploited 111

9.3.7 impactStatement 111

9.3.8 impactStatementTime 112

9.3.9 justificationType 112

9.3.10 locator 113

9.3.11 modifiedTime 113

9.3.12 percentile 113

9.3.13 probability 114

9.3.14 publishedTime 114

9.3.15 score 114

9.3.16 severity 115

9.3.17 statusNotes 115

9.3.18 vectorString 116

9.3.19 vexVersion 116

9.3.20 withdrawnTime 117

9.4 Vocabularies 117

9.4.1 CvssSeverityType 117

9.4.2 ExploitCatalogType 118

9.4.3 SsvcDecisionType 118

9.4.4 VexJustificationType 119

10 Licensing 119

10.1 Profile information 119

10.1.1 Licensing profile 119

11 SimpleLicensing 121

11.1 Profile information 121

11.1.1 SimpleLicensing profile 121

11.2 Classes 121

11.2.1 AnyLicenseInfo 121

11.2.2 LicenseExpression 122

11.2.3 SimpleLicensingText 123

11.3 Properties 124

11.3.1 customIdToUri 124

11.3.2 licenseExpression 125

11.3.3 licenseListVersion 125

11.3.4 licenseText 126

12 ExpandedLicensing 126

12.1 Profile information 126

12.1.1 ExpandedLicensing profile 126

12.2 Classes 127

12.2.1 ConjunctiveLicenseSet 127

12.2.2 CustomLicense 128

12.2.3 CustomLicenseAddition 129

12.2.4 DisjunctiveLicenseSet 130

12.2.5 ExtendableLicense 131

12.2.6 IndividualLicensingInfo 131

12.2.7 License 132

12.2.8 LicenseAddition 133

12.2.9 ListedLicense 135

12.2.10 ListedLicenseException 136

12.2.11 OrLaterOperator 137

12.2.12 WithAdditionOperator 138

12.3 Properties 139

12.3.1 additionText 139

12.3.2 deprecatedVersion 139

12.3.3 isDeprecatedAdditionId 140

12.3.4 isDeprecatedLicenseId 140

12.3.5 isFsfLibre 141

12.3.6 isOsiApproved 141

12.3.7 licenseXml 142

12.3.8 listVersionAdded 142

12.3.9 member 143

12.3.10 obsoletedBy 143

12.3.11 seeAlso 144

12.3.12 standardAdditionTemplate 144

12.3.13 standardLicenseHeader 145

12.3.14 standardLicenseTemplate 145

12.3.15 subjectAddition 145

12.3.16 subjectExtendableLicense 146

12.3.17 subjectLicense 146

12.4 Individuals 147

12.4.1 NoAssertionLicense 147

12.4.2 NoneLicense 147

13 Dataset 147

13.1 Profile information 147

13.1.1 Dataset profile 147

13.2 Classes 148

13.2.1 DatasetPackage 148

13.3 Properties 150

13.3.1 anonymizationMethodUsed 150

13.3.2 confidentialityLevel 150

13.3.3 dataCollectionProcess 151

13.3.4 dataPreprocessing 151

13.3.5 datasetAvailability 152

13.3.6 datasetNoise 152

13.3.7 datasetSize 152

13.3.8 datasetType 153

13.3.9 datasetUpdateMechanism 153

13.3.10 hasSensitivePersonalInformation 154

13.3.11 intendedUse 154

13.3.12 knownBias 154

13.3.13 sensor 155

13.4 Vocabularies 155

13.4.1 ConfidentialityLevelType 155

13.4.2 DatasetAvailabilityType 156

13.4.3 DatasetType 156

14 AI 157

14.1 Profile information 157

14.1.1 AI profile 157

14.1.2 Profile conformance 157

14.2 Classes 157

14.2.1 AIPackage 157

14.2.2 EnergyConsumption 160

14.2.3 EnergyConsumptionDescription 161

14.3 Properties 162

14.3.1 autonomyType 162

14.3.2 domain 162

14.3.3 energyConsumption 162

14.3.4 energyQuantity 163

14.3.5 energyUnit 163

14.3.6 finetuningEnergyConsumption 164

14.3.7 hyperparameter 164

14.3.8 inferenceEnergyConsumption 164

14.3.9 informationAboutApplication 165

14.3.10 informationAboutTraining 165

14.3.11 limitation 166

14.3.12 metric 166

14.3.13 metricDecisionThreshold 167

14.3.14 modelDataPreprocessing 167

14.3.15 modelExplainability 168

14.3.16 safetyRiskAssessment 168

14.3.17 standardCompliance 169

14.3.18 trainingEnergyConsumption 169

14.3.19 typeOfModel 169

14.3.20 useSensitivePersonalInformation 170

14.4 Vocabularies 170

14.4.1 EnergyUnitType 170

14.4.2 SafetyRiskAssessmentType 171

15 Build 171

15.1 Profile information 171

15.1.1 Build profile 171

15.2 Classes 172

15.2.1 Build 172

15.3 Properties 173

15.3.1 buildEndTime 173

15.3.2 buildId 174

15.3.3 buildStartTime 174

15.3.4 buildType 175

15.3.5 configSourceDigest 175

15.3.6 configSourceEntrypoint 176

15.3.7 configSourceUri 176

15.3.8 environment 177

15.3.9 parameter 177

16 Lite 178

16.1 Profile information 178

16.1.1 Lite profile 178

17 Extension 179

17.1 Profile information 179

17.1.1 Extension profile 179

17.2 Classes 179

17.2.1 CdxPropertiesExtension 179

17.2.2 CdxPropertyEntry 180

17.2.3 Extension 180

17.3 Properties 181

17.3.1 cdxPropName 181

17.3.2 cdxPropValue 182

17.3.3 cdxProperty 182

Annex A (informative) RDF model definition and diagrams 183

A.1 Model definition 183

A.2 Diagrams 183

A.2.1 Core profile 183

A.2.2 Software profile 184

A.2.3 Security profile 185

A.2.4 Licensing profile 186

A.2.5 Dataset profile 187

A.2.6 AI profile 188

A.2.7 Build profile 189

A.2.8 Extension profile 190

Annex B (normative) SPDX license expressions 191

B.1 Overview 191

B.2 Case sensitivity 192

B.3 Simple license expressions 192

B.4 Composite license expressions 192

B.4.1 Introduction 192

B.4.2 Disjunctive “OR” operator 192

B.4.3 Conjunctive “AND” operator 193

B.4.4 Additive “WITH” operator 193

B.4.5 Order of precedence and parentheses 193

B.5 Complete grammar 194

Annex C (normative) SPDX License List matching guidelines and templates 195

C.1 SPDX License List matching guidelines 195

C.2 How these guidelines are applied 195

C.2.1 Purpose 195

C.2.2 Guideline: official license headers 195

C.3 Substantive text 195

C.3.1 Purpose 195

C.3.2 Guideline: verbatim text 195

C.3.3 Guideline: no additional text 195

C.3.4 Guideline: replaceable text 195

C.3.5 Guideline: omittable text 196

C.4 Whitespace 196

C.4.1 Purpose 196

C.4.2 Guideline 196

C.5 Capitalization 196

C.5.1 Purpose 196

C.5.2 Guideline 196

C.6 Punctuation 197

C.6.1 Purpose 197

C.6.2 Guideline: punctuation 197

C.6.3 Guideline: hyphens, dashes 197

C.6.4 Guideline: quotes 197

C.7 Code comment indicators or separators 197

C.7.1 Purpose 197

C.7.2 Guideline: prefix 197

C.7.3 Guideline: repeated characters 197

C.8 Bullets and numbering 197

C.8.1 Purpose 197

C.8.2 Guideline 197

C.9 Varietal word spelling 198

C.9.1 Purpose 198

C.9.2 Guideline 198

C.10 Copyright symbol 198

C.10.1 Purpose 198

C.10.2 Guideline 198

C.11 Copyright notice 198

C.11.1 Purpose 198

C.11.2 Guideline 198

C.12 License name or title 198

C.12.1 Purpose 198

C.12.2 Guideline 199

C.13 Extraneous text at the end of a license 199

C.13.1 Purpose 199

C.13.2 Guideline 199

C.14 HTTP protocol 199

C.14.1 Purpose 199

C.14.2 Guideline 199

C.15 SPDX License List 199

C.15.1 Template access 199

C.15.2 License List XML format 199

C.15.3 Legacy Text Template format 199

Annex D (normative) SPDX Lite 201

D.1 Explanation of the Lite profile 201

D.2 Mandatory and recommended properties 201

D.2.1 /Core/SpdxDocument 201

D.2.2 /Software/Sbom 201

D.2.3 /Software/Package 202

D.2.4 /Core/Hash 202

D.2.5 /SimpleLicensing/LicenseExpression 203

D.2.6 /SimpleLicensing/SimpleLicensingText 203

D.2.7 /Core/Agent (createdBy, suppliedBy, originatedBy) 203

D.2.8 /Core/CreationInfo 203

D.2.9 /Core/ExternalIdentifier 203

D.2.10 /Core/NameSpaceMap 204

D.2.11 /Core/Relationship 204

Annex E (normative) Package URL specification v1 205

E.1 Introduction 205

E.2 Syntax definition 205

E.3 Character encoding 206

