This specification describes the SPDX® language, defined as a dictionary of named properties and classes using W3C's RDF Technology. SPDX® is an open standard for communicating software bill of material information, including components, licenses, copyrights, and security references. SPDX reduces redundant work by providing a common format for companies and communities to share important data, thereby streamlining and improving compliance. . Known issues: - rdfs:comment and rdfs:seeAlso are used within the SPDX classes and causes a redefinition of these standard terms SPDX 2.3 2.3 Identifies the algorithm used to produce the subject Checksum. Currently, SHA-1 is the only supported algorithm. It is anticipated that other algorithms will be supported at a later time. stable Provide additional information about an SpdxElement. stable Type of the annotation. stable Deprecated as of version 2.1 Indicates the project in which the SpdxElement originated. Tools must preserve doap:homepage and doap:name properties and the URI (if one is known) of doap:Project resources that are values of this property. All other properties of doap:Projects are not directly supported by SPDX and may be dropped when translating to or from some SPDX formats. true deprecated The checksum property provides a mechanism that can be used to verify that the contents of a File or Package have not changed. stable The creationInfo property relates an SpdxDocument to a set of information about the creation of the SpdxDocument. stable Cross Reference Detail for a license SeeAlso URL Compliance with the SPDX specification includes populating the SPDX fields therein with data related to such fields ("SPDX-Metadata"). The SPDX specification contains numerous fields where an SPDX document creator may provide relevant explanatory text in SPDX-Metadata. Without opining on the lawfulness of "database rights" (in jurisdictions where applicable), such explanatory text is copyrightable subject matter in most Berne Convention countries. By using the SPDX specification, or any portion hereof, you hereby agree that any copyright rights (as determined by your jurisdiction) in any SPDX-Metadata, including without limitation explanatory text, shall be subject to the terms of the Creative Commons CC0 1.0 Universal license. For SPDX-Metadata not containing any copyright rights, you hereby agree and acknowledge that the SPDX-Metadata is provided to you "as-is" and without any representations or warranties of any kind concerning the SPDX-Metadata, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non-infringement, or the absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law. stable The describesPackage property relates an SpdxDocument to the package which it describes. stable Identify any external SPDX documents referenced within this SPDX document. stable An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package. stable This field is deprecated since SPDX 2.0 in favor of using Section 7 which provides more granularity about relationships. true deprecated The type of the file. stable Indicates that a particular ExtractedLicensingInfo was defined in the subject SpdxDocument. stable Indicates that a particular file belongs to a package. stable The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the SPDX Item. If the licenseConcluded field is not present for an SPDX Item, it implies an equivalent meaning to NOASSERTION. stable The licensing that the creators of the software in the package, or the packager, have declared. Declarations by the original software creator should be preferred, if they exist. stable An exception to a license. stable The licensing information that was discovered directly within the package. There will be an instance of this property for each distinct value of alllicenseInfoInFile properties of all files contained in the package. If the licenseInfoFromFiles field is not present for a package and filesAnalyzed property for that same pacakge is true or omitted, it implies an equivalent meaning to NOASSERTION. stable Licensing information that was discovered directly in the subject file. This is also considered a declared license for the file. If the licenseInfoInFile field is not present for a file, it implies an equivalent meaning to NOASSERTION. stable Licensing information that was discovered directly in the subject snippet. This is also considered a declared license for the snippet. If the licenseInfoInSnippet field is not present for a snippet, it implies an equivalent meaning to NOASSERTION. stable A license, or other licensing information, that is a member of the subject license set. stable A manifest based verification code (the algorithm is defined in section 3.9.4 of the full specification) of the package. This allows consumers of this data and/or database to determine if a package they have in hand is identical to the package from which the data was produced. This algorithm works even if the SPDX document is included in the package. stable This field provides information about the primary purpose of the identified package. Package Purpose is intrinsic to how the package is being used rather than the content of the package. stable This field defines the byte range in the original host file (in X.2) that the snippet information applies to stable Category for the external reference stable Type of the external reference. These are definined in an appendix in the SPDX specification. stable Indicates that a particular file belongs as part of the set of analyzed files in the SpdxDocument. This property has been replaced by a relationship between the SPDX document and file with a "contains" relationship type. true deprecated A related SpdxElement. stable Defines a relationship