{"id":13532861,"url":"https://github.com/spdx/spdx-spec","last_synced_at":"2026-01-24T18:08:35.534Z","repository":{"id":37484089,"uuid":"90892520","full_name":"spdx/spdx-spec","owner":"spdx","description":"The System Package Data Exchange (SPDX) specification in Markdown and HTML formats.","archived":false,"fork":false,"pushed_at":"2025-03-11T10:21:47.000Z","size":106300,"stargazers_count":316,"open_issues_count":79,"forks_count":141,"subscribers_count":33,"default_branch":"develop","last_synced_at":"2025-03-24T05:16:54.350Z","etag":null,"topics":["bill-of-materials","licenses","linux-foundation","sbom","software-bill-of-materials","software-package-data-exchange","software-transparency","spdx","spdx-sbom","specification"],"latest_commit_sha":null,"homepage":"https://spdx.github.io/spdx-spec/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/spdx.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-05-10T17:47:17.000Z","updated_at":"2025-03-15T20:24:40.000Z","dependencies_parsed_at":"2023-02-14T19:32:05.592Z","dependency_job_id":"66e7f39c-c21c-4886-aaeb-6c48555a7bdc","html_url":"https://github.com/spdx/spdx-spec","commit_stats":null,"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spdx%2Fspdx-spec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spdx%2Fspdx-spec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spdx%2Fspdx-spec/re
leases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spdx%2Fspdx-spec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/spdx","download_url":"https://codeload.github.com/spdx/spdx-spec/tar.gz/refs/heads/develop","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246713073,"owners_count":20821836,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bill-of-materials","licenses","linux-foundation","sbom","software-bill-of-materials","software-package-data-exchange","software-transparency","spdx","spdx-sbom","specification"],"created_at":"2024-08-01T07:01:14.380Z","updated_at":"2026-01-24T18:08:35.527Z","avatar_url":"https://github.com/spdx.png","language":"Python","funding_links":[],"categories":["OSS and Dependency management","others"],"sub_categories":[],"readme":"# The System Package Data Exchange™ (SPDX®) Specification\n\nThe System Package Data Exchange™ (SPDX®) specification is an open standard\ndesigned to represent systems containing software components as\nSoftware Bill of Materials (SBOMs).\nAdditionally, SPDX supports AI, data, and security references,\nmaking it suitable for a wide range of risk management use cases.\n\nThe SPDX standard helps facilitate compliance with free and open source\nsoftware licenses by standardizing the way license information is shared across\nthe software supply chain. 
SPDX reduces redundant work by providing a common\nformat for companies and communities to share important data about software\nlicenses and copyrights, thereby streamlining and improving compliance.\n\nCurrent stable version:\n\n- The current stable specification is available at:\n  \u003chttps://spdx.github.io/spdx-spec/\u003e\n\nNext version (work in progress):\n\n- A preview of the next version, currently under active development, is\n  available at:\n  \u003chttps://spdx.github.io/spdx-spec/develop/\u003e\n  (This website is automatically updated with each commit to the `develop`\n  branch).\n\nTranslations of the specification may be available.\nEnglish remains the normative language in all cases.\n\n## Specification development\n\nThe specification is comprised of documents located in the [`docs/`](./docs/)\ndirectory of this `spdx/spdx-spec` repository,\nas well as model documentation generated from Markdown files within the\n[spdx/spdx-3-model](https://github.com/spdx/spdx-3-model/) repository.\n\nContributions, including translations, are welcome.\nContributions to this repository are made pursuant to the\n[SPDX Community Specification Contributor License Agreement 1.0][cla].\nPlease see the contributing guidelines, governance practices,\nand build instructions in the\n[related documents](#related-documents-and-repositories) section.\n\n[cla]: https://github.com/spdx/governance/blob/main/0._SPDX_Contributor_License_Agreement.md\n\n## Repository structure\n\nThis repository consists of these files and directories (partial):\n\n- `.github/workflows` - Workflow definitions.\n  - [`publish_v3.yml`](.github/workflows/publish_v3.yml)\n    The website (HTML) generation workflow.\n- `bin/` - Scripts for spec generation.\n- `docs/` - Specification content:\n  - `annexes/` - Annexes for the specification.\n  - `css/` - Style sheets for HTML.\n  - `front/` - Front matter.\n  - `images/` - Model diagrams. 
These image files are to be generated from a\n    diagram description file\n    [model.drawio](https://github.com/spdx/spdx-3-model/blob/develop/docs/model.drawio)\n    in the `spdx/spdx-3-model` repo and manually copied here.\n  - `licenses/` - Licenses that are used by the SPDX specifications.\n  - `model/` - Model files. This subdirectory _is to be created_ by a script\n    from `spdx/spec-parser` repo, using model information from\n    `spdx/spdx-3-model` repo (see the [build instructions](./build.md)).\n- `examples/` - Examples of various SPDX serializations for the current version\n  of the spec.\n- `rdf/` - Model RDF files. These ontology files are generated from model\n  Markdown files in the `spdx/spdx-3-model` repo and manually copied here.\n- `mkdocs.yml` - MkDocs recipe for the spec documentation generation. The\n  inclusion of model files and the order of chapters are defined here.\n\n## Branch structure\n\nThe SPDX spec repo follows the [Gitflow][gitflow] workflow with the addition of support branches.\n\n[gitflow]: https://gist.github.com/HeratPatel/271b5d2304de2e2cd1823b9b62bf43e0\n\nThe branches in use are:\n\n- `main` - This will always be the latest released specification.\n- `develop` - This branch will be where the active development for the next\n  major or minor version takes place.\n  Once released, the `develop` branch will be merged into the `main` branch.\n- `support/x.y` - These branches will be long-lived and contain any updates to\n  a minor version of the specification.\n  `x.y` represents the MAJOR.MINOR version, following Semantic Versioning\n  (SemVer) conventions.\n  Once any changes are accepted and released, the support branch will be tagged\n  and merged into both `develop` and `main` branches.\n- General feature or fix branches - there may be feature branches made for\n  specific enhancements or fixes to the spec.\n  These will be short-lived and merged into either a `support` branch or the\n  `develop` branch.\n- `gh-pages` - 
This branch hosts generated HTML websites for all versions of\n  the specification. It is primarily managed by an automated workflow.\n\n## Related documents and repositories\n\n| Documentation | Link |\n|---------|------|\n| Changes between versions | [CHANGELOG.md](./CHANGELOG.md) |\n| Contributing guidelines | [CONTRIBUTING.md](./CONTRIBUTING.md) |\n| Building the specification website (for testing purposes) | [build.md](build.md) |\n| Governance practices | [spdx/governance](https://github.com/spdx/governance/) |\n| SPDX 3 model development | [spdx/spdx-3-model](https://github.com/spdx/spdx-3-model/) |\n| Model specification parser | [spdx/spec-parser](https://github.com/spdx/spec-parser/) |\n| How to use the specification | [spdx/using](https://github.com/spdx/using/) |\n| Use cases and scenarios | [spdx/spdx-examples](https://github.com/spdx/spdx-examples/) |\n| SPDX website, with more information about the specification | \u003chttps://spdx.org\u003e |\n| Official releases of the specification, including PDFs | \u003chttps://spdx.org/specifications\u003e |\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspdx%2Fspdx-spec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspdx%2Fspdx-spec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspdx%2Fspdx-spec/lists"}