SPDX 2.2 Specification Released
Kate Stewart | 07 May 2020
The SPDX technical community is delighted to announce that the 2.2 version of the specification has been released! We started working on the first version of the SPDX specification 10 years ago, and it has continued to improve and evolve to support the automation of more software bill of materials information over the years. This release incorporates a significant amount of input from our tooling and user communities to enable new use cases to be better represented.
Some of the highlights for this release include:
- Updated Charter to broaden applicable scenarios that SPDX documents can be used to represent that have been requested by users, and align with NTIA SBOM efforts.
- Extended the valid file formats that can be used to represent an SPDX document to include JSON, YAML, and a development version of XML. A set of example documents illustrating use of these formats can be found in v2.2/examples
- Extended Relationships by addition of 13 new relationship types requested from tool creators (mostly to represent dependencies), as well as support for relationships to NOASSERTION or NONE as a way to indicate “known unknown” and “no relationships” respectively.
- Added new fields to Packages, Files, and Snippets to capture “Attribution text”.
- Extended Appendix VI: Appendix VI: External Repository Identifiers to include support for PURL (Package URLs) and SWHIDs (Software Heritage Persistent Identifiers).
- Added Appendix VIII: SPDX Lite as a first recognized SPDX profile. This subset of SPDX 2.2 originated from the use cases that the OpenChain Japan workgroup highlighted. They created it to be able to accept basic information from their suppliers who were not able to generate full SPDX documents with all optional fields.
- Added Appendix IX: SPDX File Tags to enable use of file-specific information from SPDX defined fields in source code as supported by Version 3.0 of the REUSE Software Specification.
- Updated Appendix V: Using SPDX License List short identifiers in Source Files to include support for use of LicenseRef- identifiers, to express custom identifiers for licenses that are not on the SPDX License List. This has been coordinated with Version 3.0 of the REUSE Software Specification to enable projects to provide a standardized format that can optionally be used for providing the corresponding license text for these identifiers.
- Updated Appendix II: License Matching Guidelines to allow embedded rules within optional rules for generated SPDX license templates.
- Updated Appendix IV: SPDX License Expressions to add some clarification on the case sensitivity of license expressions and handling of multi-line license expressions.
- Updated Appendix I: License List to now reference version 3.8.
- And numerous formatting, grammatical, and spelling fixes that escaped our reviewers in version 2.1.1
The project members would like to thank our recent contributors to this release, who have enriched it with their new perspectives, as well as our ongoing participants. A full list of those who have contributed by participating in the many discussions, adding comments, and making suggestions for improvements to the SPDX specification as it’s evolved over the last 10 years can be found at the Credits page!
Cloud Computing Compliance and Security Projects Linux How-To Diversity & Inclusion Open Source Best Practices 2022 Events Cross Technology Training and Certification LFX Open Source Blockchain Research Legal Networking and Edge Data Governance Green Software Foundation LF Energy LF Research OpenChain System Administration