This specification describes the SPDX® language, defined as a dictionary of named properties and classes using W3C's RDF Technology.
SPDX® is an open standard for communicating software bill of material information, including components, licenses, copyrights, and security references. SPDX reduces redundant work by providing a common format for companies and communities to share important data, thereby streamlining and improving compliance.
.
Known issues:
- rdfs:comment and rdfs:seeAlso are used within the SPDX classes and causes a redefinition of these standard terms
SPDX 2.3
2.3
Identifies the algorithm used to produce the subject Checksum. Currently, SHA-1 is the only supported algorithm. It is anticipated that other algorithms will be supported at a later time.
stable
Provide additional information about an SpdxElement.
stable
Type of the annotation.
stable
Deprecated as of version 2.1
Indicates the project in which the SpdxElement originated. Tools must preserve doap:homepage and doap:name properties and the URI (if one is known) of doap:Project resources that are values of this property. All other properties of doap:Projects are not directly supported by SPDX and may be dropped when translating to or from some SPDX formats.
true
deprecated
The checksum property provides a mechanism that can be used to verify that the contents of a File or Package have not changed.
stable
The creationInfo property relates an SpdxDocument to a set of information about the creation of the SpdxDocument.
stable
Cross Reference Detail for a license SeeAlso URL
Compliance with the SPDX specification includes populating the SPDX fields therein with data related to such fields ("SPDX-Metadata"). The SPDX specification contains numerous fields where an SPDX document creator may provide relevant explanatory text in SPDX-Metadata. Without opining on the lawfulness of "database rights" (in jurisdictions where applicable), such explanatory text is copyrightable subject matter in most Berne Convention countries. By using the SPDX specification, or any portion hereof, you hereby agree that any copyright rights (as determined by your jurisdiction) in any SPDX-Metadata, including without limitation explanatory text, shall be subject to the terms of the Creative Commons CC0 1.0 Universal license. For SPDX-Metadata not containing any copyright rights, you hereby agree and acknowledge that the SPDX-Metadata is provided to you "as-is" and without any representations or warranties of any kind concerning the SPDX-Metadata, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non-infringement, or the absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.
stable
The describesPackage property relates an SpdxDocument to the package which it describes.
stable
Identify any external SPDX documents referenced within this SPDX document.
stable
An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package.
stable
This field is deprecated since SPDX 2.0 in favor of using Section 7 which provides more granularity about relationships.
true
deprecated
The type of the file.
stable
Indicates that a particular ExtractedLicensingInfo was defined in the subject SpdxDocument.
stable
Indicates that a particular file belongs to a package.
stable
The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the SPDX Item.
If the licenseConcluded field is not present for an SPDX Item, it implies an equivalent meaning to NOASSERTION.
stable
The licensing that the creators of the software in the package, or the packager, have declared. Declarations by the original software creator should be preferred, if they exist.
stable
An exception to a license.
stable
The licensing information that was discovered directly within the package. There will be an instance of this property for each distinct value of alllicenseInfoInFile properties of all files contained in the package.
If the licenseInfoFromFiles field is not present for a package and filesAnalyzed property for that same pacakge is true or omitted, it implies an equivalent meaning to NOASSERTION.
stable
Licensing information that was discovered directly in the subject file. This is also considered a declared license for the file.
If the licenseInfoInFile field is not present for a file, it implies an equivalent meaning to NOASSERTION.
stable
Licensing information that was discovered directly in the subject snippet. This is also considered a declared license for the snippet.
If the licenseInfoInSnippet field is not present for a snippet, it implies an equivalent meaning to NOASSERTION.
stable
A license, or other licensing information, that is a member of the subject license set.
stable
A manifest based verification code (the algorithm is defined in section 3.9.4 of the full specification) of the package. This allows consumers of this data and/or database to determine if a package they have in hand is identical to the package from which the data was produced. This algorithm works even if the SPDX document is included in the package.
stable
This field provides information about the primary purpose of the identified package. Package Purpose is intrinsic to how the package is being used rather than the content of the package.
stable
This field defines the byte range in the original host file (in X.2) that the snippet information applies to
stable
Category for the external reference
stable
Type of the external reference. These are definined in an appendix in the SPDX specification.
stable
Indicates that a particular file belongs as part of the set of analyzed files in the SpdxDocument.
