SYSTEM Cited by 1 source

SPDX

SPDX (Software Package Data Exchange) is a Linux Foundation-stewarded open standard for exchanging Software Bill of Materials (SBOM) data. SPDX 2.2.1 is published as ISO/IEC 5962:2021. It originated in, and is still widely used for, license-compliance workflows; its data model covers packages, files, snippets, relationships, and licenses.

SPDX is one of the two industry-canonical SBOM formats (the other being CycloneDX); tools like systems/syft can emit either format from the same scan, and tools like systems/grype accept either as input.

Key elements

  • packages — components in the artifact. Each carries a name, versionInfo, a document-local SPDXID (SPDXRef-...), checksums, licenseConcluded / licenseDeclared, and optionally a purl, which SPDX 2.x stores as an externalRef of type purl rather than as a top-level field.
  • files — individual files within packages (finer granularity than CycloneDX defaults to).
  • relationships — typed edges between packages / files (DEPENDS_ON, CONTAINS, GENERATED_FROM, etc.).
  • licenses — SPDX License Identifiers (Apache-2.0, MIT, GPL-3.0-only, etc.), combinable into license expressions (MIT OR Apache-2.0, GPL-2.0-only WITH Classpath-exception-2.0). The SPDX License List identifier system is itself a canonical artifact, used well beyond SBOMs in package manifests and source-file headers.
  • Output formats (SPDX 2.x): tag-value (.spdx), JSON, YAML, RDF/XML, XML.
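As an added example (not code from the SPDX project, syft, grype, or the source cited below), here is a small Python consumer for the elements listed above. It loads a constructed SPDX 2.3 JSON document, indexes every element by SPDXID, flags relationships whose endpoints resolve to nothing, walks DEPENDS_ON edges from the package the document DESCRIBES, pulls the purl out of externalRefs, and checks licenseConcluded expressions against a hypothetical allow-list. The sample document, the allow-list, and all function names are assumptions made for this example; the license-expression handling is a deliberate simplification (it tokenizes rather than parsing operator precedence).

```python
"""Consume an SPDX 2.3 JSON SBOM: index elements, walk relationships, check licenses.
Added illustration, not code from the SPDX project or any SBOM tool: the document is
constructed, the licence allow-list is a hypothetical policy, helpers are not a library."""
import json

LICENSE_OPERATORS = {"AND", "OR", "WITH"}
NO_ELEMENT = {"NOASSERTION", "NONE"}  # spec placeholders, never real SPDXIDs

def _rel(src, kind, dst):
    return {"spdxElementId": src, "relationshipType": kind, "relatedSpdxElement": dst}

def _purl(locator):
    return {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": locator}

# Constructed SPDX 2.3 document (not real scanner output); the DEPENDS_ON edge to
# "SPDXRef-Package-missing" is deliberately dangling.
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app", "documentNamespace": "https://example.invalid/spdx/example-app",
    "packages": [
        {"name": "example-app", "SPDXID": "SPDXRef-Package-app", "versionInfo": "1.0.0",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "Apache-2.0"},
        {"name": "lodash", "SPDXID": "SPDXRef-Package-lodash", "versionInfo": "4.17.21",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "MIT",
         "externalRefs": [_purl("pkg:npm/lodash@4.17.21")]},
        {"name": "readline", "SPDXID": "SPDXRef-Package-readline", "versionInfo": "8.2",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "GPL-3.0-or-later",
         "externalRefs": [_purl("pkg:deb/debian/readline@8.2")]},
        {"name": "mystery", "SPDXID": "SPDXRef-Package-mystery", "versionInfo": "0.1",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "NOASSERTION"},
    ],
    "files": [{"fileName": "./lib/index.js", "SPDXID": "SPDXRef-File-index", "licenseConcluded": "MIT",
               "checksums": [{"algorithm": "SHA1", "checksumValue": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}]}],
    "relationships": [
        _rel("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-Package-app"),
        _rel("SPDXRef-Package-app", "DEPENDS_ON", "SPDXRef-Package-lodash"),
        _rel("SPDXRef-Package-app", "DEPENDS_ON", "SPDXRef-Package-readline"),
        _rel("SPDXRef-Package-lodash", "CONTAINS", "SPDXRef-File-index"),
        _rel("SPDXRef-Package-readline", "DEPENDS_ON", "SPDXRef-Package-mystery"),
        _rel("SPDXRef-Package-app", "DEPENDS_ON", "SPDXRef-Package-missing"),
    ],
})

def load_spdx(text):
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("expected an SPDX 2.x JSON document")
    return doc

def index_elements(doc):
    """Map every SPDXID (document, packages, files, snippets) to its element."""
    elems = {doc["SPDXID"]: doc}
    for key in ("packages", "files", "snippets"):
        for el in doc.get(key, []):
            elems[el["SPDXID"]] = el
    return elems

def dangling_relationships(doc):
    """(src, type, dst) triples where an endpoint names no element in this document.
    "DocumentRef-x:SPDXRef-y" legitimately points into another SPDX document."""
    known = index_elements(doc)
    bad = []
    for r in doc.get("relationships", []):
        ends = (r["spdxElementId"], r["relatedSpdxElement"])
        if any(e not in known and e not in NO_ELEMENT and not e.startswith("DocumentRef-") for e in ends):
            bad.append((ends[0], r["relationshipType"], ends[1]))
    return bad

def described_packages(doc):
    """Roots of the dependency graph: what the document says it DESCRIBES."""
    return [r["relatedSpdxElement"] for r in doc.get("relationships", [])
            if r["spdxElementId"] == doc["SPDXID"] and r["relationshipType"] == "DESCRIBES"]

def transitive_deps(doc, root):
    """SPDXIDs reachable from root over DEPENDS_ON edges (cycle-safe)."""
    edges = {}
    for r in doc.get("relationships", []):
        if r["relationshipType"] == "DEPENDS_ON":
            edges.setdefault(r["spdxElementId"], []).append(r["relatedSpdxElement"])
    seen, stack = set(), [root]
    while stack:
        for dep in edges.get(stack.pop(), []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen

def purl_of(pkg):
    """purl is not a top-level package field; it rides in externalRefs."""
    return next((ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                 if ref.get("referenceType") == "purl"), None)

def license_ids(expression):
    """Identifiers in an SPDX license expression, parentheses and AND/OR/WITH dropped.
    A WITH exception (e.g. Classpath-exception-2.0) is its own token: allow-list it too."""
    return [t for t in expression.replace("(", " ").replace(")", " ").split()
            if t not in LICENSE_OPERATORS]

def license_violations(doc, allowed):
    """Packages whose concluded license is unknown or contains a non-allowed identifier."""
    out = []
    for pkg in doc.get("packages", []):
        expr = pkg.get("licenseConcluded", "NOASSERTION")
        ids = license_ids(expr)
        if not ids or any(i in NO_ELEMENT or i not in allowed for i in ids):
            out.append((pkg["SPDXID"], expr))
    return sorted(out)
```

Two checks here matter in practice and are easy to forget: a relationship that points at an SPDXID the document never defines (a dangling edge) means the graph cannot be walked from the DESCRIBES root, so a vulnerability or license query silently misses that subtree; and licenseConcluded of NOASSERTION is not "no problem", it is "nobody looked", and a policy should treat it as a finding rather than a pass.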

Canonical wiki use (Zalando 2023-04-12)

Named alongside CycloneDX as a "common format" at Zalando: "Common formats like CycloneDX or SPDX help with portability and integration into various tooling." (Source: sources/2023-04-12-zalando-how-software-bill-of-materials-change-the-dependency-game).
