Safeguard
Software Supply Chain Security

SPDX

What is SPDX? A plain-English guide to the ISO-standard SBOM and license format that documents what's really inside your software.

Marina Petrov
Compliance Analyst
7 min read

SPDX (Software Package Data Exchange) is an open, ISO/IEC 5962:2021-standardized format for documenting the components, licenses, copyrights, and relationships inside a piece of software. So what is SPDX, in practical terms? It's the file format most commonly used to produce a Software Bill of Materials (SBOM)—a structured inventory that lists every package, library, and dependency bundled into an application, along with metadata like version numbers, checksums, and license identifiers. Originally developed by the Linux Foundation to solve open-source license compliance headaches, SPDX has since become one of the two dominant SBOM standards (alongside CycloneDX) referenced in U.S. federal procurement rules, EU Cyber Resilience Act guidance, and enterprise vendor security questionnaires. It exists so that anyone downstream—a security team, an auditor, a customer—can answer the question "what exactly is in this software, and can I legally and safely use it?" without reverse-engineering the build.

What Is SPDX Used For?

SPDX is used to create a machine-readable record of a software package's contents so that license compliance, vulnerability tracking, and provenance verification can happen automatically instead of manually. Before SBOM standards existed, companies shipping software built on open source often had no reliable way to answer "does our product contain any GPL-licensed code that triggers copyleft obligations?" Legal teams would manually audit source trees, a process that could take weeks for a large codebase and was obsolete the moment a new dependency was added.

A concrete example: when a healthcare software vendor acquires a smaller company's codebase, due diligence typically requires proving that no component carries a license incompatible with the acquirer's commercial distribution model. An SPDX document generated from that codebase lists every package (say, a JSON parsing library under MIT, a compression utility under Apache-2.0, and a UI framework under LGPL-3.0), letting legal and security teams flag the LGPL component for review in minutes rather than searching thousands of files for license headers.

What Is the SPDX License Format and Why Does It Matter?

The SPDX license format is a standardized list of short identifiers—like MIT, Apache-2.0, GPL-3.0-only, or BSD-3-Clause—that map to a canonical, machine-parseable representation of each license's exact text and terms. Before this format existed, the same license might appear in source files with slightly different wording, formatting, or even typos, making automated matching unreliable. The SPDX License List, maintained and versioned by the Linux Foundation, currently catalogs several hundred licenses and exceptions, each with a stable short identifier that tools can match exactly.

This matters because the license format also supports license expressions—boolean combinations like (MIT OR Apache-2.0) for dual-licensed code, or GPL-2.0-or-later WITH Classpath-exception-2.0 for licenses with carve-outs. A real-world case: OpenJDK's Classpath exception modifies GPL obligations specifically so that linking against Java's standard library doesn't force downstream applications into GPL terms. Without a standardized expression syntax, an automated compliance scanner would either misclassify this as pure GPL (blocking legitimate commercial use) or miss the exception entirely (creating real legal exposure). The SPDX license format encodes that nuance precisely.

What Does an SPDX SBOM Standard Document Actually Contain?

An SPDX SBOM standard document contains four core categories of information: package identification, licensing data, relationships between components, and provenance/verification data like cryptographic hashes. At the package level, each entry typically includes a name, version, supplier, download location, and a checksum (usually SHA-1 or SHA-256) that lets a consumer verify the exact bits they received match what the document describes.

The relationships section is what makes SPDX genuinely useful for supply chain analysis rather than just a flat parts list. It captures dependency graphs—which package DEPENDS_ON which, which file was GENERATED_FROM which source, which package CONTAINS which sub-component. Consider a Node.js application: a top-level package.json might declare 30 direct dependencies, but transitive resolution often pulls in 800-1,200 total packages. An SPDX document generated by a tool like syft or the SPDX SBOM tool captures that entire transitive graph, so when a vulnerability like the 2021 Log4Shell flaw surfaces in a deeply nested dependency, teams can query the SBOM to find every affected build instantly instead of manually walking dependency trees across dozens of repositories.

SPDX documents can be expressed in several serializations—tag-value (a simple key-value text format), RDF/XML, JSON, YAML, and spreadsheet formats—with JSON now the most common for tooling interoperability, especially since SPDX 2.3 and the newer SPDX 3.0 model expanded support for AI/ML model metadata and build provenance alongside traditional package data.

SPDX vs CycloneDX: Which SBOM Standard Should You Use?

In the SPDX vs CycloneDX comparison, the practical difference is one of origin and emphasis: SPDX evolved from license-compliance tooling and excels at detailed licensing and legal metadata, while CycloneDX was built by the OWASP community with a security-first focus on vulnerability correlation and lightweight component tracking. Both are legitimate NTIA-recognized SBOM formats, both support JSON, and both are accepted by major SBOM consumers, but they optimize for different primary use cases.

In practice, many organizations end up producing both. A software vendor selling into government contracts might generate an SPDX SBOM to satisfy procurement requirements referencing ISO/IEC 5962, while simultaneously generating a CycloneDX document because their vulnerability scanning pipeline (many of which grew up around CycloneDX's VEX—Vulnerability Exploitability eXchange—extension) consumes that format natively. The good news is that mature SBOM tooling, including most modern SCA (software composition analysis) scanners, can export both formats from a single build analysis, so choosing one doesn't necessarily mean abandoning the other's ecosystem benefits.

How Did Software Package Data Exchange Become an Industry Standard?

Software Package Data Exchange became a formal industry standard through a decade-long process that moved it from a Linux Foundation working group project to an accredited ISO/IEC international standard. The project launched in 2010, addressing a problem the Linux Foundation observed repeatedly: companies distributing Linux-based products struggled to track open-source license obligations across thousands of bundled packages, and no shared vocabulary existed for describing that data consistently between vendors, distributors, and customers.

SPDX reached version 2.0 in 2015, adding richer relationship and snippet-level licensing support (useful when a single file contains code under multiple licenses). The format's biggest inflection point came after the U.S. Executive Order 14028 on cybersecurity (May 2021), which directed NTIA to define minimum SBOM elements—SPDX and CycloneDX were both identified as formats satisfying those elements. In 2021, SPDX was formally published as ISO/IEC 5962:2021, giving it standing as an internationally recognized standard rather than just an industry convention, which accelerated adoption in regulated sectors like healthcare, finance, and defense contracting where ISO-certified processes are often a procurement prerequisite.

How Safeguard Helps

Safeguard treats SBOM generation and validation as a continuous supply chain security control, not a point-in-time compliance artifact. When code moves through your pipeline, Safeguard automatically generates SPDX-compliant SBOMs (alongside CycloneDX where needed) for every build, capturing the full transitive dependency graph, license expressions, and cryptographic checksums described above—so you're never reconstructing this data manually during an audit or customer security review.

Beyond generation, Safeguard continuously cross-references SBOM contents against vulnerability feeds and license policy rules you define, flagging newly disclosed CVEs in existing dependencies and surfacing license conflicts (like an unexpected copyleft component) before they reach production. Because Safeguard tracks provenance alongside the SBOM itself—build environment, source commit, signing attestations—teams get not just an inventory of what's inside their software, but verifiable proof of where each component came from and whether it's been tampered with since. That combination turns SPDX from a compliance checkbox into an operational tool your security team actually uses to reduce real supply chain risk.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.