This property has been replaced by a relationship between the SPDX document and file with a "contains" relationship type.
true
deprecated
A related SpdxElement.
stable
Defines a relationship between two SPDX elements. The SPDX element may be a Package, File, or SpdxDocument.
stable
Describes the type of relationship between two SPDX elements.
stable
File containing the SPDX element (e.g. the file contaning a snippet).
stable
A property containing an SPDX document.
stable
stable
stable
stable
Identify when the comment was made. This is to be specified according to the combined date and time in the UTC format, as specified in the ISO 8601 standard.
stable
This field identifies the person, organization, or tool that has commented on a file, package, snippet, or the entire document.
stable
This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.
stable
This field provides a place for recording the actual date the package was built.
stable
The checksumValue property provides a lower case hexidecimal encoded digest value produced using a specific algorithm.
stable
Example for use of the external repository identifier
stable
The text of copyright declarations recited in the package, file or snippet.
If the copyrightText field is not present, it implies an equivalent meaning to NOASSERTION.
stable
Identify when the SPDX document was originally created. The date is to be specified according to combined date and time in UTC format as specified in ISO 8601 standard.
stable
Identify who (or what, in the case of a tool) created the SPDX document. If the SPDX document was created by an individual, indicate the person's name. If the SPDX document was created on behalf of a company or organization, indicate the entity name. If the SPDX document was created using a software tool, indicate the name and version for that tool. If multiple participants or tools were involved, use multiple instances of this field. Person name or organization name may be designated as “anonymous” if appropriate.
stable
A date-time stamp.
stable
License list version where this license was decprecated
stable
Provides a detailed description of the package.
stable
Website containing the documentation related to the repository identifier
stable
The URI at which this package is available for download. Private (i.e., not publicly reachable) URIs are acceptable as values of this property. The values http://spdx.org/rdf/terms#none and http://spdx.org/rdf/terms#noassertion may be used to specify that the package is not downloadable or that no attempt was made to determine its download location, respectively.
stable
Text for examples in describing an SPDX element.
stable
HTML representation of the License Exception Text
stable
externalDocumentId is a string containing letters, numbers, ., - and/or + which uniquely identifies an external document within this document.
stable
Website for the maintainers of the external reference site
stable
Provide a copy of the actual text of the license reference extracted from the package, file or snippet that is associated with the License Identifier to aid in future analysis.
stable
This field provides a place for the SPDX file creator to record file contributors. Contributors could include names of copyright holders and/or authors who may not be copyright holders yet contributed to the file content.
stable
The name of the file relative to the root of the package.
stable
Indicates whether the file content of this package has been available for or subjected to analysis when creating the SPDX document. If false indicates packages that represent metadata or URI references to a project, product, artifact, distribution or a component. If set to false, the package must not contain any files.
stable
Indicate a URL is still a live accessible location on the public internet
Indicates if the OSI has approved the license.
stable
True if the URL is a valid well formed URL
True if the License SeeAlso URL points to a Wayback archive
The licenseComments property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded was chosen.
stable
Short form license exception identifier in Appendix I.2 of the SPDX specification.
stable
Template for matching license exception text
stable
Full text of the license exception.
stable
A human readable short form license identifier for a license. The license ID is either on the standard license list or the form "LicenseRef-[idString]" where [idString] is a unique string containing letters, numbers, "." or "-". When used within a license expression, the license ID can optionally include a reference to an external document in the form "DocumentRef-[docrefIdString]:LicenseRef-[idString]" where docRefIdString is an ID for an external document reference.
stable
An optional field for creators of the SPDX file to provide the version of the SPDX License List used when the SPDX file was created.
stable
Full text of the license.
stable
License text in HTML format
stable
Status of a License List SeeAlso URL reference if it refers to a website that matches the license text.
