Specifications

• SPDX 2.2 (verified against SPDX 2.2.1)

• SPDX 2.3

File Formats

• Tag:Value

• JSON

Required Elements

Document creation information

• SPDXVersion: mandatory in SPDX

• DataLicense: mandatory in SPDX

• SPDXID: mandatory in SPDX

• DocumentName: mandatory in SPDX

• DocumentNamespace: mandatory in SPDX

• Creator: mandatory in SPDX (See SBOM Build Information below)

• Created: mandatory in SPDX

• CreatorComment: to be able to put SBOM Build information (See below)

SBOM Build Information

• The Creator field must contain an Organization value

• The Creator field must contain a Tool name and its version

• The CreatorComment field must contain SBOMType information as defined by CISA

Package information

• PackageName: mandatory in SPDX

• SPDXID: mandatory in SPDX

• PackageVersion: needed by “NTIA SBOM Minimum elements”

• PackageSupplier: needed by “NTIA SBOM Minimum elements”

• PackageDownloadLocation: mandatory in SPDX

• FilesAnalyzed

• PackageChecksum: recommended by “NTIA SBOM Minimum elements”

• PackageLicenseConcluded: mandatory in SPDX

• PackageLicenseDeclared: mandatory in SPDX

• PackageCopyrightText: mandatory in SPDX

• ExternalRef: to be able to put the Package URL

Scope information

• Must include all open-source components including transitive components

• Should include all commercial components

• Must include all "known unknown" components

Relationships Information

• Relationships: at DESCRIBES and CONTAINS, needed by “NTIA SBOM Minimum elements”

‍Timining of SBOM Delivery

• The SBOM SHALL be delivered no later than at the time of the delivery of the software (in either binary or source form).

Method of SBOM delivery

• Embed in the software package (if feasible) OR

• Web-hosted version available to copy and store for at least 18-months (if not feasible)

SBOM Verification

• Recommended to include a digital signature of the SBOM in order to ensure integrity of the SBOM

SBOM Merger

• A conformant SBOM can be built using sever SBOM files using SPDX relationships