E.4 Rules for each component 206

E.4.1 Rules for scheme 206

E.4.2 Rules for type 207

E.4.3 Rules for namespace 207

E.4.4 Rules for name 207

E.4.5 Rules for version 207

E.4.6 Rules for qualifiers 207

E.4.7 Rules for subpath 208

E.5 Known types 208

E.6 Known qualifiers key/value pairs 208

E.7 How to produce and consume purl data 208

E.7.1 How to build purl string from its components 208

E.7.2 How to parse a purl string to its components 210

E.8 Examples 211

E.9 Original license 211

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see patents.iec.ch).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.

This document was prepared by The Linux Foundation and its Contributors under the SPDX Working Group (as SPDX® Specification v3.0) and drafted in accordance with its editorial rules. Its preparation and publication has been made in coordination with related efforts with the Object Management Group (OMG). It was adopted, under the JTC 1 PAS (“Publicly Available Specification”) procedure, by Joint Technical Committee ISO/IEC JTC 1, Information technology.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.

This specification replaces ISO/IEC 5962:2021, which described SPDX version 2.2.1.

Introduction

Companies and organizations (collectively “Organizations”) are widely using and reusing open source and other software packages. Accurate identification of software is key for many supply chain processes. Vulnerability remediation starts with knowing the details of which version of software is in use on a system. Compliance with the associated licenses requires a set of analysis activities and due diligence that each Organization performs independently, which may include a manual and/or automated scan of software and identification of associated licenses followed by manual verification.

Software development teams across the globe use the same open source packages, but little infrastructure exists to facilitate collaboration on the analysis or share the results of these analysis activities. As a result, many groups are performing the same work leading to duplicated efforts and redundant information. With this document, the SPDX workgroup, a combined effort of the Linux Foundation SPDX group and the OMG/CISQ Tool-to-Tool effort, has created a data exchange format so that information about software packages and related content may be collected and shared in a common format with the goal of saving time and improving data accuracy.

The merged activities of the two groups slid together the beginning weeks of 2021 with activities generally moving forward but occasionally stalling while the larger group worked through issues that one or the other hadn’t discussed or had a different opinion about. Eventually, after releasing SPDX 2.3 in August of 2022 with updates that brought some of the concepts and capabilities slated for SPDX 3.0 to the community in preparation of the shift that SPDX 3.0 represents, the first release candidate of SPDX 3.0 was released in May of 2023. Within the SPDX community, which is both a standards creation organization as well as a community of open source developers, a release candidate offers an opportunity for implementors of SPDX, both new and old, to review the work and determine whether there were parts that were unclear or that would be extremely burdensome to implement.

Based on the comments and change requests from the initial candidate release several areas of the model were revised and reworked, resulting in a release candidate 2 of SPDX 3.0 in February of 2024. That release candidate gave tool creators and those who maintain the support libraries for working with SPDX time to start revising their projects in advance of the final version of the SPDX 3.0 specification. For those not following the inner workings, debates, and discussion of the combined 3T-SBOM and SPDX 3.0 working group for the last 3 years there has been a dramatic change in the SPDX model as it goes from SPDX 2.3 to SPDX 3.0, shifting the SPDX name from Software Package Data Exchange to System Package Data Exchange and expanding the scope of items it can now convey in a bill of materials from software, security, and licensing to many additional aspects like data sets, AI models, and build information.

Since the release of 3.0.0, the groups have gathered feedback on the level of documentation and minor errors in the model which have been addressed in the 3.0.1 release.

Information Technology — SPDX® Specification V3.0

The System Package Data Exchange™ (SPDX®) specification defines an open standard for communicating bill of materials (BOM) information for different topic areas.

SPDX defines an underlying data model as well as multiple serialization formats to encode that data model.

SPDX metadata includes details about creation and distribution, including the following:

• software composition, for collections of software (Packages), individual Files, and portions of files (Snippets)
• software build information
• artificial intelligence (AI) models
• datasets
• creator, supplier and distributor identity information
• provenance and integrity
• licenses and copyrights, including a curated list of licenses and exceptions
• security vulnerabilities, defects, and other quality data
• relationships between system elements
• software usage and lifecycle
• mechanisms to enable annotating SPDX elements and linking between multiple SPDX Documents

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

Apache Maven, Apache Software Foundation, https://maven.apache.org/.

Bower API, https://bower.io/docs/api/#install.

Common Platform Enumeration (CPE) – Specification 2.2, The MITRE Corporation, https://cpe.mitre.org/files/cpe-specification_2.2.pdf.

Common Platform Enumeration (CPE): Naming Specification Version 2.3, NIST IR 7695, NIST, https://csrc.nist.gov/pubs/ir/7695/final.

Common Vulnerability Scoring System v3.0 (CVSS v3.0): Specification Document, Forum of Incident Response and Security Teams, Inc (FIRST), https://www.first.org/cvss/v3.0/specification-document.

Common Vulnerability Scoring System v3.1 (CVSS v3.1): Specification Document, Forum of Incident Response and Security Teams, Inc (FIRST), https://www.first.org/cvss/v3.1/specification-document.

Common Vulnerability Scoring System version 4.0 (CVSS v4.0): Specification Document, Forum of Incident Response and Security Teams, Inc (FIRST), https://www.first.org/cvss/v4.0/specification-document.

CVSS 3.0 schema, Forum of Incident Response and Security Teams, Inc (FIRST), https://www.first.org/cvss/cvss-v3.0.json.

CVSS 3.1 schema, Forum of Incident Response and Security Teams, Inc (FIRST), https://www.first.org/cvss/cvss-v3.1.json.

CVSS 4.0 schema, Forum of Incident Response and Security Teams, Inc (FIRST), https://www.first.org/cvss/cvss-v4.0.json.

EU general risk assessment methodology, European Commission, https://ec.europa.eu/docsroom/documents/17107.

npm-package.json, npm Inc., https://docs.npmjs.com/files/package.json.

NuGet documentation, Microsoft, https://docs.nuget.org/.

