What Is SPDX and How Does It Work? | Synopsys
Go Back
By Industry
By Technology
Synopsys Cloud
Synopsys Cloud

Cloud native EDA tools & pre-optimized hardware platforms

Request a Free Evaluation →
Synopsys Cloud Insights
Cloud Insights

Insights & answers to help you familiarize yourself with the best cloud solution for EDA

Explore →
View All Solutions →
Explore Silicon Design & Verification

Synopsys is a leading provider of electronic design automation solutions and services.

Families
Optical Design
Photonic Design
Design
3D Image Processing
Verification
Modeling & Simulation
Silicon Engineering
Try Synopsys Cloud
Synopsys Cloud

Unlimited access to EDA software licenses on-demand

Free Evaluation →
Explore Silicon IP

Synopsys is a leading provider of high-quality, silicon-proven semiconductor IP solutions for SoC designs.

Interface IP
Processor IP
Analog IP
Memories & Libraries
SoC Architecture
Security IP
SoC Infrastructure IP
IP Accelerated
IP Markets
Synopsys IP Portfolio Cover
Synopsys IP Portfolio
Download Brochure →
Synopsys IP Technical Bulletin
Read Latest Issue →
Explore Application Security

Synopsys helps you protect your bottom line by building trust in your software—at the speed your business demands.

Integrated AppSec Solutions
Software Risk Analysis
AppSec Program Services
2022 Gartner® Magic Quadrant™ for Application Security Testing
2022 Gartner® Magic Quadrant™ for Application Security Testing
Download Now →
View All Products →
Company Overview
Resources
SNUG 2023 | Synopsys
SNUG 2023

Call for Content is Now Open!

Apply Now! →
Synopsys Job Search Thumbnail
Pursue Your Passion

Start Your Job Search

Apply Now →
Table of Contents

Definition

Software Package Data Exchange (SPDX) is an open standard (or format) for communicating software Bill of Materials (SBOM) information including components, licenses, copyrights, and security references. Using a standardized format for presenting this information ensures that it consistent across industries and companies, which helps reduce reformatting efforts, makes it easier to share information, and streamlines compliance activities.

How does SPDX work?

Companies adopt SPDX to seamlessly communicate data about the components, licenses, and copyrights associated with their software packages. Giving and receiving information about software “ingredients” is made simple by the use of a standardized and machine-readable format. 

Who uses SPDX?

Anyone can use it. Currently, its adoption is growing with both open source projects and organizations creating commercial software. With the increased standards around supply chain security resulting from President Biden’s executive order last year, adoption has continued to increase. SPDX is particularly useful for organizations that build software or operate enterprise software.

<p>Learn how to identify the weak points in your software supply chain, and what tools and practices are necessary to address them. </p>

Your Recipe for an Actionable SBOM

Learn how to identify the weak points in your software supply chain, and what tools and practices are necessary to address them. 

Download the eBook

What are the benefits of using SPDX?

SPDX includes information that identifies the software package, the package level, and the file level licensing and copyright data. It also shows who created the file, and when and how. This information is critical for security and license compliance activities and requirements. Standard formatting also makes it easier to select standardized tooling, which makes security processes more efficient. 

Fitting SPDX in the SBOM composition | Synopsys

Why is SPDX important?

SPDX resolves requirements in EO 14028 pertaining to a software Bill of Materials. It provides a specific file format that identifies the software components within larger pieces of software and the licenses associated with their components.

More generally, SPDX also helps resolve common challenges.

  • SPDX addresses the licensing complications that can arise from the use of software and binaries received from suppliers.
  • SPDX eliminates the need to create customized SBOMs. With a standardized format, everyone creates consistent documents, so there’s no need to spend time and effort reformatting.
  • SPDX removes the need to define and create SBOM formats for both suppliers and consumers of software, freeing up resources and bandwidth.

What is an SBOM generator?

SBOM generators are tools that can identify and inventory all software components within an application and produce them in a report (an SBOM). This report is formatted to comply with NTIA requirements. 

How can Synopsys help?

Black Duck® is a multifactor open source scanning technology that provides the most complete and accurate view of open source in applications and containers. Our open source detection combines build process monitoring and file system scanning to track all open source in use, including components most solutions miss.

Black Duck is now making it easier for users to secure the software supply chain with an update to its SBOM export utility. The utility exports SPDX 2.2 and ISO standard ISO/IEC 5962:2021, which populates the fields necessary to comply with NIST standards, as referenced in Executive Order 14028. 

Related SBOM content

Blog

See how to build an SBOM in minutes

Read the blog post
eBook

Cheat Sheet: Your Recipe for an Actionable SBOM

Read the eBook
Guide

Securing Your Software Supply Chain: A Solution Guide

Read the guide
Video

Methods and tools for SBOM generation

Watch the video