SPDX
Definition
SPDX (Software Package Data Exchange) is an open standard for communicating software bill of materials (SBOM) information, including metadata about software components, their licenses, and security vulnerabilities. It is designed to improve transparency and to facilitate compliance with open source licenses by providing a standardized format for documenting the contents and licensing of software packages. Because an SPDX file records the origin and licensing of each component, it makes the legal and security risks in a software supply chain easier to track and manage.
Secure Settings Example
# SPDX Document for a software package (tag-value format)
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: ExampleProject
DocumentNamespace: http://spdx.org/spdxdocs/exampleproject-1.0
Creator: Tool: SPDX-Tools-2.1
Created: 2023-10-01T12:00:00Z
# Package information
PackageName: ExampleLibrary
SPDXID: SPDXRef-Package-ExampleLibrary
PackageVersion: 1.0.0
# Concluded and declared licenses agree, so the license status is unambiguous
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageDownloadLocation: NOASSERTION
# true means the package contents were inspected; SPDX 2.2 then also requires a PackageVerificationCode
FilesAnalyzed: true
Insecure Settings Example
# SPDX Document with incomplete and incorrect information
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: IncompleteProject
DocumentNamespace: http://spdx.org/spdxdocs/incompleteproject-1.0
Creator: Tool: SPDX-Tools-2.1
Created: 2023-10-01T12:00:00Z
# Package information with missing license data
PackageName: IncompleteLibrary
SPDXID: SPDXRef-Package-IncompleteLibrary
PackageVersion: 1.0.0
# NOASSERTION means the producer made no claim, so the license is unknown to consumers
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
# No download location, so the package's origin cannot be verified
PackageDownloadLocation: NOASSERTION
# false means the package contents were never inspected
FilesAnalyzed: false
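The following is an added example, not code from the page or from the SPDX project: a small parser for the SPDX 2.x tag-value format shown above, together with a completeness check of the kind an SBOM consumer would run before trusting a document. The checks are an assumed local policy (NOASSERTION licenses, no download location, FilesAnalyzed false, and FilesAnalyzed true without the PackageVerificationCode that SPDX 2.2 requires), not rules defined by the SPDX standard itself. The three documents embedded in the block are constructed: two mirror the page's examples and the third is a hardened variant with a constructed download URL and the SPDX specification's example verification code. Note that the page's "secure" example still trips two findings, the NOASSERTION download location and the missing verification code.

```python
"""Parse SPDX 2.x tag-value text and flag packages whose metadata is too weak to act on.
Added example with an assumed policy; it is not part of the SPDX specification."""
import re

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")

REQUIRED_DOC_TAGS = ("SPDXVersion", "DataLicense", "SPDXID", "DocumentName",
                     "DocumentNamespace", "Creator", "Created")


def parse_tag_value(text):
    """Return (document_fields, [package_fields, ...]).

    Every 'PackageName' tag opens a new package; tags before the first one
    belong to the document. Blank lines and '#' comments are ignored.
    """
    doc, packages = {}, []
    current = doc
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = TAG_RE.match(line)
        if not match:
            continue  # tolerate free text such as <text>...</text> continuation lines
        tag, value = match.group(1), match.group(2).strip()
        if tag == "PackageName":
            current = {}
            packages.append(current)
        current[tag] = value
    return doc, packages


def check_package(pkg):
    """Return a list of findings for one package (assumed policy, see module docstring)."""
    findings = []
    name = pkg.get("PackageName", "<unnamed>")
    for tag in ("PackageLicenseConcluded", "PackageLicenseDeclared"):
        if pkg.get(tag, "NOASSERTION") == "NOASSERTION":
            findings.append(f"{name}: {tag} is NOASSERTION (license unknown)")
    if pkg.get("PackageDownloadLocation", "NOASSERTION") in ("NOASSERTION", "NONE"):
        findings.append(f"{name}: PackageDownloadLocation gives no provenance")
    if pkg.get("FilesAnalyzed", "true").lower() == "false":
        findings.append(f"{name}: FilesAnalyzed is false (contents not inspected)")
    elif "PackageVerificationCode" not in pkg:
        # SPDX 2.2 makes PackageVerificationCode mandatory when FilesAnalyzed is true or omitted
        findings.append(f"{name}: FilesAnalyzed is true but PackageVerificationCode is missing")
    if "PackageVersion" not in pkg:
        findings.append(f"{name}: PackageVersion missing")
    return findings


def audit(text):
    """Audit a whole tag-value document; an empty list means it passes the assumed policy."""
    doc, packages = parse_tag_value(text)
    findings = [f"document: missing {tag}" for tag in REQUIRED_DOC_TAGS if tag not in doc]
    if not packages:
        findings.append("document: no packages described")
    for pkg in packages:
        findings.extend(check_package(pkg))
    return findings


# Constructed inputs: the first two mirror the page's examples.
SECURE_DOC = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: ExampleProject
DocumentNamespace: http://spdx.org/spdxdocs/exampleproject-1.0
Creator: Tool: SPDX-Tools-2.1
Created: 2023-10-01T12:00:00Z
PackageName: ExampleLibrary
SPDXID: SPDXRef-Package-ExampleLibrary
PackageVersion: 1.0.0
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: true
"""

INSECURE_DOC = SECURE_DOC.replace("MIT", "NOASSERTION").replace("FilesAnalyzed: true",
                                                                 "FilesAnalyzed: false")

# Hardened variant: constructed download URL; verification code is the SPDX spec's example value.
HARDENED_DOC = SECURE_DOC.replace(
    "PackageDownloadLocation: NOASSERTION",
    "PackageDownloadLocation: https://example.com/downloads/ExampleLibrary-1.0.0.tar.gz",
).replace("FilesAnalyzed: true",
          "FilesAnalyzed: true\nPackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758")

if __name__ == "__main__":
    for label, text in (("secure", SECURE_DOC), ("insecure", INSECURE_DOC), ("hardened", HARDENED_DOC)):
        print(label, audit(text) or "OK")
```

The parser keys packages on the PackageName tag, which is how the tag-value format delimits package sections, so the document-level SPDXID and the package-level SPDXID land in different dictionaries even though the tag name is the same. Treat the findings as a gate in CI rather than a report: an SBOM whose packages carry NOASSERTION licenses and FilesAnalyzed: false cannot answer the two questions it exists to answer, what is in the build and under what terms.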