Identify name of this SpdxElement.
stable
This field provides a place for the SPDX file creator to record potential legal notices found in the file. This may or may not include copyright statements.
stable
The ordinal order of this element within a list
The name and, optionally, contact information of the person or organization that originally created the package. Values of this property must conform to the agent and tool syntax.
The base name of the package file name. For example, zlib-1.2.5.tar.gz.
stable
Identify the full name of the package as given by Package Originator.
stable
A file that was excluded when calculating the package verification code. This is usually a file containing SPDX data regarding the package. If a package contains more than one SPDX file all SPDX files must be excluded from the package verification code. If this is not done it would be impossible to correctly calculate the verification codes in both files.
stable
The actual package verification code as a hex encoded value.
stable
The unique string with no spaces necessary to access the package-specific information, metadata, or content within the target location. The format of the locator is subject to constraints defined by the <type>.
stable
This field provides a place for recording the date the package was released.
stable
Deprecated in favor of Annotation with an annotationType_review.
The date and time at which the SpdxDocument was reviewed. This value must be in UTC and have 'Z' as its timezone indicator.
true
deprecated
The name and, optionally, contact information of the person who performed the review. Values of this property must conform to the agent and tool syntax. The reviewer property is deprecated in favor of Annotation with an annotationType review.
true
deprecated
Identify a specific snippet in a human convenient manner.
stable
Allows the producer(s) of the SPDX document to describe how the package was acquired and/or changed from the original source.
stable
Provide a reference number that can be used to understand how to parse and interpret the rest of the file. It will enable both future changes to the specification and to support backward compatibility. The version number consists of a major and minor version indicator. The major field will be incremented when incompatible changes between versions are made (one or more sections are created, modified or deleted). The minor field will be incremented when backwards compatible changes are made.
License author's preferred text to indicated that a file is covered by the license.
stable
HTML representation of the standard license header
stable
License template which describes sections of the license header which can be varied. See License Template section of the specification for format information.
stable
License template which describes sections of the license which can be varied. See License Template section of the specification for format information.
stable
Provides a short description of the package.
stable
The name and, optionally, contact information of the person or organization who was the immediate supplier of this package to the recipient. The supplier may be different than originator when the software has been repackaged. Values of this property must conform to the agent and tool syntax.
stable
Timestamp
URL Reference
This field provides a place for recording the end of the support period for a package from the supplier.
stable
Provides an indication of the version of the package that is described by this SpdxDocument.
stable
stable
stable
stable
1
1
1
1
An Annotation is a comment on an SpdxItem by an agent.
stable
This type describes the type of annotation. Annotations are usually created when someone reviews the file, and if this is the case the annotation type should be REVIEW.
stable
The AnyLicenseInfo class includes all resources that represent licensing information.
http://spdx.org/rdf/terms#AnyLicenseInfo
stable
1
1
A Checksum is value that allows the contents of a file to be authenticated. Even small changes to the content of the file will change its checksum. This class allows the results of a variety of checksum and cryptographic message digest algorithms to be represented.
stable
Algorighm for Checksums.
stable
2
A ConjunctiveLicenseSet represents a set of licensing information all of which apply.
stable
1
1
1
1
One instance is required for each SPDX file produced. It provides the necessary information for forward and backward compatibility for processing tools.
stable
1
1
1
1
1
1
1
Cross reference details for the a URL reference
stable
2
A DisjunctiveLicenseSet represents a set of licensing information where only one license applies at a time. This class implies that the recipient gets to choose one of these licenses they would prefer to use.
stable
1
1
1
Information about an external SPDX document reference including the checksum. This allows for verification of the external references.
stable
1
1
1
1
An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package.