between two SPDX elements. The SPDX element may be a Package, File, or SpdxDocument. stable Describes the type of relationship between two SPDX elements. stable File containing the SPDX element (e.g. the file contaning a snippet). stable A property containing an SPDX document. stable stable stable stable Identify when the comment was made. This is to be specified according to the combined date and time in the UTC format, as specified in the ISO 8601 standard. stable This field identifies the person, organization, or tool that has commented on a file, package, snippet, or the entire document. stable This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce. stable This field provides a place for recording the actual date the package was built. stable The checksumValue property provides a lower case hexidecimal encoded digest value produced using a specific algorithm. stable Example for use of the external repository identifier stable The text of copyright declarations recited in the package, file or snippet. If the copyrightText field is not present, it implies an equivalent meaning to NOASSERTION. stable Identify when the SPDX document was originally created. The date is to be specified according to combined date and time in UTC format as specified in ISO 8601 standard. stable Identify who (or what, in the case of a tool) created the SPDX document. If the SPDX document was created by an individual, indicate the person's name. If the SPDX document was created on behalf of a company or organization, indicate the entity name. If the SPDX document was created using a software tool, indicate the name and version for that tool. If multiple participants or tools were involved, use multiple instances of this field. Person name or organization name may be designated as “anonymous” if appropriate. stable A date-time stamp. stable License list version where this license was decprecated stable Provides a detailed description of the package. stable Website containing the documentation related to the repository identifier stable The URI at which this package is available for download. Private (i.e., not publicly reachable) URIs are acceptable as values of this property. The values http://spdx.org/rdf/terms#none and http://spdx.org/rdf/terms#noassertion may be used to specify that the package is not downloadable or that no attempt was made to determine its download location, respectively. stable Text for examples in describing an SPDX element. stable HTML representation of the License Exception Text stable externalDocumentId is a string containing letters, numbers, ., - and/or + which uniquely identifies an external document within this document. stable Website for the maintainers of the external reference site stable Provide a copy of the actual text of the license reference extracted from the package, file or snippet that is associated with the License Identifier to aid in future analysis. stable This field provides a place for the SPDX file creator to record file contributors. Contributors could include names of copyright holders and/or authors who may not be copyright holders yet contributed to the file content. stable The name of the file relative to the root of the package. stable Indicates whether the file content of this package has been available for or subjected to analysis when creating the SPDX document. If false indicates packages that represent metadata or URI references to a project, product, artifact, distribution or a component. If set to false, the package must not contain any files. stable Indicate a URL is still a live accessible location on the public internet Indicates if the OSI has approved the license. stable True if the URL is a valid well formed URL True if the License SeeAlso URL points to a Wayback archive The licenseComments property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded was chosen. stable Short form license exception identifier in Appendix I.2 of the SPDX specification. stable Template for matching license exception text stable Full text of the license exception. stable A human readable short form license identifier for a license. The license ID is either on the standard license list or the form "LicenseRef-[idString]" where [idString] is a unique string containing letters, numbers, "." or "-". When used within a license expression, the license ID can optionally include a reference to an external document in the form "DocumentRef-[docrefIdString]:LicenseRef-[idString]" where docRefIdString is an ID for an external document reference. stable An optional field for creators of the SPDX file to provide the version of the SPDX License List used when the SPDX file was created. stable Full text of the license. stable License text in HTML format stable Status of a License List SeeAlso URL reference if it refers to a website that matches the license text. Identify name of this SpdxElement. stable This field provides a place for the SPDX file creator to record potential legal notices found in the file. This may or may not include copyright statements. stable The ordinal order of this element within a list The name and, optionally, contact information of the person or organization that originally created the package. Values of this property must conform to the agent and tool syntax. The base name of the package file name. For example, zlib-1.2.5.tar.gz. stable Identify the full name of the package as given by Package Originator. stable A file that was excluded when calculating the package verification code. This is usually a file containing SPDX data regarding the package. If a package contains more than one SPDX file all SPDX files must be excluded from the package verification code. If this is not done it would be impossible to correctly