POSIX.1-2017 The Open Group Base Specifications Issue 7, 2018 edition, IEEE/Open Group, https://pubs.opengroup.org/onlinepubs/9699919799/.

Resource Description Framework (RDF), 2014-02-25, W3C, http://www.w3.org/standards/techs/rdf.

RFC 1319, The MD2 Message-Digest Algorithm, Internet Engineering Task Force, https://datatracker.ietf.org/doc/rfc1319/.

RFC 1320, The MD4 Message-Digest Algorithm, Internet Engineering Task Force, https://datatracker.ietf.org/doc/rfc1320/.

RFC 1321, The MD5 Message-Digest Algorithm, Internet Engineering Task Force, https://datatracker.ietf.org/doc/rfc1321/.

RFC 1950, ZLIB Compressed Data Format Specification version 3.3, Internet Engineering Task Force, https://datatracker.ietf.org/doc/rfc1950/.

RFC 2046, Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types, Internet Engineering Task Force, https://datatracker.ietf.org/doc/rfc2046/.

RFC 3174, US Secure Hash Algorithm 1 (SHA1), Internet Engineering Task Force, https://datatracker.ietf.org/doc/rfc3174/.

RFC 3696, Application Techniques for Checking and Transformation of Names, Internet Engineering Task Force, https://datatracker.ietf.org/doc/rfc3696/.

RFC 3874, A 224-bit One-way Hash Function: SHA-224, Internet Engineering Task Force, https://datatracker.ietf.org/doc/rfc3874/.

RFC 3986, Uniform Resource Identifier (URI): Generic Syntax, Internet Engineering Task Force, https://datatracker.ietf.org/doc/rfc3986/.

RFC 5234, Augmented BNF for Syntax Specifications: ABNF, Internet Engineering Task Force, https://datatracker.ietf.org/doc/rfc5234/.

RFC 6234, US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF), Internet Engineering Task Force, https://datatracker.ietf.org/doc/rfc6234/.

RFC 7405, Case-Sensitive String Support in ABNF, Internet Engineering Task Force, https://datatracker.ietf.org/doc/rfc7405/.

RFC 7693, The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC), Internet Engineering Task Force, https://datatracker.ietf.org/doc/rfc7693/.

RFC 8259, The JavaScript Object Notation (JSON) Data Interchange Format, Internet Engineering Task Force, https://datatracker.ietf.org/doc/rfc8259/.

RFC 9393, Concise Software Identification Tags, Internet Engineering Task Force, https://datatracker.ietf.org/doc/rfc9393/.

Semantic Versioning 2.0.0, Tom Preston-Werner and SemVer contributors, https://semver.org.

SLSA Provenance v0.2, The Linux Foundation, https://slsa.dev/spec/v0.2/provenance.

SoftWare Heritage persistent IDentifiers (SWHIDs), in International Standard ISO/IEC 18670 Information technology — SoftWare Hash IDentifier (SWHID) Specification V1.2https://www.iso.org/standard/89985.html, also available at https://www.swhid.org/swhid-specification/v1.2/

SPDX and RDF Ontology, http://spdx.org/rdf/ontology/spdx-3-0

SPDX License List, The Linux Foundation, https://spdx.org/licenses/

SPDX License Exceptions, The Linux Foundation, https://spdx.org/licenses/exceptions-index.html

Stakeholder-Specific Vulnerability Categorization Guide, CISA, https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc.

The EPSS Model, Forum of Incident Response and Security Teams, Inc (FIRST), https://www.first.org/epss/model.

Types of Software Bill of Material (SBOM) Documents, CISA, https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf.

The following symbols and abbreviations are used throughout this document:

For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

• ISO Online browsing platform: available at https://www.iso.org/obp
• IEC Electropedia: available at http://www.electropedia.org/

4.1
profile
a scope of usage for SPDX targeting support for particular use cases and scenarios (e.g., software, licensing, security, etc.) that identifies which particular SPDX namespaces, classes, and properties it leverages, along with any custom constraints unique to its use

This document contains more than a few cardinality assertions, each of which indicates the minimum and maximum number of times a property may appear. These are represented by using “minCount” and “maxCount” respectively. The absolute minimum number of occurrences is zero (0), while for an unbounded maximum number of occurrences a star (*) is being used.

Here are some examples:

• minCount: 1
• maxCount: *
• Cardinality: 0..1
• Cardinality: 0..*
• Cardinality: 1..1
• Cardinality: 1..*

Each of these assertions can easily be understood as to whether a feature is required, and if so, how many occurrences are required; also, whether a feature is permitted, and if so, in what number. As this is the format long familiar to the SPDX community, it has been preserved in this document.

Profile is the term for a compliance point within the SPDX community across The Linux Foundation and OMG. This document defines the following nine compliance points, defined as “profiles”:

• Core profile
• Software profile
• Security profile
• Licensing profile
• Dataset profile
• AI profile
• Build profile
• Lite profile
• Extension profile

The Core profile is mandatory. All others are optional.

The Core profile includes the definitions of classes properties and vocabularies usable by all SPDX profiles when producing or consuming SPDX content. Although the classes, properties and vocabularies are somewhat extensive, the required fields are rather minimal to allow maximum flexibility while meeting minimum SBOM requirements. Software that conforms to the SPDX specification at the Core profile compliance point shall be able to import and export serialized documents that conform with one of the defined SPDX serialization formats.

Conformance to the Core profile compliance point is mandatory for all other SPDX profiles.

This compliance point, in combination with the Software profile compliance point, provides a baseline of functionality that facilitates interchange of the bills of materials information produced by tools supporting SPDX.

The Software profile includes the definitions of classes, properties and vocabularies for referring to and conveying information about software and is usable by all SPDX profiles when producing or consuming SPDX content.

Software that conforms to the SPDX specification at the Software profile compliance point shall be able to import and export serialized documents that conform with one of the SPDX serialization formats defined SPDX serialization formats.

Conformance to the Software profile compliance point does not entail support for the Licensing, Dataset, AI, Build, Lite, or Extension profiles of the SPDX.

This compliance point, in combination with the Core profile compliance point, provides a baseline of functionality that facilitates interchange of the bills of materials information produced by tools supporting SPDX.

The Security profile captures security-related information when producing or consuming SPDX content.

Software that conforms to the SPDX specification at the security profile compliance point shall be able to import and export serialized documents that conform with one of the SPDX serialization formats defined SPDX serialization formats, including the properties and relationships specified in the security profile, which are in support of exchanging information about software vulnerabilities that may exist, the severity of those vulnerabilities, and a mechanism to express how a vulnerability may affect a specific software element including if a fix is available.

Conformance to the Security profile compliance point does not entail support for the Licensing, Dataset, AI, Build, Lite, or Extension profiles of the SPDX.

This compliance point facilitates interchange of the security information produced by tools supporting SPDX.

The Licensing profile includes capturing details relevant to software licensing and intellectual property information when producing or consuming SPDX content. Specifically, software that conforms to the SPDX specification at the Licensing profile compliance point shall be able to import and export serialized documents that conform with one of the SPDX serialization formats defined SPDX serialization formats, including the classes and fields that comprise the SPDX License Expression syntax and that relate to the SPDX License List.

There are two associated profiles, the SimpleLicensing profile and the ExpandedLicensing profile. Both allow expression of the same information, albeit in different ways.

Conformance to the Licensing profile compliance point does not entail support for the Software, Security, Dataset, AI, Build, Lite, or Extension profiles of the SPDX.

This compliance point facilitates interchange of the licensing documents expressing which licenses and copyright notices are determined by persons or automated tooling to apply to distributions of software that are produced by tools supporting SPDX.