stable
1
An ExtractedLicensingInfo represents a license or licensing notice that was found in a package, file or snippet. Any license text that is recognized as a license may be represented as a License rather than an ExtractedLicensingInfo.
stable
0
1
0
0
0
0
1
1
A File represents a named sequence of information that is contained in a software package.
stable
Type of file.
stable
1
1
1
1
1
1
1
A License represents a copyright license. The SPDX license list website is annotated with these properties (using RDFa) to allow license data published there to be easily processed. The license list is populated in accordance with the License List fields guidelines. These guidelines are not normative and may change over time. SPDX tooling should not rely on values in the license list conforming to the current guidelines.
stable
0
1
1
1
1
1
1
An exception to a license.
stable
1
1
1
1
A license which is included in the SPDX License List (http://spdx.org/licenses).
stable
1
License exception specific to ListedLicenses
1
A license with an or later operator indicating this license version or any later version of the license
stable
1
0
0
0
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
A Package represents a collection of software files that are delivered as a single functional component.
stable
0
1
A manifest based verification code (the algorithm is defined in section 4.7 of the full specification) of the SPDX Item. This allows consumers of this data and/or database to determine if an SPDX item they have in hand is identical to the SPDX item from which the data was produced. This algorithm works even if the SPDX document is included in the SPDX item.
stable
Package Purpose is intrinsic to how the package is being used rather than the content of the package.
stable
Category used for ExternalRef
stable
1
1
1
Types used to external reference identifiers.
stable
1
1
1
A Relationship represents a relationship between two SpdxElements.
stable
Type of relationship.
stable
1
1
1
This class has been deprecated in favor of an Annotation with an Annotation type of review.
true
deprecated
0
0
1
1
1
The SimpleLicenseInfo class includes all resources that represent simple, atomic, licensing information.
stable
0
1
1
The set of bytes in a file. The name of the snippet is the name of the file appended with the byte range in parenthesis (ie: "./file/name(2145:5532)")
stable
0
0
0
0
1
1
1
An SpdxDocument is a summary of the contents, provenance, ownership and licensing analysis of a specific software package. This is, effectively, the top level of SPDX information.
stable
0
0
1
1
An SpdxElement is any thing described in SPDX, either a document or an SpdxItem. SpdxElements can be related to other SpdxElements.
stable
1
0
0
1
1
An SpdxItem is a potentially copyrightable work.
stable
1
1
Sometimes a set of license terms apply except under special circumstances. In this case, use the binary "WITH" operator to construct a new license expression to represent the special exception situation. A valid <license-expression> is where the left operand is a <simple-expression> value and the right operand is a <license-exception-id> that represents the special exception terms.
stable
1
stable
stable
1
stable
stable
stable
1
stable
1
1
stable
Type of annotation which does not fit in any of the pre-defined annotation types.
stable
A Review represents an audit and signoff by an individual, organization or tool on the information for an SpdxElement.
stable
Indicates the algorithm used was ADLER32.
stable
Indicates the algorithm used was BLAKE2b-256.
stable
Indicates the algorithm used was BLAKE2b-384.
stable
Indicates the algorithm used was BLAKE2b-512.
stable
Indicates the algorithm used was BLAKE3.
stable
Indicates the algorithm used was MD2
stable
Indicates the algorithm used was MD4
stable
Indicates the algorithm used was MD5
stable
Indicates the algorithm used was MD6
stable
Indicates the algorithm used was SHA-1
stable
Indicates the algorithm used was SHA224
stable
Indicates the algorithm used was SHA256
stable
Indicates the algorithm used was SHA384
stable
Indicates the algorithm used was SHA3-256.
stable
Indicates the algorithm used was SHA3-384.
stable
Indicates the algorithm used was SHA3-512.
stable
Indicates the algorithm used was SHA512
stable
The file is associated with a specific application type (MIME type of application/* )
stable
Indicates the file is an archive file.
