SPDX
Software Package Data Exchange (SPDX) is an open standard for communicating software bill of materials (SBOM) information, including provenance, components, licenses, copyrights, and security references. SPDX reduces redundant work by providing common formats for organizations, companies and communities to share important data, thereby streamlining and improving compliance, security, and dependability.
The SPDX specification is recognized as the international open standard for security, license compliance, and other software supply chain artifacts as ISO/IEC 5962:2021.
1. Category
1.1. Specification
The SPDX Specification is a standard format for communicating the components, licenses and copyrights associated with software packages.
The SPDX standard helps facilitate compliance with free and open source software licenses by standardizing the way license information is shared across the software supply chain. SPDX reduces redundant work by providing a common format for companies and communities to share important data about software licenses and copyrights, thereby streamlining and improving compliance.
1.2. License List
The SPDX License List is an integral part of the SPDX Specification. It is a list of commonly found licenses and exceptions used in free and open or collaborative software, data, hardware, or documentation. The purpose of the SPDX License List is to enable efficient and reliable identification of licenses and exceptions in an SPDX document, in source files, or in other files and objects. For each license and exception, the SPDX License List provides a standardized short identifier, a full name, vetted license text including matching-guideline markup where appropriate, and a canonical permanent URL.
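The following is an added example, not code from the SPDX project or from this page, showing how the short identifiers from the License List are used in practice: it extracts the `SPDX-License-Identifier` header tag from a source file, validates a license expression (`AND`, `OR`, `WITH`, parentheses, `LicenseRef-` custom ids, and the `NOASSERTION`/`NONE` values) against an embedded subset of the License List, and refuses to emit a minimal SPDX 2.3 JSON document whose license fields contain an identifier that is not on the list. The license and exception tables, the sample source text, the checksum, the purl, the `documentNamespace` URL and the `Tool:` creator name are all constructed for this example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed subset of the SPDX License List (short identifier -> full name).
# The real list has hundreds of entries; only these are assumed here.
LICENSE_LIST = {
    "MIT": "MIT License",
    "Apache-2.0": "Apache License 2.0",
    "GPL-2.0-only": "GNU General Public License v2.0 only",
    "GPL-2.0-or-later": "GNU General Public License v2.0 or later",
    "BSD-3-Clause": 'BSD 3-Clause "New" or "Revised" License',
}
# Constructed subset of the SPDX exception list (the ids allowed after WITH).
EXCEPTION_LIST = {"Classpath-exception-2.0", "LLVM-exception"}

# Header tag used to mark source files, e.g. "// SPDX-License-Identifier: MIT".
TAG_RE = re.compile(r"SPDX-License-Identifier:\s*([^\r\n]+)")
# Custom identifiers not on the list must use the LicenseRef- prefix.
LICENSE_REF_RE = re.compile(r"^LicenseRef-[A-Za-z0-9.\-]+$")

# Constructed sample source file carrying a dual-license expression.
SAMPLE_SOURCE = """/* SPDX-License-Identifier: MIT OR Apache-2.0 */
#include <stdio.h>
"""


def extract_identifier(source_text):
    """Return the license expression from a file's SPDX header tag, or None."""
    m = TAG_RE.search(source_text)
    if not m:
        return None
    # Drop a trailing comment closer such as '*/' or '-->' sharing the line.
    return re.sub(r"\s*(\*/|-->)\s*$", "", m.group(1)).strip()


def validate_expression(expr):
    """Check every identifier in a license expression (uppercase operators).
    Returns a list of problems; an empty list means the expression is clean."""
    if expr in ("NOASSERTION", "NONE"):  # special values the spec allows
        return []
    problems, depth, expect_exception = [], 0, False
    for tok in re.findall(r"[()]|[^\s()]+", expr):
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
            if depth < 0:
                problems.append("unbalanced parentheses")
                break
        elif tok in ("AND", "OR"):
            expect_exception = False
        elif tok == "WITH":
            expect_exception = True
        elif expect_exception:
            if tok not in EXCEPTION_LIST:
                problems.append(f"unknown exception: {tok}")
            expect_exception = False
        elif tok not in LICENSE_LIST and not LICENSE_REF_RE.match(tok):
            problems.append(f"unknown license: {tok}")
    if depth > 0:
        problems.append("unbalanced parentheses")
    return problems


def build_spdx_document(pkg_name, version, declared, concluded, sha256_hex, purl):
    """Assemble a minimal SPDX 2.3 JSON document describing one package.
    Both license fields are validated first so an SBOM with an unknown id is
    never written out."""
    for label, expr in (("licenseDeclared", declared), ("licenseConcluded", concluded)):
        problems = validate_expression(expr)
        if problems:
            raise ValueError(f"{label}: {', '.join(problems)}")
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",  # the spec fixes the document's own license
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{pkg_name}-{version}",
        # Placeholder namespace (assumption); it must be unique per document.
        "documentNamespace": f"https://example.invalid/spdx/{pkg_name}-{version}",
        "creationInfo": {
            "created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "creators": ["Tool: spdx-example-script"],  # hypothetical tool name
        },
        "packages": [{
            "name": pkg_name,
            "SPDXID": "SPDXRef-Package",
            "versionInfo": version,
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False,
            "licenseDeclared": declared,
            "licenseConcluded": concluded,
            "copyrightText": "NOASSERTION",
            "checksums": [{"algorithm": "SHA256", "checksumValue": sha256_hex}],
            # A purl lets consumers match the package against vulnerability data.
            "externalRefs": [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": purl,
            }],
        }],
        "relationships": [{
            "spdxElementId": "SPDXRef-DOCUMENT",
            "relationshipType": "DESCRIBES",
            "relatedSpdxElement": "SPDXRef-Package",
        }],
    }


if __name__ == "__main__":
    expr = extract_identifier(SAMPLE_SOURCE)
    doc = build_spdx_document("example-lib", "1.2.3", expr, expr,
                              "ab" * 32,  # constructed checksum
                              "pkg:generic/example-lib@1.2.3")
    print(json.dumps(doc, indent=2))
    print(validate_expression("MIT OR Unknown-1.0"))
```

Rejecting the document at build time is the point: an SBOM that reaches a consumer with a misspelled or made-up identifier cannot be matched against the License List, so license and vulnerability tooling downstream silently loses coverage for that package.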
2. References
- Sentenz licenses article.
- Sentenz license guide article.
- SPDX tools article.
- GitHub SPDX license list repository.
- GitHub SPDX license dataset repository.