ISO/IEC 5962:2021
Information technology — SPDX® Specification V2.2.1
This Software Package Data Exchange® (SPDX®) specification defines a standard data format for communicating the component and metadata information associated with software packages. An SPDX document can be associated with a set of software packages, files or snippets and contains information about the software in the SPDX format described in this specification.
Technologies de l'information — Spécification SPDX® V2.2.1
General Information
- Status: Published
- Publication Date: 23-Aug-2021
- Technical Committee: ISO/IEC JTC 1 - Information technology
- Drafting Committee: ISO/IEC JTC 1 - Information technology
- Current Stage: 9092 - International Standard to be revised
- Start Date: 07-Jan-2026
- Completion Date: 10-Jan-2026
Overview
ISO/IEC 5962:2021 - Information technology - SPDX® Specification V2.2.1 defines the SPDX (Software Package Data Exchange®) data model and standardized file formats for communicating metadata about software packages, files and code snippets. The standard specifies how to create an SPDX document (a Software Bill of Materials, or SBOM) that captures component identity, licensing, relationships and verification information in a consistent, machine-readable way.
Keywords: ISO/IEC 5962:2021, SPDX Specification V2.2.1, SPDX, SBOM, Software Bill of Materials, software supply chain, license compliance
Key topics and technical requirements
- Document composition and sections: defines required and optional sections such as document creation information, package information, file information, snippet information, licensing, relationships, annotations and review metadata.
- Conformance and profiles: describes conformance rules for current and previous SPDX versions, handling of obsolete features, and the SPDX Lite profile for minimal SBOM use cases.
- Field-level specifications: specifies the essential fields used in SPDX documents, for example:
  - SPDX version, document name, namespace and identifiers
  - Data license and creator/created metadata
  - Package fields (name, version, supplier/originator, download location, home page)
  - File and snippet descriptors, file checksums and package verification codes
  - Relationships between SPDX elements and other licensing information
- Standard data formats and serialization: defines how SPDX data is represented (standardized notations and serialization options), together with trademark compliance guidance.
- Traceability and verification: includes requirements for checksums and package verification codes aimed at enabling integrity checks and consistent provenance tracking.
Practical applications and users
- Software component inventory (SBOM): generating consistent SBOMs for internal asset management, procurement, and regulatory compliance.
- License compliance & legal review: automated detection and documentation of open-source license obligations and third-party component usage.
- Security and vulnerability management: mapping vulnerabilities to specific components and enabling rapid remediation across the software supply chain.
- Supply chain risk management & audits: auditors, compliance officers and security teams use SPDX documents to validate provenance and integrity.
- Tooling ecosystem: build, CI/CD, scanning and SBOM generation tools, package managers and vulnerability scanners implement the SPDX format to exchange component metadata.
Who uses it: software developers, DevOps engineers, security teams, license compliance/legal teams, SBOM tool vendors and auditors.
Related standards
- SPDX is commonly used alongside SBOM best practices and other SBOM formats (e.g., CycloneDX) to enable interoperable software supply-chain metadata exchange.
Frequently Asked Questions
ISO/IEC 5962:2021 is a standard published by the International Organization for Standardization (ISO). Its full title is "Information technology — SPDX® Specification V2.2.1". Its scope is as follows: the Software Package Data Exchange® (SPDX®) specification defines a standard data format for communicating the component and metadata information associated with software packages. An SPDX document can be associated with a set of software packages, files or snippets and contains information about the software in the SPDX format described in this specification.