stable
The file is associated with an audio file (MIME type of audio/* , ie. .mp3 );
IMAGE if the file is assoicated with an picture image file (MIME type of image/*, ie. .jpg, .gif )
stable
Indicates the file is not a text file. spdx:filetype_archive is preferred for archive files even though they are binary.
stable
The file serves as documentation.
stable
The file is assoicated with an picture image file (MIME type of image/*, ie. .jpg, .gif ).
stable
Indicates the file is not a source, archive or binary file.
stable
Indicates the file is a source code file.
stable
The file is an SPDX document.
stable
The file is human readable text file (MIME type of text/*).
stable
The file is associated with a video file type (MIME type of video/*).
stable
Individual to indicate the creator of the SPDX document does not assert any value for the object.
Individual to indicate that no value is applicable for the Object.
The package is a software application.
stable
The package refers to an archived collection of files (.tar, .zip, etc).
stable
The package refers to a container image which can be used by a container runtime application.
stable
The package refers to a chipset, processor, or electronic board.
stable
The package is a single file which can be independently distributed (configuration file, statically linked binary, Kubernetes deployment, etc).
stable
The package provides low level control over a device's hardware.
stable
The package is a software framework.
stable
The package is used to install software on disk.
stable
The package is a software library.
stable
The package refers to an operating system.
stable
The package doesn't fit into other purpose defined terms.
stable
The package is a collection of source files.
stable
stable
stable
These point to objects present in the Software Heritage archive by the means of persistent identifiers that are guaranteed to remain stable (persistent) over time.
stable
stable
To be used when SPDXRef-A amends the SPDX information in SPDXRef-B.
stable
A Relationship of relationshipType_ancestorOf expresses that an SPDXElement is an ancestor of (same lineage but pre-dates) the relatedSPDXElement. For example, an upstream File is an ancestor of a modified downstream File
stable
Is to be used when SPDXRef-A is a build dependency of SPDXRef-B.
stable
To be used when SPDXRef-A is used to to build SPDXRef-B.
stable
A Relationship of relationshipType_containedBy expresses that an SPDXElement is contained by the relatedSPDXElement. For example, a File contained by a Package.
stable
A Relationship of relationshipType_contains expresses that an SPDXElement contains the relatedSPDXElement. For example, a Package contains a File. (relationshipType_contains introduced in SPDX 2.0 deprecates property 'hasFile' from SPDX 1.2)
stable
A Relationship of relationshipType_copyOf expresses that the SPDXElement is an exact copy of the relatedSDPXElement. For example, a downstream distribution of a binary library which was copied from the upstream package.
stable
Is to be used when SPDXRef-A is a data file used in SPDXRef-B. Replaced by relationshipType_dataFileOf
true
deprecated
Is to be used when SPDXRef-A is a data file used in SPDXRef-B.
stable
Is to be used when SPDXRef-A is a manifest file that lists a set of dependencies for SPDXRef-B.
stable
Is to be used when SPDXRef-A is dependency of SPDXRef-B.
stable
Is to be used when SPDXRef-A depends on SPDXRef-B.
stable
A Relationship of relationshipType_descendantOf expresses that an SPDXElement is a descendant of (same lineage but post-dates) the relatedSPDXElement. For example, an downstream File that was modified is a descendant of an upstream File
stable
Is to be used an SPDXRef-A is described by SPDXRef-Document.
stable
Is to be used when SPDXRef-DOCUMENT describes SPDXRef-A.
stable
Is to be used when SPDXRef-A is a development dependency of SPDXRef-B.
stable
Is to be used when SPDXRef-A is a development dependency of SPDXRef-B.
stable
A Relationship of relationshipType_distributionArtifact expresses that distributing the SPDXElement requires that the relatedSPDXElement also be distributed. For example, distributing a binary File may require that a source tarball (another File) be made available with the distribuiton.
stable
To be used when SPDXRef-A provides documentation of SPDXRef-B.
stable
Is to be used when SPDXRef-A dynamically links to SPDXRef-B.