The Dataset profile captures the relevant information about the datasets used in an AI system or other applications when producing or consuming SPDX content.

Software that conforms to the SPDX specification at the Dataset profile compliance point shall be able to import and export serialized documents that conform with one of the SPDX serialization formats defined SPDX serialization formats, including details such as dataset names, versions, sources, associated metadata, licensing information, and any other relevant attributes. The Dataset profile can covey a description or summary of a dataset, including metadata, characteristics, and statistical information about the data. The Dataset profile can convey insights into the structure, format, content, and properties of a dataset, helping users understand and analyze the data more effectively.

Conformance to the Dataset profile compliance point does not entail support for the Software, Licensing, Security, AI, Build, Lite, or Extension profiles of the SPDX.

This compliance point facilitates interchange of the information about datasets produced by tools supporting SPDX.

The AI profile captures an inventory list of software components and dependencies associated with an AI system when producing or consuming SPDX content.

Software that conforms to the SPDX specification at the AI profile compliance point shall be able to import and export serialized documents that conform with one of the SPDX serialization formats defined SPDX serialization formats, including the information about software components and dependencies associated with artificial intelligence and machine learning (AI/ML) models and systems. This inventory includes the software frameworks, libraries, and other components used to build or deploy the AI system, along with relevant information about their versions, licenses, and useful security references including ethical and security information.

Conformance to the AI profile compliance point does not entail support for the Software, Licensing, Security, Dataset, Build, Lite, or Extension profiles of the SPDX.

This compliance point facilitates interchange of the AI model related information produced by tools supporting SPDX.

The Build profile captures build-related information when producing or consuming SPDX content.

Software that conforms to the SPDX specification at the Build profile compliance point shall be able to import and export serialized documents that conform with one of the SPDX serialization formats defined SPDX serialization formats, including associated definitions to help express how software is generated and transformed. This includes encoding the inputs, outputs, procedures/instructions, environments and actors from the build process along with the associated evidence.

Conformance to the Build profile compliance point does not entail support for the Software, Licensing, Security, Dataset, AI, Lite, or Extension profiles of the SPDX.

This compliance point facilitates interchange of the build information produced by tools supporting SPDX.

The Lite profile captures the minimum set of information required for license compliance in the software supply chain for producing or consuming SPDX content.

Software that conforms to the SPDX specification at the Lite profile compliance point shall be able to import and export serialized documents that conform with one of the SPDX serialization formats defined SPDX serialization formats, including creation of the SBOM, package lists with licensing and other related items, and their relationships.

Conformance to the Lite profile compliance point does not entail support for the Software, Licensing, Security, Dataset, AI, Build, or Extension profiles of the SPDX.

This compliance point facilitates interchange of minimal licensing information when produced by tools supporting SPDX.

The Extension profile captures extended tailored information when producing or consuming non-standard SPDX content in three ways:

• Support profile-based extended characterization of Elements. Enables specification and expression of Element characterization extensions within any profile and namespace of SPDX without requiring changes to other profiles or namespaces and without requiring local subclassing of remote classes (which could inhibit ecosystem interoperability in some cases).
• Support extension of SPDX by adopting individuals or communities with Element characterization details uniquely specialized to their particular context. Enables adopting individuals or communities to utilize SPDX expressive capabilities along with expressing more arcane Element characterization details specific to them and not appropriate for standardization across SPDX.
• Support structured capture of expressive solutions for gaps in SPDX coverage from real-world use. Enables adopting individuals or communities to express Element characterization details they require that are not currently defined in SPDX but likely should be. Enables a practical pipeline that identifies gaps in SPDX that should be filled, expresses solutions to those gaps in a way that allows the identifying adopters to use the extended solutions with SPDX and does not conflict with current SPDX, can be clearly detected among the SPDX content exchange ecosystem, provides a clear and structured definition of gap solution that can be used as submission for revision to the SPDX standard.

Software that conforms to the SPDX specification at the Extension profile compliance point shall be able to import and export serialized documents that conform with one of the SPDX serialization formats defined SPDX serialization formats, including the abstract Extension class serving as the base for all defined Extension subclasses.

Conformance to the Extension profile compliance point does not entail support for the Licensing, Security, Dataset, AI, Build, or profiles of the SPDX but is expected to be used in combination with the other profiles to extend them.

This compliance point facilitates interchange of extended information that goes beyond the standard SPDX produced by tools supporting SPDX and is used between cooperating parties that understand the form of the extension and can produce and consume its non-standard content.

To be designated an SPDX document, a file shall comply with the requirements of the SPDX Trademark License, as stated in the SPDX Trademark Page.

The official copyright notice that shall be used with any verbatim reproduction and/or distribution of this SPDX Specification 3.0 is:

“Official SPDX® Specification 3.0 Copyright © 2010–2025 Linux Foundation and its Contributors. Licensed under the Community Specification License 1.0. All other rights are expressly reserved.”

The official copyright notice that shall be used with any non-verbatim reproduction and/or distribution of this SPDX Specification 3.0, including without limitation any partial use or combining this SPDX Specification with another work, is:

“This is not an official SPDX Specification. Portions herein have been reproduced from SPDX® Specification 3.0 found at spdx.dev. These portions are Copyright © 2010–2025 Linux Foundation and its Contributors, and are licensed under the Community Specification License 1.0 by the Linux Foundation and its Contributors. All other rights are expressly reserved by Linux Foundation and its Contributors.”

This document defines the data model of the SPDX standard, describing every piece of information about systems with software components. The data model is based on the Resource Description Framework (RDF) extensible knowledge representation data model, which provides a flexible and extensible way to represent and exchange information.

The data may be serialized in a variety of formats for storage and transmission.

Since the data model is based on RDF, any SPDX data can be serialized in any of the multiple RDF serialization formats, including but not limited to:

• JSON-LD format as defined in JSON-LD 1.1;
• Turtle (Terse RDF Triple Language) format as defined in RDF 1.1 Turtle;
• N-Triples format as defined in RDF 1.1 N-Triples; and
• RDF/XML format as defined in RDF 1.1 XML Syntax.

The SPDX specification is accompanied by a JSON-LD context definition file that can be used to serialize SPDX in a much simpler and more human-readable JSON-LD format.

Canonical serialization is a single, consistent, normalized, deterministic, and reproducible form.

Such a canonical form normalizes things like ordering and formatting.

The content of the canonical serialization is exactly the same as the JSON-LD serialization of RDF data, just represented in a consistent way.

Canonical serialization is in JSON format, as defined in RFC 8259 (IETF STD 90), with the following additional characteristics:

• No line breaks
• Key names shall be wrapped in double quotes
• No whitespace outside of strings
• true, false and null: the literal names shall be lowercase; no other literal names are allowed
• Integers: represented in base 10 using decimal digits. This designates an integer component that may be prefixed with an optional minus sign. Leading zeros are not allowed.
• Strings: UTF-8 representation without specific normalization. A string begins and ends with quotation marks (%x22). Any Unicode characters may be placed within the quotation marks, except for the two characters that shall be escaped by a reverse solidus: quotation mark, reverse solidus, and the control characters (U+0000 through U+001F).
• Arrays: An array structure is represented as square brackets surrounding zero or more items. Items are separated by commas.
• Objects: An object structure is represented as a pair of curly brackets surrounding zero or more name/value pairs (or members). A name is a string containing only ASCII characters (0x21-0x7F). The names within an object shall be unique. A single colon comes after each name, separating the name from the value. A single comma separates a value from a following name. The name/value pairs are ordered by name.

A collection of elements may be serialized in multiple formats.

An SpdxDocument element represents a collection of elements across all serialization data formats within the model.