ISO/IEC 5962:2021 is classified under the following ICS (International Classification for Standards) categories: 35.080 - Software. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC 5962:2021 is available in PDF format for immediate download after purchase. The document can be added to your cart and obtained through the secure checkout process. Digital delivery ensures instant access to the complete standard document.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 5962
First edition 2021-08
Information technology — SPDX® Specification V2.2.1
Technologies de l'information — Spécification SPDX® V2.2.1
Reference number
© ISO/IEC 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2021 – All rights reserved
Contents
Foreword . xiii
Introduction . xiii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 2
4 Conformance . 3
4.1 SPDX Current and Previous Versions . 3
4.2 Obsolete features . 3
4.3 Alternate notation for some conformance requirements . 3
4.4 Standard data format requirements . 4
4.5 Trademark Compliance . 5
4.6 The SPDX Lite profile . 5
5 Composition of an SPDX document . 6
5.1 What this specification covers . 6
5.2 Sections . 7
5.2.1 SPDX document creation information section . 7
5.2.2 Package information section . 7
5.2.3 File information section . 8
5.2.4 Snippet information section . 8
5.2.5 Other licensing information detected section . 9
5.2.6 Relationships between SPDX elements information section . 9
5.2.7 Annotations information section . 9
5.2.8 Review information section . 9
5.3 What this specification does not cover . 10
6 SPDX document creation information section . 10
6.1 SPDX version field . 10
6.1.1 Description . 10
6.1.2 Intent . 10
6.1.3 Examples . 10
6.2 Data license field . 11
6.2.1 Description . 11
6.2.2 Intent . 11
6.2.3 Examples . 11
6.3 SPDX identifier field . 12
6.3.1 Description . 12
6.3.2 Intent . 12
6.3.3 Examples . 12
6.4 Document name field . 12
6.4.1 Description . 12
6.4.2 Intent . 13
6.4.3 Examples . 13
6.5 SPDX document namespace field . 13
6.5.1 Description . 13
6.5.2 Intent . 14
6.5.3 Examples . 15
6.6 External document references field . 15
6.6.1 Description . 15
6.6.2 Intent . 15
6.6.3 Examples . 16
6.7 License list version field . 16
6.7.1 Description . 16
6.7.2 Intent . 17
6.7.3 Examples . 17
6.8 Creator field . 17
6.8.1 Description . 17
6.8.2 Intent . 18
6.8.3 Examples . 18
6.9 Created field . 18
6.9.1 Description . 18
6.9.2 Intent . 19
6.9.3 Examples . 19
6.10 Creator comment field . 19
6.10.1 Description . 19
6.10.2 Intent . 20
6.10.3 Examples . 20
6.11 Document comment field . 20
6.11.1 Description . 20
6.11.2 Intent . 21
6.11.3 Examples . 21
7 Package information section . 21
7.1 Package name field . 21
7.1.1 Description . 21
7.1.2 Intent . 21
7.1.3 Examples . 21
7.2 Package SPDX identifier field . 22
7.2.1 Description . 22
7.2.2 Intent . 22
7.2.3 Examples . 22
7.3 Package version field . 23
7.3.1 Description . 23
7.3.2 Intent . 23
7.3.3 Examples . 23
7.4 Package file name field . 23
7.4.1 Description . 23
7.4.2 Intent . 24
7.4.3 Examples . 24
7.5 Package supplier field . 24
7.5.1 Description . 24
7.5.2 Intent . 25
7.5.3 Examples . 25
7.6 Package originator field . 25
7.6.1 Description . 25
7.6.2 Intent . 26
7.6.3 Examples . 26
7.7 Package download location field . 27
7.7.1 Description . 27
7.7.2 Intent . 28
7.7.3 Examples . 28
7.8 Files analyzed field . 32
7.8.1 Description . 32
7.8.2 Intent . 32
7.8.3 Examples . 33
7.9 Package verification code field . 33
7.9.1 Description . 33
7.9.2 Intent . 34
7.9.3 Examples . 34
7.10 Package checksum field . 35
7.10.1 Description . 35
7.10.2 Intent . 35
7.10.3 Examples . 35
7.11 Package home page field . 36
7.11.1 Description . 36
7.11.2 Intent . 37
7.11.3 Examples . 37
7.12 Source information field . 37
7.12.1 Description . 37
7.12.2 Intent . 38
7.12.3 Examples . 38
7.13 Concluded license field . 38
7.13.1 Description . 38
7.13.2 Intent . 39
7.13.3 Examples . 39