calculate the verification codes in both files. stable The actual package verification code as a hex encoded value. stable The unique string with no spaces necessary to access the package-specific information, metadata, or content within the target location. The format of the locator is subject to constraints defined by the <type>. stable This field provides a place for recording the date the package was released. stable Deprecated in favor of Annotation with an annotationType_review. The date and time at which the SpdxDocument was reviewed. This value must be in UTC and have 'Z' as its timezone indicator. true deprecated The name and, optionally, contact information of the person who performed the review. Values of this property must conform to the agent and tool syntax. The reviewer property is deprecated in favor of Annotation with an annotationType review. true deprecated Identify a specific snippet in a human convenient manner. stable Allows the producer(s) of the SPDX document to describe how the package was acquired and/or changed from the original source. stable Provide a reference number that can be used to understand how to parse and interpret the rest of the file. It will enable both future changes to the specification and to support backward compatibility. The version number consists of a major and minor version indicator. The major field will be incremented when incompatible changes between versions are made (one or more sections are created, modified or deleted). The minor field will be incremented when backwards compatible changes are made. License author's preferred text to indicated that a file is covered by the license. stable HTML representation of the standard license header stable License template which describes sections of the license header which can be varied. See License Template section of the specification for format information. stable License template which describes sections of the license which can be varied. See License Template section of the specification for format information. stable Provides a short description of the package. stable The name and, optionally, contact information of the person or organization who was the immediate supplier of this package to the recipient. The supplier may be different than originator when the software has been repackaged. Values of this property must conform to the agent and tool syntax. stable Timestamp URL Reference This field provides a place for recording the end of the support period for a package from the supplier. stable Provides an indication of the version of the package that is described by this SpdxDocument. stable stable stable stable 1 1 1 1 An Annotation is a comment on an SpdxItem by an agent. stable This type describes the type of annotation. Annotations are usually created when someone reviews the file, and if this is the case the annotation type should be REVIEW. stable The AnyLicenseInfo class includes all resources that represent licensing information. http://spdx.org/rdf/terms#AnyLicenseInfo stable 1 1 A Checksum is value that allows the contents of a file to be authenticated. Even small changes to the content of the file will change its checksum. This class allows the results of a variety of checksum and cryptographic message digest algorithms to be represented. stable Algorighm for Checksums. stable 2 A ConjunctiveLicenseSet represents a set of licensing information all of which apply. stable 1 1 1 1 One instance is required for each SPDX file produced. It provides the necessary information for forward and backward compatibility for processing tools. stable 1 1 1 1 1 1 1 Cross reference details for the a URL reference stable 2 A DisjunctiveLicenseSet represents a set of licensing information where only one license applies at a time. This class implies that the recipient gets to choose one of these licenses they would prefer to use. stable 1 1 1 Information about an external SPDX document reference including the checksum. This allows for verification of the external references. stable 1 1 1 1 An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package. stable 1 An ExtractedLicensingInfo represents a license or licensing notice that was found in a package, file or snippet. Any license text that is recognized as a license may be represented as a License rather than an ExtractedLicensingInfo. stable 0 1 0 0 0 0 1 1 A File represents a named sequence of information that is contained in a software package. stable Type of file. stable 1 1 1 1 1 1 1 A License represents a copyright license. The SPDX license list website is annotated with these properties (using RDFa) to allow license data published there to be easily processed. The license list is populated in accordance with the License List fields guidelines. These guidelines are not normative and may change over time. SPDX tooling should not rely on values in the license list conforming to the current guidelines. stable 0 1 1 1 1 1 1 An exception to a license. stable 1 1 1 1 A license which is included in the SPDX License List (http://spdx.org/licenses). stable 1 License exception specific to ListedLicenses 1 A license with an or later operator indicating this license version or any later version of the license stable 1 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 A Package represents a collection of software files that are delivered as a single functional component. stable 0 1 A manifest based verification code (the algorithm is defined in section 4.7 of the full specification) of the SPDX Item. This allows consumers of this data and/or database to determine if an SPDX item they have in hand is identical to the SPDX item from which the data was produced. This algorithm works even if the SPDX document is