{"id":44740559,"url":"https://github.com/spdx/spdx-3-model","last_synced_at":"2026-02-15T20:36:03.998Z","repository":{"id":37088341,"uuid":"418272793","full_name":"spdx/spdx-3-model","owner":"spdx","description":"The model for the information captured in SPDX version 3 standard.","archived":false,"fork":false,"pushed_at":"2026-02-10T17:33:32.000Z","size":52070,"stargazers_count":97,"open_issues_count":132,"forks_count":62,"subscribers_count":21,"default_branch":"develop","last_synced_at":"2026-02-10T21:19:54.743Z","etag":null,"topics":["bill-of-materials","linux-foundation","ontology","sbom","software-bill-of-materials","software-package-data-exchange","software-transparency","spdx","spdx-sbom"],"latest_commit_sha":null,"homepage":"https://spdx.dev/use/specifications/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/spdx.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"Contributing.md","funding":null,"license":"License.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":"Governance.md","roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":"CLA.md"}},"created_at":"2021-10-17T22:37:45.000Z","updated_at":"2026-02-10T17:33:37.000Z","dependencies_parsed_at":"2026-01-08T18:06:09.192Z","dependency_job_id":null,"html_url":"https://github.com/spdx/spdx-3-model","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/spdx/spdx-3-model","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spdx%2Fspdx-3-model","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spdx%2Fspdx-3-model
/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spdx%2Fspdx-3-model/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spdx%2Fspdx-3-model/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/spdx","download_url":"https://codeload.github.com/spdx/spdx-3-model/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spdx%2Fspdx-3-model/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29488726,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-15T19:29:10.908Z","status":"ssl_error","status_checked_at":"2026-02-15T19:29:10.419Z","response_time":118,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bill-of-materials","linux-foundation","ontology","sbom","software-bill-of-materials","software-package-data-exchange","software-transparency","spdx","spdx-sbom"],"created_at":"2026-02-15T20:36:03.332Z","updated_at":"2026-02-15T20:36:03.993Z","avatar_url":"https://github.com/spdx.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# SPDX 3 model\n\nThe System Package Data Exchange® (SPDX®) is a standard format for\ncommunicating information about components associated with systems.\n\nComponents can include software, AI/ML 
models and datasets.\nMore component types that make up modern systems are planned to be included in\nsubsequent releases. See [scope](scope.md).\n\nThe prior version of this format was focused on Software, is an ISO/IEC\nstandard ([ISO/IEC 5962:2021](https://www.iso.org/standard/81870.html)) and has\nwide industry adoption as a standardized Software Bill of Materials (SBOM).\nAll use cases supported by the prior version are supported here as well.\n\nThis repository holds the model for the information captured in the SPDX version 3\nstandard.\n\nTranslations of the information model may be available.\nEnglish remains the normative language in all cases.\n\n## Table of contents\n\n- [Branch structure](#branch-structure)\n- [Formats](#formats)\n- [Model](#model)\n  - [Profiles](#profiles-of-the-model)\n- [Serialization and validation](#serialization-and-validation)\n- [Change log](#change-log)\n- [Glossary](#glossary)\n- [Contribute](#contribute)\n\n## Branch structure\n\nThe SPDX 3 model repo follows the\n[Gitflow](https://gist.github.com/HeratPatel/271b5d2304de2e2cd1823b9b62bf43e0)\nworkflow with the addition of support branches.\n\nThe branches in use are:\n\n- `main` - This will always be the latest released specification.\n- `develop` - This branch will be where the active development for the next\n  major or minor version takes place.\n  Once released, the `develop` branch will be merged into the `main` branch.\n- `support/x.y` - These branches will be long-lived and contain any updates to\n  a minor version of the specification.\n  Additions such as translations can be added to the support branch.\n  `x.y` represents the MAJOR.MINOR version, following Semantic Versioning\n  (SemVer) conventions.\n  Once any changes are accepted and released, the support branch will be tagged\n  and merged into both `develop` and `main` branches.\n- General feature or fix branches - there may be feature branches made for\n  specific enhancements or fixes to the spec.\n  These will 
be short-lived and merged into either a `support` branch or the\n  `develop` branch.\n\n## Formats\n\nThe editable files inside the `model/` directory are written in a\n[constrained subset of Markdown][format],\nwith specific headings for specific types of information,\nand are stored in the `main` branch.\n\nTextual descriptions of these model files\n[can be translated][translation] into other natural languages.