stable
Is to be used when SPDXRef-A is an example of SPDXRef-B.
stable
A Relationship of relationshipType_expandedFromArchive expresses that the SPDXElement is a file which was epanded from a relatedSPDXElement file. For example, if there is an archive file xyz.tar.gz containing a file foo.c the archive file was expanded in a directory arch/xyz, the file arch/xyz/foo.c would have a relationshipType_expandedFromArchive with the file xyz.tar.gz.
stable
A Relationship of relationshipType_fileAdded expresses that the SPDXElement is a file which has been added to the relatedSPDXElement package. For example, a package (the relatedSPDXElement) has been patched to remove a file (the SPDXElement). This relationship is typically used to express the result of a patched package when the actual patchfile is not present.
stable
A Relationship of relationshipType_fileDeleted expresses that the SPDXElement is a package where the relatedSPDXElement file has been removed. For example, a package has been patched to remove a file a file (the relatedSPDXElement resulting in the patched package (the SPDXElement). This relationship is typically used to express the result of a patched package when the actual patchfile is not present.
stable
A Relationship of relationshipType_fileModified expresses that the SPDXElement is a file which is a modified version of the relatedSPDXElement file. For example, a file (the SPDXElement) has been patched to modify the contents of the original file (the SPDXElement). This relationship is typically used to express the result of a patched package when the actual patchfile is not present.
stable
A Relationship of relationshipType_generatedFrom expresses that an SPDXElement was generated from the relatedSPDXElement. For example, a binary File might have been generated from a source File.
stable
A Relationship of relationshipType_generates expresses that an SPDXElement generates the relatedSPDXElement. For example, a source File generates a binary File.
stable
Is to be used when SPDXRef-A has as a prerequisite SPDXRef-B.
stable
To be used when SPDXRef-A is a metafile of SPDXRef-B.
stable
To be used when SPDXRef-A is an optional component of SPDXRef-B.
stable
Is to be used when SPDXRef-A is an optional dependency of SPDXRef-B.
stable
to be used for a relationship which has not been defined in the formal SPDX specification. A description of the relationship should be included in the Relationship comments field.
stable
To be used when SPDXRef-A is used as a package as part of SPDXRef-B.
stable
A Relationship of relationshipType_patchApplied expresses that the SPDXElement is a 'patchfile' that was applied and produced the relatedSPDXElement. For example, a .diff File relates to a specific file where the diff was applied.
stable
A Relationship of relationshipType_patchFor expresses that the SPDXElement is a 'patchfile' that is designed to patch (apply modifications to) the relatedSPDXElement. For example, relationship from a .diff File to a Package it is designed to patch.
stable
Is to be used when SPDXRef-A is a prerequisite for SPDXRef-B
stable
Is to be used when SPDXRef-A is a to be provided dependency of SPDXRef-B.
stable
Is to be used when SPDXRef-A describes, illustrates, or specifies a requirement statement for SPDXRef-B.
stable
Is to be used when SPDXRef-A is a dependency required for the execution of SPDXRef-B.
stable
Is to be used when SPDXRef-A describes, illustrates, or defines a design specification for SPDXRef-B.
stable
Is to be used when SPDXRef-A statically links to SPDXRef-B.
stable
Is to be used when SPDXRef-A is a test dependency of SPDXRef-B.
stable
Is to be used when SPDXRef-A is used for testing SPDXRef-B.
stable
Is to be used when SPDXRef-A is used as a test tool for SPDXRef-B.
stable
Is to be used when SPDXRef-A is a test case used in testing SPDXRef-B.
stable
A Relationship of relationshipType_variantOf expresses that an SPDXElement is a variant of the relatedSPDXElement, but it is not clear which came first. For example, if the content of two Files differs by some edit, but there is no way to tell which came first (no reliable date information), then one File is a variant of the other File.
stable
1
This property has been deprecated since SPDX version 2.0. It has been replaced by an Annotation with an annotation type review.
Reviewed
deprecated
true