The System Package Data Exchange (SPDX) 3.0 is a standard for communicating bill of material information, including: software components; licenses and copyrights; security vulnerabilities, defects, and other quality data; software build information; artificial intelligence (AI) models; datasets; creator, supplier and distributor identity information; provenance and integrity; relationships between system elements; software usage and lifecycle; and mechanisms to enable annotating SPDX elements and linking between multiple SPDX Documents. SPDX reduces redundant work by providing a common format for companies and communities to share important data, thereby streamlining and improving compliance.
Published: ISO/IEC 5962:2021
Project: ISO/IEC DIS 5962
Stage: 40.20 (DIS ballot initiated: 12 weeks), Mar 16, 2026