The actual serialized bytes are represented by an Artifact element within the model.

A Relationship of type serializedInArtifact links an SpdxDocument to one or more serialized forms of itself.

When serializing a physical SpdxDocument, any property of the logical element that can be natively represented within the chosen serialization format (e.g., @context prefixes in JSON-LD instead of the namespaceMap) may utilize these native mechanisms. All remaining properties shall be serialized within the SpdxDocument element itself.

A serialization shall not contain more than one SpdxDocument.

A given instance of serialization shall not define more than one SpdxDocument element.

The SPDX 3 JSON format is a strict subset of JSON-LD. It requires data to be serialized according to the defined serialization specification and validated against the SPDX 3 JSON Schema. It may be parsed – not serialized – using standard JSON-LD libraries.

JSON-LD contexts allow JSON documents to use simple, human-readable, locally defined terms while ensuring data interoperability across different systems.

The SPDX global JSON-LD context file shall be used universally for all SPDX documents in JSON-LD format that adhere to a specific SPDX version.

SPDX global JSON-LD context file is available at: https://spdx.org/rdf/3.0/spdx-context.jsonld

All SPDX documents in JSON-LD format shall include a reference to the SPDX global context file at the top level. This reference is achieved using the following JSON construct:

{ "@context": "https://spdx.org/rdf/3.0/spdx-context.jsonld" }

The SPDX context file defines aliases for specific JSON-LD properties to improve compatibility with the SPDX model. These aliases are:

• spdxId: An alias for the @id property.
• type: An alias for the @type property.

Additional namespace mappings may be defined within a separate object within the context.

An SPDX serialization in JSON-LD format is considered conformant to the SPDX specification if it adheres to the following two validation criteria:

• Structural validation: The JSON-LD document shall structurally validate against the SPDX JSON Schema. This schema defines the expected structure of the JSON-LD document, including the required elements, data types, and permissible values.
• Semantic validation: The JSON-LD document shall successfully validate against the SPDX OWL ontology. This ontology defines the expected relationships and constraints between SPDX elements. The SPDX OWL ontology also incorporates SHACL shape restrictions to further specify these constraints.

The SPDX 3 JSON Schema is available at: https://spdx.org/schema/3.0/spdx-json-schema.json

The SPDX 3 OWL ontology is available at: https://spdx.org/rdf/3.0/spdx-model.ttl

Summary

The basis for all SPDX profiles.

Description

The Core namespace defines foundational concepts serving as the basis for all SPDX 3.0 profiles.

Metadata

https://spdx.org/rdf/3.0/terms/Core

Summary

Agent represents anything with the potential to act on a system.

Description

The Agent class represents anything that has the potential to act on a system.

This could be a person, organization, software agent, etc.

This is not to be confused with tools that are used to perform tasks.

Metadata

https://spdx.org/rdf/3.0/terms/Core/Agent

Class hierarchy

/Core/Element
      /Core/Agent

All properties

Summary

An assertion made in relation to one or more elements.

Description

An Annotation is an assertion made in relation to one or more elements.

The contentType property describes the format of the statement property.

Metadata

https://spdx.org/rdf/3.0/terms/Core/Annotation

Class hierarchy

/Core/Element
      /Core/Annotation

Properties

All properties

Summary

A distinct article or unit within the digital domain.

Description

An artifact is a distinct article or unit within the digital domain, such as an electronic file, a software package, a device or an element of data.

Metadata

https://spdx.org/rdf/3.0/terms/Core/Artifact

Class hierarchy

/Core/Element
      /Core/Artifact

Properties

All properties

Summary

A container for a grouping of SPDX 3.0 content characterizing details (provenance, composition, licensing, etc.) about a product.

Description

A Bill of Materials (BOM) is a container for a grouping of SPDX 3.0 content characterizing details about a product.

This could include details of the content and composition of the product, provenance details of the product and/or its composition, licensing information, known quality or security issues, etc.

Metadata

https://spdx.org/rdf/3.0/terms/Core/Bom

Class hierarchy

/Core/Element
      /Core/ElementCollection
            /Core/Bundle
                  /Core/Bom

All properties

Summary

A collection of Elements that have a shared context.

Description

A bundle is a collection of Elements that have a shared context.

Metadata

https://spdx.org/rdf/3.0/terms/Core/Bundle

Class hierarchy

/Core/Element
      /Core/ElementCollection
            /Core/Bundle

Properties

All properties

Summary

Provides information about the creation of the Element.

Description

The CreationInfo provides information about who created the Element, and when and how it was created.

The dateTime created is often the date of last change (e.g., a git commit date), not the date when the SPDX data was created, as doing so supports reproducible builds.

Metadata

https://spdx.org/rdf/3.0/terms/Core/CreationInfo

Class hierarchy

/Core/CreationInfo

Properties

All properties

Summary

A key with an associated value.

Description

The class used for implementing a generic string mapping (also known as associative array, dictionary, or hash map) in SPDX.

Each DictionaryEntry contains a key-value pair which maps the key to its associated value.

To implement a dictionary, this class is to be used in a collection with unique keys.

Metadata

https://spdx.org/rdf/3.0/terms/Core/DictionaryEntry

Class hierarchy

/Core/DictionaryEntry

Properties

All properties

Summary

Base domain class from which all other SPDX 3.0 domain classes derive.

Description

An Element is a representation of a fundamental concept either directly inherent to the Bill of Materials (BOM) domain or indirectly related to the BOM domain and necessary for contextually characterizing BOM concepts and relationships. Within SPDX 3.0 structure this is the base class acting as a consistent, unifying, and interoperable foundation for all explicit and inter-relatable content objects.

Metadata

https://spdx.org/rdf/3.0/terms/Core/Element

Class hierarchy

/Core/Element

Properties

All properties

Summary

A collection of Elements, not necessarily with unifying context.

Description

An ElementCollection is a collection of Elements, not necessarily with unifying context.

Note that all ElementCollections shall conform to the Core profile even if the Core profile is not specified in the profileConformance property.

If the profileConformance property is not provided, “core” is to be assumed as the default.

Constraints

• If the ElementCollection has at least 1 element, it shall also have at least 1 rootElement.
• The element shall not be of type SpdxDocument.
• The rootElement shall not be of type SpdxDocument.

Metadata

https://spdx.org/rdf/3.0/terms/Core/ElementCollection

Class hierarchy

/Core/Element
      /Core/ElementCollection

Properties

All properties

Summary

A reference to a resource identifier defined outside the scope of SPDX 3.0 content that uniquely identifies an Element.

Description

An ExternalIdentifier is a reference to a resource outside the scope of SPDX 3.0 content that provides a unique key within an established domain that can uniquely identify an Element.

Metadata

https://spdx.org/rdf/3.0/terms/Core/ExternalIdentifier

• • • 1. 9.2.10.4 Class hierarchy

/Core/ExternalIdentifier

• • • 1. 9.2.10.5 Properties

• • • 1. 9.2.10.6 All properties

Summary

A map of Element identifiers that are used within an SpdxDocument but defined external to that SpdxDocument.

Description

An external map is a map of Element identifiers that are used within an SpdxDocument but defined external to that SpdxDocument. The external map provides details about the externally defined Element such as its provenance, where to retrieve it, and how to verify its integrity.

Metadata

https://spdx.org/rdf/3.0/terms/Core/ExternalMap

Class hierarchy

/Core/ExternalMap

Properties

All properties

Summary

A reference to a resource outside the scope of SPDX 3.0 content related to an Element.

Description

An External Reference points to a general resource outside the scope of the SPDX 3.0 content that provides additional context, characteristics or related information about an Element.

