SPDX is an ISO/IEC 5962:2021 standard developed by the Linux Foundation to create a universal format for Software Bill of Materials (SBOM) data. It standardizes how metadata about software components—including their origin, licensing information, and known vulnerabilities—is shared across organizations and tools, enabling automated compliance and supply chain transparency.
Glossary
SPDX

What is SPDX?
SPDX (Software Package Data Exchange) is an open, machine-readable standard for communicating a Software Bill of Materials, capturing component details, licenses, copyrights, and security references.
The specification defines a structured data model that maps relationships between files, packages, and snippets. By providing a common vocabulary for license identifiers and security references like Vulnerability Exploitability eXchange (VEX) data, SPDX allows DevSecOps pipelines to programmatically verify the provenance and integrity of every dependency, reducing legal risk and accelerating vulnerability triage.
Key Features of SPDX
SPDX (Software Package Data Exchange) provides a machine-readable format for communicating the components, licenses, copyrights, and security references of software. It is the ISO/IEC 5962:2021 standard for creating Software Bills of Materials (SBOMs).
Standardized License Identification
SPDX defines a canonical License List with standardized identifiers (e.g., MIT, Apache-2.0, GPL-3.0-only). This eliminates ambiguity in license declaration by replacing free-text descriptions with precise, machine-readable short-form IDs. Each identifier maps to a specific legal text, enabling automated license compliance checks across complex dependency graphs without manual legal review.
Relationship and Dependency Mapping
SPDX documents explicitly model the relationships between software components using a defined vocabulary. Key relationship types include:
- CONTAINS: A package contains a sub-package
- DEPENDS_ON: A package requires another to function
- DYNAMIC_LINK: Runtime linking to a shared library
- GENERATED_FROM: Source code that produced a binary This graph-based approach enables transitive vulnerability analysis and full supply chain transparency.
Security Vulnerability References
SPDX 2.2+ supports external security references, allowing an SBOM to directly link components to known vulnerabilities. An SPDX document can reference:
- CVE (Common Vulnerabilities and Exposures) identifiers
- GHSA (GitHub Security Advisories)
- VEX (Vulnerability Exploitability eXchange) statements This integration enables automated security scanning tools to correlate SBOM data with vulnerability databases, dramatically reducing the time to identify affected components during a zero-day event.
ISO/IEC 5962:2021 International Standard
SPDX was formally adopted as an international standard by ISO/IEC JTC 1 in 2021. This standardization ensures:
- Interoperability: Tools from different vendors can consume and produce SPDX documents consistently
- Regulatory Acceptance: Governments and regulated industries can mandate SPDX as a compliance requirement
- Long-term Stability: The specification evolves through a formal, community-driven governance process under the Linux Foundation The standard supports multiple serialization formats including JSON, YAML, RDF/XML, and tag:value flat text.
Package Verification Codes
SPDX defines a deterministic Package Verification Code algorithm for generating a checksum that uniquely identifies the contents of a software package. This code is computed by:
- Sorting all file paths in the package alphabetically
- Computing a SHA1 hash for each file
- Concatenating all hashes and computing a final SHA1 This mechanism enables reproducible build verification and tamper detection, allowing downstream consumers to confirm that a received artifact matches the declared SBOM exactly.
NTIA Minimum Elements Compliance
SPDX is one of the three SBOM formats explicitly recognized by the U.S. National Telecommunications and Information Administration (NTIA) as meeting the minimum elements for an SBOM. These mandatory fields include:
- Supplier Name: The entity creating the component
- Component Name: The software name
- Version String: The specific version identifier
- Unique Identifier: A globally unique reference
- Dependency Relationship: Upstream and downstream linkages
- Author: The SBOM document creator
- Timestamp: When the SBOM was generated This alignment makes SPDX the preferred format for U.S. federal procurement compliance under Executive Order 14028.
Frequently Asked Questions
Clear, technical answers to the most common questions about the Software Package Data Exchange (SPDX) standard and its role in modern AI supply chain security.
SPDX (Software Package Data Exchange) is an open, machine-readable standard for communicating a Software Bill of Materials (SBOM). It works by providing a standardized data format—typically expressed as a tag-value file, JSON, YAML, or RDF/XML—that uniquely identifies every software component, its associated license, copyright holder, and known security vulnerability references. The standard, governed by the Linux Foundation, creates a common language for tools and organizations to share component metadata across the supply chain. An SPDX document captures the 'what' and 'who' of a codebase: it lists each package, file, and snippet, assigns a globally unique SPDX Identifier, and maps the complex relationships between them using defined relationship types like CONTAINS, DEPENDS_ON, and GENERATED_FROM. This deterministic structure allows automated compliance tools to instantly audit a product for license compatibility or flag a component with a critical CVE, replacing manual, error-prone spreadsheet audits.
SPDX vs. CycloneDX vs. SWID
A technical comparison of the three primary standards for generating and consuming Software Bill of Materials (SBOM) data, focusing on their data models, use cases, and adoption contexts.
| Feature | SPDX | CycloneDX | SWID |
|---|---|---|---|
Primary Focus | License compliance and comprehensive software metadata | Application security and vulnerability management | Software asset management and inventory tracking |
Originating Body | Linux Foundation | OWASP | ISO/IEC (19770-2) |
Data Format | JSON, YAML, RDF, tag/value, spreadsheet | JSON, XML, Protocol Buffers | XML (CoSWID for CBOR/JSON) |
License Expression Standard | |||
Vulnerability Integration | |||
Cryptographic Signing Support | |||
Package URL (purl) Native Support | |||
Relationship Graph Depth | Full dependency graph with CONTAINS, DEPENDS_ON, GENERATES | Compositional hierarchy with dependencies | Flat inventory, minimal relational semantics |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
SPDX is a foundational standard within the broader software supply chain security landscape. These related terms represent the complementary specifications, frameworks, and concepts that work alongside SPDX to establish end-to-end artifact integrity and transparency.
Software Bill of Materials (SBOM)
A formal, machine-readable inventory that catalogs every component, library, and dependency within a software artifact. SPDX is the ISO/IEC 5962:2021 standard for representing an SBOM. An SBOM enables precise vulnerability management by mapping known CVEs to specific transitive dependencies, eliminating the guesswork from incident response. The U.S. Executive Order 14028 mandates SBOMs for federal software procurement.
Vulnerability Exploitability eXchange (VEX)
A standardized security advisory that lets software suppliers declare the exploitability status of a specific CVE in a specific product. VEX eliminates the flood of false positives that occur when an SBOM flags a vulnerable component that isn't actually exploitable due to how it's used. Key statuses include:
- Not Affected — component present but vulnerability unreachable
- Affected — remediation required
- Fixed — patch applied
- Under Investigation — analysis ongoing
Software Composition Analysis (SCA)
An automated process for identifying and cataloging open-source components within a codebase. SCA tools consume SPDX and CycloneDX SBOMs to cross-reference component inventories against vulnerability databases like NVD and GitHub Advisory Database. Modern SCA goes beyond CVE matching to analyze license compatibility, code quality metrics, and dependency freshness — providing a continuous compliance posture for the entire software portfolio.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us