Software Package Data Exchange
Software Package Data Exchange (SPDX) is an open standard for software bill of materials (SBOM).[1] SPDX allows the expression of components, licenses, copyrights, security references and other metadata relating to software.[2] Its original purpose was to improve license compliance,[3] and has since been expanded to facilitate additional use-cases, such as supply-chain transparency and security.[4] SPDX is authored by the community-driven SPDX Project under the auspices of the Linux Foundation.
The current version of the standard is 2.2.1.[5]
Version history[]
Version number | Publication date | Notes | References |
---|---|---|---|
1.0 | August 2011 | The first release of the SPDX specification; handles packages. | [3] |
1.1 | August 2012 | Fixed a flaw in the SPDX Package Verification Code (a cryptographic hash function) and added support for free-form comments. | [6] |
1.2 | October 2013 | Improved interaction with the SPDX License List, and added new fields for documenting extra information about software projects. | [7] |
2.0 | May 2015 | Added the ability to describe multiple packages and the relationships between different packages and files. | [8] |
2.1 | November 2016 | Added support for describing 'snippets' of code and the ability to reference non-SPDX data (such as CVEs). | [9][10] |
2.2 | May 2020 | Added 'SPDX-lite' profile for minimal software bill of materials and improved support for external references. | [11] |
2.2.1 | October 2020 | Functionally equivalent to SPDX 2.2 but with typesetting for publication as an ISO standard. | [12] |
The first version of the SPDX specification was intended to make compliance with software licenses easier,[3] but subsequent versions of the specification added capabilities intended for other use-cases, such as being able to contain references to known software vulnerabilities.[10] Recent versions of SPDX fulfill the NTIA's 'Minimum Elements For a Software Bill of Materials'.[13]
SPDX 2.2.1 was submitted to the International Organization for Standardization (ISO) in October, 2020, and was published as ISO/IEC 5962:2021 Information technology — SPDX® Specification V2.2.1 in August, 2021.[12][14]
License syntax[]
Each license is identified by a full name, such as "Mozilla Public License 2.0" and a short identifier, here "MPL-2.0".
Licenses can be combined by operators AND
and OR
, and grouping (
, )
.
For example, (Apache-2.0 OR MIT)
means that one can choose between Apache-2.0
(Apache License) or MIT
(MIT license). On the other hand, (Apache-2.0 AND MIT)
means that both licenses apply.
There is also a "+" operator, when applied to a license, means that future versions of the license apply as well. For example, Apache-1.1+
means that Apache-1.1
and Apache-2.0
may apply (and future versions if any).
SPDX describes the exact terms under which a piece of software is licensed. It does not attempt to categorize licenses by type, for instance by describing licenses with similar terms to the BSD License as "BSD-like".[15]
In 2020, the European Commission publishes its Joinup Licensing Assistant,[16] which makes possible the selection and comparison of more than 50 licenses, with access to their SPDX identifier and full text.
Deprecated license identifiers[]
The GNU family of licenses (e.g., GNU General Public License version 2) have the choice of choosing a later version of the license built in. Sometimes, it was not clear, whether the SPDX expression GPL-2.0
meant "exactly GPL version 2.0" or "GPL version 2.0 or any later version".[17] Thus, since version 3.0 of the SPDX License List, the GNU family of licenses got new names.[18] GPL-2.0-only
means "exactly version 2.0" and GPL-2.0-or-later
means "version 2.0 or any later version".
See also[]
References[]
- ^ Stewart, Kate (May 25, 2021). "SPDX: It's Already in Use for Global Software Bill of Materials (SBOM) and Supply Chain Security". Linux Foundation. Retrieved 2021-08-13.
- ^ "Survey of Existing SBOM Formats and Standards" (PDF). National Telecommunications and Information Administration. October 25, 2019. p. 9. Retrieved 2021-08-13.
- ^ a b c Bridgwater, Adrian (August 19, 2011). "Linux Foundation eases open source licensing woes". Computer Weekly. Retrieved 2021-08-13.
- ^ Rushgrove, Gareth (June 16, 2021). "Advancing SBOM standards: Snyk and SPDX". Retrieved 2021-08-14.
- ^ "SPDX Current version". spdx.dev. Retrieved 2021-12-01.
- ^ "The Linux Foundation's SPDX Workgroup Releases New Version of Software Package Data Exchange Standard". Linux Foundation. August 30, 2012. Retrieved 2021-12-01.
- ^ "The Linux Foundation's SPDX Workgroup Releases New Version of Software Package Data Exchange Standard". Linux Foundation. October 22, 2013. Retrieved 2021-12-01.
- ^ "What's new in SPDX 2.0". LWN.net. May 20, 2015. Retrieved 2021-12-01.
- ^ "General Meeting/Minutes/2016-11-03". wiki.spdx.org. November 3, 2016. Retrieved 2021-12-01.
- ^ a b "The Linux Foundation's Open Compliance Initiative Releases New SPDX Specification". Linux Foundation. October 4, 2016. Retrieved 2021-12-01.
- ^ "SPDX 2.2 Specification Released". Linux Foundation. May 7, 2020. Retrieved 2021-12-01.
- ^ a b "ISO/IEC 5962:2021 Information technology — SPDX® Specification V2.2.1". iso.org. Retrieved 2021-12-01.
- ^ "The Minimum Elements For a Software Bill of Materials (SBOM)" (PDF). National Telecommunications and Information Administration. Retrieved 2021-12-01.
- ^ Bernard, Allen (September 9, 2021). "SPDX becomes internationally recognized standard". TechRepublic. Retrieved 2021-12-01.
- ^ Odence, Phil (2010-06-23). "The Software Package Data Exchange (SPDX) Format". Dr Dobb's. Retrieved 2012-08-31.
- ^ "Joinup Licensing Assistant". Retrieved 31 March 2020.
- ^ Richard Stallman. "For Clarity's Sake, Please Don't Say "Licensed under GNU GPL 2"!". gnu.org. Retrieved 2018-05-24.
- ^ Jilayne Lovejoy (5 January 2018). "License List 3.0 Released!". spdx.dev. Archived from the original on 2018-01-05. Retrieved 2021-09-02.
External links[]
- Official website
- SPDX on the ISO website
- Linux Foundation Open Compliance Program
- Nathan Willis: A SPDX case study LWN.net
- Computer standards
- Linux Foundation projects
- ISO standards
- IEC standards