Metadata

https://spdx.org/rdf/3.0/terms/Core/ExternalRef

Class hierarchy

/Core/ExternalRef

Properties

All properties

Summary

A mathematically calculated representation of a grouping of data.

Description

A hash is a grouping of characteristics unique to the result of applying a mathematical algorithm that maps data of arbitrary size to a bit string (the hash) and is a one-way function, that is, a function which is practically infeasible to invert.

This is commonly used for integrity checking of data.

Please note that different profiles may also provide additional methods for verifying the integrity of specific subclasses of Elements.

Metadata

https://spdx.org/rdf/3.0/terms/Core/Hash

Class hierarchy

/Core/IntegrityMethod
      /Core/Hash

Properties

All properties

Summary

A concrete subclass of Element used by Individuals in the Core profile.

Description

Individuals, such as NoneElement and NoAssertionElement, need to reference a concrete subclass of Element.

This class provides the type used by the individuals defined in the Core profile.

Metadata

https://spdx.org/rdf/3.0/terms/Core/IndividualElement

Class hierarchy

/Core/Element
      /Core/IndividualElement

All properties

Summary

Provides an independently reproducible mechanism that permits verification of a specific Element.

Description

An IntegrityMethod provides an independently reproducible mechanism that permits verification of a specific Element that correlates to the data in this SPDX document. This identifier enables a recipient to determine if anything in the original Element has been changed and eliminates confusion over which version or modification of a specific Element is referenced.

Please note that different profiles may also provide additional methods for verifying the integrity of specific subclasses of Elements.

Metadata

https://spdx.org/rdf/3.0/terms/Core/IntegrityMethod

Class hierarchy

/Core/IntegrityMethod

Properties

All properties

Summary

Provide context for a relationship that occurs in the lifecycle.

Description

Certain relationships are sensitive to where they occur in the lifecycle. This parameter lets us avoid a proliferation of relationships, by parameterizing this context information for a relationship.

Metadata

https://spdx.org/rdf/3.0/terms/Core/LifecycleScopedRelationship

Class hierarchy

/Core/Element
      /Core/Relationship
            /Core/LifecycleScopedRelationship

Properties

All properties

Summary

A mapping between prefixes and namespace partial URIs.

Description

A namespace map allows the creator of a collection of serializable Elements to suggest shorter identifiers (“prefixes”) for specific namespace portions of Element IDs. This map is used in SPDX content serialization to provide a more human-readable and smaller serialized representation of the Elements.

For details of how NamespaceMap content is to be serialized refer to Clause 6 and the various serialization format-specific files within the spdx-3-model repository.

Namespace maps support a variety of relevant use cases such as:

1. An SPDX content producer wishing to provide clarity of their serialization of an SPDX 2.X simple style collection where all content is newly minted and a single prefix-namespace is used. The consumer of SPDX content wishes to preserve the name space mapping provided by such a producer.

• In this case, the consumer would record the namespace map prefixes in the NamespaceMap such that subsequent serializations could reproduce the prefixes / namespaces in the native serialization format.

1. An SPDX content producer wishing to maintain consistent prefix use and understanding across multiple different serialization formats of the produced content.

• For example, an SBOM producer wishes to share/publish the SBOM as JSON-LD and XML. The producer can specify the preferred prefix mappings in the native serialization format using information from a single NamespaceMap accessible local to the producer.

1. An SPDX content consumer/producer wishing to maintain consistent prefix use while round tripping from SPDX content received, deserialized, modified/extended in some way, and then reserialized in the same serialization form.

• In this case the prefix-namespace mappings utilized in the content are transformed from the original native namespace/prefix into the in memory NamespaceMap then transformed from the NamespaceMap back into the resultant serialization native namespace / prefix format.

Metadata

https://spdx.org/rdf/3.0/terms/Core/NamespaceMap

Class hierarchy

/Core/NamespaceMap

Properties

All properties

Summary

A group of people who work together in an organized way for a shared purpose.

Description

An Organization is a group of people who work together in an organized way for a shared purpose.

Metadata

https://spdx.org/rdf/3.0/terms/Core/Organization

Class hierarchy

/Core/Element
      /Core/Agent
            /Core/Organization

All properties

Summary

An SPDX version 2.X compatible verification method for software packages.

Description

This verification method is provided for compatibility with SPDX 2.X.

Use of this verification code method is discouraged except for scenarios where the contentIdentifier property on Artifact cannot be used.

This verification method provides an independently reproducible mechanism identifying specific contents of a package based on the actual files (except the SPDX document itself, if it is included in the package) that make up each package and that correlates to the data in this SPDX document.

This identifier enables a recipient to determine if any file in the original package (that the analysis was done on) has been changed and permits inclusion of an SPDX document as part of a package.

Algorithm:

templist = ""

for all files in the package {
if file is a packageVerificationCodeExcludedFile
skip it /* exclude SPDX analysis file */
else
append "algorithm(file)/n" to templist
}

sort templist in ascending order by value

/* remove separators from ordered sequence */
valueslist = remove "/n"s from templist

if valueslist is empty
hashValue = 0
else
hashValue = algorithm(valueslist)

where algorithm(string) applies a hash algorithm on a string and returns the result in lowercase hexadecimal digits.

Required sort order: ‘0’, ‘1’, ‘2’, ‘3’, ‘4’, ‘5’, ‘6’, ‘7’, ‘8’, ‘9’, ‘a’, ‘b’, ‘c’, ‘d’, ‘e’, ‘f’ (ASCII order)

Metadata

https://spdx.org/rdf/3.0/terms/Core/PackageVerificationCode

Class hierarchy

/Core/IntegrityMethod
      /Core/PackageVerificationCode

Properties

All properties

Summary

An individual human being.

Description

A Person is an individual human being.

Metadata

https://spdx.org/rdf/3.0/terms/Core/Person

Class hierarchy

/Core/Element
      /Core/Agent
            /Core/Person

All properties

Summary

A tuple of two positive integers that define a range.

Description

PositiveIntegerRange is a tuple of two positive integers that define a range. “beginIntegerRange” shall be less than or equal to “endIntegerRange”.

Metadata

https://spdx.org/rdf/3.0/terms/Core/PositiveIntegerRange

Class hierarchy

/Core/PositiveIntegerRange

Properties

All properties

Summary

Describes a relationship between one or more elements.

Description

A Relationship is a grouping of characteristics unique to an assertion that one Element is related to one or more other Elements in some way.

To explicitly assert that no such relationships exist, the to property shall contain the NoneElement individual and no other elements.

A relationship that contains NoneElement and additional elements in the to property is not valid.

To explicitly assert that no assertions are being made regarding the existence of such relationships, the to property shall contain the NoAssertionElement individual.

Metadata

https://spdx.org/rdf/3.0/terms/Core/Relationship

Class hierarchy

/Core/Element
      /Core/Relationship

Properties

All properties

Summary

A software agent.

Description

A SoftwareAgent is a software program that is given the authority (similar to a user’s authority) to act on a system.

Metadata

https://spdx.org/rdf/3.0/terms/Core/SoftwareAgent

Class hierarchy

/Core/Element
      /Core/Agent
            /Core/SoftwareAgent

All properties

Summary

A collection of SPDX Elements that could potentially be serialized.

Description

The SpdxDocument provides a convenient way to express information about collections of SPDX Elements that could potentially be serialized as complete units (e.g., all in-scope SPDX data within a single JSON-LD file).

SpdxDocument is independent of any particular serialization format or instance.

Information we wish to preserve about a specific instance of serialization of this SPDX content is NOT expressed using the SpdxDocument but rather using an associated Artifact representing a particular instance of SPDX data physical serialization.

