SPDX, short for Software Package Data Exchange, has become an industry-standard for sharing data about software packages. It primarily focuses on conveying information about open source licenses, but its scope has expanded over time to encompass a broader range of software supply chain data.

The importance of SPDX soared after the U.S. federal government's 2021 cybersecurity directive EO14028 endorsed it as an approved software bill of materials (SBOM) format.

SPDX was initiated in 2010 by the Linux Foundation, making it one of the earlier SBOM standards. As of June 2023, the latest release is version 2.3.

Diverse Applications of SPDX

While SPDX began with a primary focus on open source license compliance, it has grown to provide detailed software bill of materials information. Its capabilities include:

  • License Information: Capturing the full details of open source licenses associated with a software package.
  • Provenance: Documenting the origin and history of a software component.
  • Relationships: Describing relationships between different software components.
  • Annotations: Providing additional context or notes related to software components.

The Linux Foundation and the SPDX community continue to push the boundaries of the standard, ensuring that it remains robust and relevant in the face of evolving software supply chain challenges.

SPDX Bill of Materials Elements

The SPDX specification revolves around several primary elements: document creation, package information, file information, snippet information, and other licensing. These elements serve distinct roles, from offering a high-level overview of a software package to detailing individual file-level metadata.

Recent enhancements to SPDX have seen a broader acceptance of file formats, greater granularity in license identification, and more comprehensive documentation capabilities.

SPDX vs. CycloneDX

Both SPDX and CycloneDX play pivotal roles in the SBOM ecosystem, with both formats being human-readable and machine-processable. As previously mentioned in the CycloneDX context, the U.S. government’s 2021 cybersecurity order recognizes both formats. Their primary differences are:

  • Origins: SPDX was tailored primarily for open source license compliance, whereas CycloneDX had a more security-centric inception.
  • File Formats: While both standards embrace JSON and XML, SPDX uniquely supports YAML and Excel, setting it apart from CycloneDX’s Protocol Buffers.

Generating an SPDX Document

Creating an accurate SPDX document often requires integrating SPDX generation tools into your build or CI/CD process. This ensures the software components and licenses are captured correctly and in real-time. Tools like DoSOCSv2, sw360, and SPDX-Tools can be used when creating SPDX documents in various formats, like JSON, XML, or YAML.