7.14 All licenses information from files field . 40
7.14.1 Description . 40
7.14.2 Intent . 40
7.14.3 Examples . 41
7.15 Declared license field . 41
7.15.1 Description . 41
7.15.2 Intent . 42
7.15.3 Examples . 42
7.16 Comments on license field . 43
7.16.1 Description . 43
7.16.2 Intent . 43
7.16.3 Examples . 43
7.17 Copyright text field . 44
7.17.1 Description . 44
7.17.2 Intent . 44
7.17.3 Examples . 44
7.18 Package summary description field . 45
7.18.1 Description . 45
7.18.2 Intent . 45
7.18.3 Examples . 45
7.19 Package detailed description field . 45
7.19.1 Description . 45
7.19.2 Intent . 46
7.19.3 Examples . 46
7.20 Package comment field . 46
7.20.1 Description . 46
7.20.2 Intent . 47
7.20.3 Examples . 47
7.21 External reference field . 47
7.21.1 Description . 47
7.21.2 Intent . 48
7.21.3 Examples . 48
7.22 External reference comment field . 49
7.22.1 Description . 49
7.22.2 Intent . 49
7.22.3 Examples . 50
7.23 Package attribution text field . 50
7.23.1 Description . 50
7.23.2 Intent . 51
7.23.3 Examples . 51
8 File information section . 51
8.1 File name field . 51
8.1.1 Description . 51
8.1.2 Intent . 52
8.1.3 Examples . 52
8.2 File SPDX identifier field . 52
8.2.1 Description . 52
8.2.2 Intent . 52
8.2.3 Examples . 52
8.3 File type field . 53
8.3.1 Description . 53
8.3.2 Intent . 54
8.3.3 Examples . 54
8.4 File checksum field . 54
8.4.1 Description . 54
8.4.2 Intent . 55
8.4.3 Examples . 55
8.5 Concluded license field . 56
8.5.1 Description . 56
8.5.2 Intent . 56
8.5.3 Examples . 56
8.6 License information in file field . 57
8.6.1 Description . 57
8.6.2 Intent . 58
8.6.3 Examples . 58
8.7 Comments on license field . 58
8.7.1 Description . 58
8.7.2 Intent . 59
8.7.3 Examples . 59
8.8 Copyright text field . 59
8.8.1 Description . 59
8.8.2 Intent . 60
8.8.3 Examples . 60
8.9 Artifact of project name field (deprecated) . 60
8.9.1 Description . 60
8.9.2 Intent . 61
8.9.3 Examples . 61
8.10 Artifact of project homepage field (deprecated) . 61
8.10.1 Description . 61
8.10.2 Intent . 61
8.10.3 Examples . 61
8.11 Artifact of project uniform resource identifier field (deprecated) . 62
8.11.1 Description . 62
8.11.2 Intent . 62
8.11.3 Examples . 62
8.12 File comment field . 63
8.12.1 Description . 63
8.12.2 Intent . 63
8.12.3 Examples . 63
8.13 File notice field . 63
8.13.1 Description . 63
8.13.2 Intent . 64
8.13.3 Examples . 64
8.14 File contributor field . 64
8.14.1 Description . 64
8.14.2 Intent . 64
8.14.3 Examples . 65
8.15 File attribution text field . 65
8.15.1 Description . 65
8.15.2 Intent . 65
8.15.3 Examples . 66
8.16 File dependencies field (deprecated) . 66
8.16.1 Description . 66
8.16.2 Intent . 66
8.16.3 Examples . 67
9 Snippet information section . 67
9.1 Snippet SPDX identifier field . 67
9.1.1 Description . 67
9.1.2 Intent . 68
9.1.3 Examples . 68
9.2 Snippet from file SPDX identifier field . 68
9.2.1 Description . 68
9.2.2 Intent . 69
9.2.3 Examples . 69
9.3 Snippet byte range field . 70
9.3.1 Description . 70
9.3.2 Intent . 70
9.3.3 Examples . 70
9.4 Snippet line range field . 71
9.4.1 Description . 71
9.4.2 Intent . 71
9.4.3 Examples . 71
9.5 Snippet concluded license field . 72
9.5.1 Description . 72
9.5.2 Intent . 73
9.5.3 Examples . 73
9.6 License information in snippet field . 74
9.6.1 Description . 74
9.6.2 Intent . 75
9.6.3 Examples . 75
9.7 Snippet comments on license field . 75
9.7.1 Description . 75
9.7.2 Intent . 75
9.7.3 Examples . 75
9.8 Snippet copyright text field . 76
9.8.1 Description . 76
9.8.2 Intent . 76
9.8.3 Examples . 76
9.9 Snippet comment field . 77
9.9.1 Description . 77
9.9.2 Intent . 77
9.9.3 Examples . 77
9.10 Snippet name field . 78
9.10.1 Description . 78
9.10.2 Intent . 78
9.10.3 Examples . 78
9.11 Snippet attribution text field . 78
9.11.1 Description . 78
9.11.2 Intent
...
Questions, Comments and Discussion
Ask us and the Technical Secretary will try to provide an answer. You can also start a discussion about the standard here.