Any instance of serialization of SPDX data shall not contain more than one SpdxDocument element definition.

Metadata

https://spdx.org/rdf/3.0/terms/Core/SpdxDocument

Class hierarchy

/Core/Element
      /Core/ElementCollection
            /Core/SpdxDocument

Properties

All properties

Summary

An element of hardware and/or software utilized to carry out a particular function.

Description

A Tool is an element of hardware and/or software utilized to carry out a particular function.

Metadata

https://spdx.org/rdf/3.0/terms/Core/Tool

Class hierarchy

/Core/Element
      /Core/Tool

All properties

Summary

Specifies the algorithm used for calculating the hash value.

Description

The algorithm used for calculating the hash value.

Metadata

https://spdx.org/rdf/3.0/terms/Core/algorithm

Referenced

• /Core/Hash
• /Core/PackageVerificationCode

Summary

Describes the type of annotation.

Description

An annotationType describes the type of an annotation.

Metadata

https://spdx.org/rdf/3.0/terms/Core/annotationType

Referenced

• /Core/Annotation

Summary

Defines the beginning of a range.

Description

beginIntegerRange is a positive integer that defines the beginning of a range.

Metadata

https://spdx.org/rdf/3.0/terms/Core/beginIntegerRange

Referenced

• /Core/PositiveIntegerRange

Summary

Specifies the time an artifact was built.

Description

A builtTime specifies the time an artifact was built.

Metadata

https://spdx.org/rdf/3.0/terms/Core/builtTime

Referenced

• /Core/Artifact

Summary

Provide consumers with comments by the creator of the Element about the Element.

Description

A comment is an optional field for creators of the Element to provide comments to the readers/reviewers of the document.

Metadata

https://spdx.org/rdf/3.0/terms/Core/comment

Referenced

• /Core/CreationInfo
• /Core/Element
• /Core/ExternalIdentifier
• /Core/ExternalRef
• /Core/IntegrityMethod

Summary

Provides information about the completeness of relationships.

Description

Completeness gives information about whether the provided relationships are complete, known to be incomplete or if no assertion is made either way.

Metadata

https://spdx.org/rdf/3.0/terms/Core/completeness

Referenced

• /Core/Relationship

Summary

Provides information about the content type of an Element or a property.

Description

This field is a reasonable estimation of the content type of the Element or the property, from a creator perspective.

Content type is intrinsic to the Element or the property, independent of how it is being used.

Metadata

https://spdx.org/rdf/3.0/terms/Core/contentType

Referenced

• /Core/Annotation
• /Core/ExternalRef
• /Software/File

Summary

Gives information about the circumstances or unifying properties that Elements of the bundle have been assembled under.

Description

A context gives information about the circumstances or unifying properties that Elements of the bundle have been assembled under.

Metadata

https://spdx.org/rdf/3.0/terms/Core/context

Referenced

• /Core/Bundle

Summary

Identifies when the Element was originally created.

Description

Created is a date that identifies when the Element was originally created.

The time stamp can serve as an indication as to whether the analysis needs to be updated.

This is often the date of last change (e.g., a git commit date), not the date when the SPDX data was created, as doing so supports reproducible builds.

Metadata

https://spdx.org/rdf/3.0/terms/Core/created

Referenced

• /Core/CreationInfo

Summary

Identifies who or what created the Element.

Description

CreatedBy identifies who or what created the Element.

The generation method will assist the recipient of the Element in assessing the general reliability/accuracy of the analysis information.

Metadata

https://spdx.org/rdf/3.0/terms/Core/createdBy

Referenced

• /Core/CreationInfo

Summary

Identifies the tooling that was used during the creation of the Element.

Description

CreatedUsing identifies the tooling that was used during the creation of the Element.

The generation method will assist the recipient of the Element in assessing the general reliability/accuracy of the analysis information.

Metadata

https://spdx.org/rdf/3.0/terms/Core/createdUsing

Referenced

• /Core/CreationInfo

Summary

Provides information about the creation of the Element.

Description

CreationInfo provides information about the creation of the Element.

Metadata

https://spdx.org/rdf/3.0/terms/Core/creationInfo

Referenced

• /Core/Element

Summary

Provides the license under which the SPDX documentation of the Element can be used.

Description

The data license provides the license under which the SPDX documentation of the Element can be used.

This is to alleviate any concern that content (the data or database) in an SPDX file is subject to any form of intellectual property right that could restrict the re-use of the information or the creation of another SPDX file for the same project(s).

This approach avoids intellectual property and related restrictions over the SPDX file; however, individuals can still contract with each other to restrict release of specific collections of SPDX files (which map to software bill of materials) and the identification of the supplier of SPDX files.

Compliance with this document includes populating the SPDX fields therein with data related to such fields (“SPDX-Metadata”).

This document contains numerous fields where an SPDX file creator may provide relevant explanatory text in SPDX-Metadata. Without opining on the lawfulness of “database rights” (in jurisdictions where applicable), such explanatory text is copyrightable subject matter in most Berne Convention countries.

By using the SPDX specification, or any portion hereof, you hereby agree that any copyright rights (as determined by your jurisdiction) in any SPDX-Metadata, including without limitation explanatory text, shall be subject to the terms of the Creative Commons CC0 1.0 Universal license.

For SPDX-Metadata not containing any copyright rights, you hereby agree and acknowledge that the SPDX-Metadata is provided to you “as-is” and without any representations or warranties of any kind concerning the SPDX-Metadata, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non-infringement, or the absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.

Metadata

https://spdx.org/rdf/3.0/terms/Core/dataLicense

Referenced

• /Core/SpdxDocument

Summary

Artifact representing a serialization instance of SPDX data containing the definition of a particular Element.

Description

A definingArtifact property is used to link the Element identifier for an Element defined external to a given SpdxDocument to an Artifact Element representing the SPDX serialization instance which contains the definition for the Element.

Metadata

https://spdx.org/rdf/3.0/terms/Core/definingArtifact

Referenced

• /Core/ExternalMap

Summary

Provides a detailed description of the Element.

Description

This field is a detailed description of the Element. It may also be extracted from the Element itself.

The intent is to provide recipients of the SPDX file with a detailed technical explanation of the functionality, anticipated use, and anticipated implementation of the Element.

This field may also include a description of improvements over prior versions of the Element.

Metadata

https://spdx.org/rdf/3.0/terms/Core/description

Referenced

• /Core/Element

Summary

Refers to one or more Elements that are part of an ElementCollection.

Description

This field refers to one or more Elements that are part of an ElementCollection.

Metadata

https://spdx.org/rdf/3.0/terms/Core/element

Referenced

• /Core/ElementCollection

Summary

Defines the end of a range.

Description

endIntegerRange is a positive integer that defines the end of a range.

Metadata

https://spdx.org/rdf/3.0/terms/Core/endIntegerRange

Referenced

• /Core/PositiveIntegerRange

Summary

Specifies the time from which an element is no longer applicable / valid.

Description

An endTime specifies the time from which element is no longer applicable / valid.

Metadata

https://spdx.org/rdf/3.0/terms/Core/endTime

Referenced

• /Core/Relationship

Summary

Specifies an Extension characterization of some aspect of an Element.

Description

extension specifies an Extension-based characterization of a particular aspect of an Element.

Metadata

https://spdx.org/rdf/3.0/terms/Core/extension

Referenced

• /Core/Element

Summary

Provides a reference to a resource outside the scope of SPDX 3.0 content that uniquely identifies an Element.

Description

ExternalIdentifier points to a resource outside the scope of SPDX 3.0 content that uniquely identifies an Element.