included in the SPDX item. stable Package Purpose is intrinsic to how the package is being used rather than the content of the package. stable Category used for ExternalRef stable 1 1 1 Types used to external reference identifiers. stable 1 1 1 A Relationship represents a relationship between two SpdxElements. stable Type of relationship. stable 1 1 1 This class has been deprecated in favor of an Annotation with an Annotation type of review. true deprecated 0 0 1 1 1 The SimpleLicenseInfo class includes all resources that represent simple, atomic, licensing information. stable 0 1 1 The set of bytes in a file. The name of the snippet is the name of the file appended with the byte range in parenthesis (ie: "./file/name(2145:5532)") stable 0 0 0 0 1 1 1 An SpdxDocument is a summary of the contents, provenance, ownership and licensing analysis of a specific software package. This is, effectively, the top level of SPDX information. stable 0 0 1 1 An SpdxElement is any thing described in SPDX, either a document or an SpdxItem. SpdxElements can be related to other SpdxElements. stable 1 0 0 1 1 An SpdxItem is a potentially copyrightable work. stable 1 1 Sometimes a set of license terms apply except under special circumstances. In this case, use the binary "WITH" operator to construct a new license expression to represent the special exception situation. A valid <license-expression> is where the left operand is a <simple-expression> value and the right operand is a <license-exception-id> that represents the special exception terms. stable 1 stable stable 1 stable stable stable 1 stable 1 1 stable Type of annotation which does not fit in any of the pre-defined annotation types. stable A Review represents an audit and signoff by an individual, organization or tool on the information for an SpdxElement. stable Indicates the algorithm used was ADLER32. stable Indicates the algorithm used was BLAKE2b-256. stable Indicates the algorithm used was BLAKE2b-384. stable Indicates the algorithm used was BLAKE2b-512. stable Indicates the algorithm used was BLAKE3. stable Indicates the algorithm used was MD2 stable Indicates the algorithm used was MD4 stable Indicates the algorithm used was MD5 stable Indicates the algorithm used was MD6 stable Indicates the algorithm used was SHA-1 stable Indicates the algorithm used was SHA224 stable Indicates the algorithm used was SHA256 stable Indicates the algorithm used was SHA384 stable Indicates the algorithm used was SHA3-256. stable Indicates the algorithm used was SHA3-384. stable Indicates the algorithm used was SHA3-512. stable Indicates the algorithm used was SHA512 stable The file is associated with a specific application type (MIME type of application/* ) stable Indicates the file is an archive file. stable The file is associated with an audio file (MIME type of audio/* , ie. .mp3 ); IMAGE if the file is assoicated with an picture image file (MIME type of image/*, ie. .jpg, .gif ) stable Indicates the file is not a text file. spdx:filetype_archive is preferred for archive files even though they are binary. stable The file serves as documentation. stable The file is assoicated with an picture image file (MIME type of image/*, ie. .jpg, .gif ). stable Indicates the file is not a source, archive or binary file. stable Indicates the file is a source code file. stable The file is an SPDX document. stable The file is human readable text file (MIME type of text/*). stable The file is associated with a video file type (MIME type of video/*). stable Individual to indicate the creator of the SPDX document does not assert any value for the object. Individual to indicate that no value is applicable for the Object. The package is a software application. stable The package refers to an archived collection of files (.tar, .zip, etc). stable The package refers to a container image which can be used by a container runtime application. stable The package refers to a chipset, processor, or electronic board. stable The package is a single file which can be independently distributed (configuration file, statically linked binary, Kubernetes deployment, etc). stable The package provides low level control over a device's hardware. stable The package is a software framework. stable The package is used to install software on disk. stable The package is a software library. stable The package refers to an operating system. stable The package doesn't fit into other purpose defined terms. stable The package is a collection of source files. stable stable stable These point to objects present in the Software Heritage archive by the means of persistent identifiers that are guaranteed to remain stable (persistent) over time. stable stable To be used when SPDXRef-A amends the SPDX information in SPDXRef-B. stable A Relationship of relationshipType_ancestorOf expresses that an SPDXElement is an ancestor of (same lineage but pre-dates) the relatedSPDXElement. For example, an upstream File is an ancestor of a modified downstream File stable Is to be used when SPDXRef-A is a build dependency of SPDXRef-B. stable To be used when SPDXRef-A is used to to build SPDXRef-B. stable A Relationship of relationshipType_containedBy expresses that an SPDXElement is contained by the relatedSPDXElement. For example, a File contained by a Package. stable A Relationship of relationshipType_contains expresses that an SPDXElement contains the relatedSPDXElement. For example, a Package contains a File. (relationshipType_contains introduced in SPDX 2.0 deprecates property 'hasFile' from SPDX 1.2) stable A Relationship of relationshipType_copyOf expresses that the SPDXElement is an exact copy of the relatedSDPXElement. For example, a downstream distribution of a binary library which was