\n\nThe editable files are automatically processed by\n[spec-parser](https://github.com/spdx/spec-parser/)\nand the following are generated:\n\n- Input for [MkDocs](https://www.mkdocs.org/), which then generates the\n  [specification](https://spdx.github.io/spdx-spec/v3.1-dev/)\n- [JSON-LD context](http://niem.github.io/json/reference/json-ld/context/)\n  file: [spdx-context.jsonld](https://spdx.github.io/spdx-spec/v3.1-dev/rdf/spdx-context.jsonld)\n- Model [SHACL](https://en.wikipedia.org/wiki/SHACL) and\n  [OWL](https://www.w3.org/OWL/) files:\n  - [Turtle format](https://en.wikipedia.org/wiki/Turtle_(syntax)):\n    [spdx-model.ttl](https://spdx.github.io/spdx-spec/v3.1-dev/rdf/spdx-model.ttl)\n  - [JSON-LD format](https://json-ld.org/):\n    [spdx-model.jsonld](https://spdx.github.io/spdx-spec/v3.1-dev/rdf/spdx-model.jsonld)\n\nPeople who wish to read the current version of the information\nshould be viewing the generated files, while anyone wanting to edit\nshould be working on the editable files.\n\nThe specification content other than the model is in the\n[spdx-spec](https://github.com/spdx/spdx-spec/) repository.\n\n## Model\n\nThe SPDX model is described using profiles related to the software application.\nThe profiles are organized as sub-directories under the `model/` directory.\n\nThe model diagram is available in the [model.drawio][model-diagram] file\nand in the [`images/`](./images/) directory.\n\n\u003ca href=\"./images/\" title=\"Click to see more profile diagrams\" \u003e\u003cimg src=\"./images/model-Core.png\" alt=\"Core profile diagram\" 
height=\"120\" /\u003e\u003c/a\u003e\n\nNote:\n\n1. The ‘Licensing’ profile has three categories (sub-directories): ‘Licensing’,\n  ‘SimpleLicensing’, and ‘ExpandedLicensing’.\n2. The ‘extension’ namespace (sub-directory) provides for adding information\n  about the software application which is not otherwise covered under the SPDX\n  model.\n\n### Profiles of the model\n\n#### AI\n\nThe AI profile describes an AI component's capabilities for a specific system\n(domain, model type, industry standards). It details its usage within the\napplication, limitations, training methods, data handling, explainability, and\nenergy consumption.\n\n#### Build\n\nThe Build profile contains information about the build done for the software application.\nFields include build type URI (of toolchain, platform, or infrastructure),\nlocally unique build identifier assigned by the developer,\nentry point of creation of build, URI of the build configuration source if any,\ndigest of build configuration source if any, build parameters,\nstart time of the build, end time of the build,\nand the system’s environment variables at the time of the build.\n\n#### Core\n\nThe Core profile describes the foundational classes and properties that are\nused by all profiles of the SPDX model.\n\n#### Dataset\n\nThe Dataset profile describes a dataset's core aspects (type, size, collection\nmethod), access method, preparation (preprocessing, noise handling), intended\nuse (e.g. 
hardware calibration, machine learning), and related considerations\n(data quality and privacy).\n\n#### Licensing\n\nThe Licensing profile describes the aspects of licensing for the software\napplication under three categories (sub-directories) -\nLicensing, SimpleLicensing, and ExpandedLicensing.\n\n- Licensing describes information about declared licenses and concluded\n  (detected) licenses.\n- SimpleLicensing describes information about text-formatted licenses.\n- ExpandedLicensing describes information about parseable and machine-readable\n  licenses.\n\n#### Lite\n\nThe SPDX Lite profile defines a subset of the SPDX specification for use cases\nand workflows in some industries.\n\n#### Security\n\nThe Security profile contains information about vulnerabilities and their\nassessments based on CVSS (versions 2, 3, and 4), EPSS, Exploit Catalog, SSVC,\nand VEX (affected, not affected, under investigation, and fixed categories).\n\n#### Software\n\nThe Software profile contains information about files, packages, SBOMs,\nsnippets, and artifacts of the software application.\n\n## Serialization and validation\n\nInformation about serialization of SPDX 3 documents can be found in the\n[Serialization information][sr-spec] section in the \"Model and serializations\"\nchapter of the SPDX specification.\n\nFor additional technical information about serialization,\nplease see [Notes on serialization][sr-notes].\n\nFor information about the validation of SPDX 3 JSON documents,\nusing JSON Schema and the SHACL model,\nplease see [Validating SPDX 3 JSON Documents][validate-spdx3].\n\n## Change log\n\nSee [CHANGELOG.md](CHANGELOG.md) for changes between versions.\n\n## Glossary\n\nSee [glossary][glossary] for definitions and explanations of terms used throughout the specification.\n\n## Contribute\n\nFor information about how to contribute to a specific profile,\nplease see [Contributing.md](Contributing.md).\n\nFeel free to join us and contribute!\n\nThe discussions are 
happening on the\n[spdx-tech mailing list][spdx-tech-list]\nand during our [regular meetings][meetings].\n\nAll the details are in: \u003chttps://spdx.dev/participate/tech/\u003e\n\n[format]: ./docs/format.md\n[translation]: ./docs/translation.md\n[model-diagram]: ./docs/model.drawio\n[sr-spec]: https://github.com/spdx/spdx-spec/blob/develop/docs/serializations.md#serialization-information\n[sr-notes]: ./serialization/README.md\n[validate-spdx3]: ./serialization/jsonld/validation.md\n[glossary]: ./docs/glossary.md\n[meetings]: https://github.com/spdx/meetings/\n[spdx-tech-list]: https://lists.spdx.org/mailman/listinfo/spdx-tech\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspdx%2Fspdx-3-model","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspdx%2Fspdx-3-model","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspdx%2Fspdx-3-model/lists"}