Metadata

https://spdx.org/rdf/3.0/terms/Core/externalIdentifier

Referenced

• /Core/Element

Summary

Specifies the type of the external identifier.

Description

An externalIdentifierType specifies the type of the external identifier.

Metadata

https://spdx.org/rdf/3.0/terms/Core/externalIdentifierType

Referenced

• /Core/ExternalIdentifier

Summary

Points to a resource outside the scope of the SPDX 3.0 content that provides additional characteristics of an Element.

Description

This field points to a resource outside the scope of the SPDX 3.0 content that provides additional characteristics of an Element.

Metadata

https://spdx.org/rdf/3.0/terms/Core/externalRef

Referenced

• /Core/Element

Summary

Specifies the type of the external reference.

Description

An externalRefType specifies the type of the external reference.

Metadata

https://spdx.org/rdf/3.0/terms/Core/externalRefType

Referenced

• /Core/ExternalRef

Summary

Identifies an external Element used within an SpdxDocument but defined external to that SpdxDocument.

Description

An externalSpdxId identifies an external Element used within an SpdxDocument but defined external to that SpdxDocument.

Metadata

https://spdx.org/rdf/3.0/terms/Core/externalSpdxId

Referenced

• /Core/ExternalMap

Summary

References the Element on the left-hand side of a relationship.

Description

This field references the Element on the left-hand side of a relationship.

Metadata

https://spdx.org/rdf/3.0/terms/Core/from

Referenced

• /Core/Relationship

Summary

The result of applying a hash algorithm to an Element.

Description

A hashValue is the result of applying a hash algorithm to an Element.

Metadata

https://spdx.org/rdf/3.0/terms/Core/hashValue

Referenced

• /Core/Hash
• /Core/PackageVerificationCode

Summary

Uniquely identifies an external element.

Description

An identifier uniquely identifies an external element.

Metadata

https://spdx.org/rdf/3.0/terms/Core/identifier

Referenced

• /Core/ExternalIdentifier

Summary

Provides the location for more information regarding an external identifier.

Description

Identifiers are not always structured as URIs. An identifierLocator is a location hint (a URL) that provides contextual information relevant to the identifier.

Metadata

https://spdx.org/rdf/3.0/terms/Core/identifierLocator

Referenced

• /Core/ExternalIdentifier

Summary

Provides an ExternalMap of Element identifiers.

Description

An import provides an ExternalMap of an Element identifier that is used within a document but defined external to that document.

Metadata

https://spdx.org/rdf/3.0/terms/Core/import

Referenced

• /Core/SpdxDocument

Summary

An entity that is authorized to issue identification credentials.

Description

An issuingAuthority is an entity that is authorized to issue identification credentials.

The entity may be a government, non-profit, educational institution, or commercial enterprise.

The string provides a unique identifier for the issuing authority.

Metadata

https://spdx.org/rdf/3.0/terms/Core/issuingAuthority

Referenced

• /Core/ExternalIdentifier

Summary

A key used in a generic key-value pair.

Description

A key used in generic a key-value pair.

A key-value pair can be used to implement a dictionary which associates a key with a value.

Metadata

https://spdx.org/rdf/3.0/terms/Core/key

Referenced

• /Core/DictionaryEntry

Summary

Provides an indication of where to retrieve an external Element.

Description

A locationHint provides an indication of where to retrieve an external Element.

Metadata

https://spdx.org/rdf/3.0/terms/Core/locationHint

Referenced

• /Core/ExternalMap

Summary

Provides the location of an external reference.

Description

A locator provides the location of an external reference.

Metadata

https://spdx.org/rdf/3.0/terms/Core/locator

Referenced

• /Core/ExternalRef

Summary

Identifies the name of an Element as designated by the creator.

Description

This field identifies the name of an Element as designated by the creator.

The name of an Element is an important convention and easier to refer to than the URI.

Metadata

https://spdx.org/rdf/3.0/terms/Core/name

Referenced

• /Core/Element

Summary

Provides an unambiguous mechanism for conveying a URI fragment portion of an Element ID.

Description

A namespace provides an unambiguous mechanism for conveying a URI fragment portion of an Element ID.

Metadata

https://spdx.org/rdf/3.0/terms/Core/namespace

Referenced

• /Core/NamespaceMap

Summary

Provides a NamespaceMap of prefixes and associated namespace partial URIs applicable to an SpdxDocument and independent of any specific serialization format or instance.

Description

This field provides a NamespaceMap of prefixes and associated namespace partial URIs applicable to an SpdxDocument and independent of any specific serialization format or instance.

Metadata

https://spdx.org/rdf/3.0/terms/Core/namespaceMap

Referenced

• /Core/SpdxDocument

Summary

Identifies from where or whom the Element originally came.

Description

An originatedBy identifies from where or whom the Element originally came.

Metadata

https://spdx.org/rdf/3.0/terms/Core/originatedBy

Referenced

• /Core/Artifact

Summary

The relative file name of a file to be excluded from the PackageVerificationCode.

Description

A relative filename with the root of the package archive or directory referencing a file to be excluded from the PackageVerificationCode.

Every filename is preceded with a ./.

Metadata

https://spdx.org/rdf/3.0/terms/Core/packageVerificationCodeExcludedFile

Referenced

• /Core/PackageVerificationCode

Summary

A substitute for a URI.

Description

A prefix is a substitute for a URI.

Metadata

https://spdx.org/rdf/3.0/terms/Core/prefix

Referenced

• /Core/NamespaceMap

Summary

Describes one a profile which the creator of this ElementCollection intends to conform to.

Description

Describes a profile to which the creator of this ElementCollection intends to conform.

The profileConformance will apply to all Elements contained within the collection as well as the collection itself.

Conformance to a profile is defined by the additional restrictions documented in the profile specific documentation and schema files.

Use of this property allows the creator of an ElementCollection to communicate to consumers their intent to adhere to the profile additional restrictions.

The profileConformance has a default value of “core” if no other profileConformance is specified since all ElementCollections and Element shall adhere to the Core profile.

Metadata

https://spdx.org/rdf/3.0/terms/Core/profileConformance

Referenced

• /Core/ElementCollection

Summary

Information about the relationship between two Elements.

Description

This field provides information about the relationship between two Elements.

For example, you can represent a relationship between two different Files, between a Package and a File, between two Packages, or between one SpdxDocument and another SpdxDocument.

Metadata

https://spdx.org/rdf/3.0/terms/Core/relationshipType

Referenced

• /Core/Relationship

Summary

Specifies the time an artifact was released.

Description

A releaseTime specifies the time an artifact was released.

Metadata

https://spdx.org/rdf/3.0/terms/Core/releaseTime

Referenced

• /Core/Artifact

Summary

This property is used to denote the root Element(s) of a tree of elements contained in a BOM.

Description

This property is used to denote the root Element(s) of a tree of elements contained in a BOM. The tree consists of other elements directly and indirectly related through properties or Relationships from the root.

Metadata

https://spdx.org/rdf/3.0/terms/Core/rootElement

Referenced

• /Core/ElementCollection

Summary

Capture the scope of information about a specific relationship between elements.

Description

A scope is additional context about a relationship, that clarifies the relationship between elements.

Metadata

https://spdx.org/rdf/3.0/terms/Core/scope

Referenced

• /Core/LifecycleScopedRelationship

Summary

Identifies an Element to be referenced by other Elements.

Description

An spdxId uniquely identifies an Element which may thereby be referenced by other Elements. These references may be internal or external. While there may be several versions of the same Element, each one needs to be able to be referred to uniquely so that relationships between Elements can be clearly articulated.

Metadata

https://spdx.org/rdf/3.0/terms/Core/spdxId