copied from the upstream package. stable Is to be used when SPDXRef-A is a data file used in SPDXRef-B. Replaced by relationshipType_dataFileOf true deprecated Is to be used when SPDXRef-A is a data file used in SPDXRef-B. stable Is to be used when SPDXRef-A is a manifest file that lists a set of dependencies for SPDXRef-B. stable Is to be used when SPDXRef-A is dependency of SPDXRef-B. stable Is to be used when SPDXRef-A depends on SPDXRef-B. stable A Relationship of relationshipType_descendantOf expresses that an SPDXElement is a descendant of (same lineage but post-dates) the relatedSPDXElement. For example, an downstream File that was modified is a descendant of an upstream File stable Is to be used an SPDXRef-A is described by SPDXRef-Document. stable Is to be used when SPDXRef-DOCUMENT describes SPDXRef-A. stable Is to be used when SPDXRef-A is a development dependency of SPDXRef-B. stable Is to be used when SPDXRef-A is a development dependency of SPDXRef-B. stable A Relationship of relationshipType_distributionArtifact expresses that distributing the SPDXElement requires that the relatedSPDXElement also be distributed. For example, distributing a binary File may require that a source tarball (another File) be made available with the distribuiton. stable To be used when SPDXRef-A provides documentation of SPDXRef-B. stable Is to be used when SPDXRef-A dynamically links to SPDXRef-B. stable Is to be used when SPDXRef-A is an example of SPDXRef-B. stable A Relationship of relationshipType_expandedFromArchive expresses that the SPDXElement is a file which was epanded from a relatedSPDXElement file. For example, if there is an archive file xyz.tar.gz containing a file foo.c the archive file was expanded in a directory arch/xyz, the file arch/xyz/foo.c would have a relationshipType_expandedFromArchive with the file xyz.tar.gz. stable A Relationship of relationshipType_fileAdded expresses that the SPDXElement is a file which has been added to the relatedSPDXElement package. For example, a package (the relatedSPDXElement) has been patched to remove a file (the SPDXElement). This relationship is typically used to express the result of a patched package when the actual patchfile is not present. stable A Relationship of relationshipType_fileDeleted expresses that the SPDXElement is a package where the relatedSPDXElement file has been removed. For example, a package has been patched to remove a file a file (the relatedSPDXElement resulting in the patched package (the SPDXElement). This relationship is typically used to express the result of a patched package when the actual patchfile is not present. stable A Relationship of relationshipType_fileModified expresses that the SPDXElement is a file which is a modified version of the relatedSPDXElement file. For example, a file (the SPDXElement) has been patched to modify the contents of the original file (the SPDXElement). This relationship is typically used to express the result of a patched package when the actual patchfile is not present. stable A Relationship of relationshipType_generatedFrom expresses that an SPDXElement was generated from the relatedSPDXElement. For example, a binary File might have been generated from a source File. stable A Relationship of relationshipType_generates expresses that an SPDXElement generates the relatedSPDXElement. For example, a source File generates a binary File. stable Is to be used when SPDXRef-A has as a prerequisite SPDXRef-B. stable To be used when SPDXRef-A is a metafile of SPDXRef-B. stable To be used when SPDXRef-A is an optional component of SPDXRef-B. stable Is to be used when SPDXRef-A is an optional dependency of SPDXRef-B. stable to be used for a relationship which has not been defined in the formal SPDX specification. A description of the relationship should be included in the Relationship comments field. stable To be used when SPDXRef-A is used as a package as part of SPDXRef-B. stable A Relationship of relationshipType_patchApplied expresses that the SPDXElement is a 'patchfile' that was applied and produced the relatedSPDXElement. For example, a .diff File relates to a specific file where the diff was applied. stable A Relationship of relationshipType_patchFor expresses that the SPDXElement is a 'patchfile' that is designed to patch (apply modifications to) the relatedSPDXElement. For example, relationship from a .diff File to a Package it is designed to patch. stable Is to be used when SPDXRef-A is a prerequisite for SPDXRef-B stable Is to be used when SPDXRef-A is a to be provided dependency of SPDXRef-B. stable Is to be used when SPDXRef-A describes, illustrates, or specifies a requirement statement for SPDXRef-B. stable Is to be used when SPDXRef-A is a dependency required for the execution of SPDXRef-B. stable Is to be used when SPDXRef-A describes, illustrates, or defines a design specification for SPDXRef-B. stable Is to be used when SPDXRef-A statically links to SPDXRef-B. stable Is to be used when SPDXRef-A is a test dependency of SPDXRef-B. stable Is to be used when SPDXRef-A is used for testing SPDXRef-B. stable Is to be used when SPDXRef-A is used as a test tool for SPDXRef-B. stable Is to be used when SPDXRef-A is a test case used in testing SPDXRef-B. stable A Relationship of relationshipType_variantOf expresses that an SPDXElement is a variant of the relatedSPDXElement, but it is not clear which came first. For example, if the content of two Files differs by some edit, but there is no way to tell which came first (no reliable date information), then one File is a variant of the other File. stable 1 This property has been deprecated since SPDX version 2.0. It has been replaced by an Annotation with an annotation type review. Reviewed deprecated true