SPDX（System Package Data Exchange）格式是一种用于描述软件组件（如源代码）的规范，它提供了一种标准化的方法来描述软件组件的元数据，包括其许可证、依赖项和其他属性。SPDX最初由Linux基金会于2010年发起，是一个跨行业的合作项目，旨在促进软件供应链的透明度和合规性。本文将介绍SPDX格式的背景、应用现状及主要内容。

1. 背景

SPDX（System Package Data Exchange）格式的诞生源于对软件许可证的标准化和管理的需求。在开源和共享软件开发环境中，许可证是一个重要的元素，它规定了软件的使用和修改限制。然而，不同的开源项目可能使用不同的许可证，这导致了许可证管理的问题。为了解决这个问题，SPDX 格式应运而生，它提供了一种标准化的方法来描述软件许可证以及其他元数据，如版本控制信息、依赖项等。

2. 应用现状

SPDX格式在开源和共享软件开发环境中得到了广泛的应用。许多开源项目使用SPDX格式来描述其软件组件的许可证和其他元数据。SPDX格式还被用于自动化工具中，如代码审查工具、许可证管理工具和版本控制工具，这些工具可以自动解析SPDX描述文档，从而提高了工作效率和准确性。

SPDX规范被公认为安全性、许可证合规性和其他软件供应链工件的国际开放标准，如ISO/IEC 5962:2021。

SPDX格式还被应用于教育领域。一些教育机构和开源组织将SPDX格式用于教育目的，为学生提供关于软件许可证管理和软件组件元数据的知识。通过使用SPDX格式，学生可以更好地理解开源软件的世界，并学会如何使用标准化的方法来描述和管理软件组件。

3. 版本发展历史

• 2023/05：发布了新的安全、构建、数据和人工智能配置文件的 SPDX 3.0-rc1。
• 2022/08：发布SPDX 2.3，以提高与其他格式的互操作性。
• 2015/05：SPDX 2.0 规范增加了处理多个包、包和文件之间的关系以及注释的能力。
• 2013/10：SPDX 1.2 规范–改进了与许可证列表的交互，增加了用于记录项目信息的字段。
• 2011/08：SPDX 1.0 规范处理封装。
• 2010/02：规范起草工作开始于Linux基金会下属的 FOSSBazaar 工作组，该工作组后来被称为“SPDX”，最初被称为Package Facts。

4. 主要内容

在SPDX格式中，每个元素都有其特定的标签和结构，以便于自动解析和解析。此外，SPDX格式还提供了一种标准化的方法来组织这些元素，使其易于理解和使用。

SPDX格式的主要内容包括许可证、版本控制、依赖项和其他元数据：

• 软件包信息：记录软件包的基本信息，如名称、版本号、描述等。
• 许可证信息：详细描述软件包使用的许可证类型及相关要求。这有助于组织遵守不同许可证的规定，确保合规性。
• 文件级别信息：列出软件包中每个文件的信息，包括文件名、路径、大小等。这有助于识别和跟踪软件组件，管理依赖关系。
• 依赖关系：记录软件包与其他软件包之间的依赖关系，包括版本要求、兼容性等。这有助于评估软件包的稳定性和安全性。
• 补丁信息：记录软件包中的补丁信息，包括修复的漏洞、安全更新等。这有助于了解软件包的安全状况。
• 元数据：包括创建SPDX文档的时间、作者信息等元数据，有助于跟踪和管理SPDX文档的来源和历史。
• 其他元数据：SPDX格式还包含其他元数据，如许可协议、版权声明、技术规范和文档链接等。

SPDX JSON 格式完整样例：

{
  "SPDXID" : "SPDXRef-DOCUMENT",
  "spdxVersion" : "SPDX-2.3",
  "creationInfo" : {
    "comment" : "This package has been shipped in source and binary form.\nThe binaries were created with gcc 4.5.1 and expect to link to\ncompatible system run time libraries.",
    "created" : "2010-01-29T18:30:22Z",
    "creators" : [ "Tool: LicenseFind-1.0", "Organization: ExampleCodeInspect ()", "Person: Jane Doe ()" ],
    "licenseListVersion" : "3.17"
  },
  "name" : "SPDX-Tools-v2.0",
  "dataLicense" : "CC0-1.0",
  "comment" : "This document was created using SPDX 2.0 using licenses from the web site.",
  "externalDocumentRefs" : [ {
    "externalDocumentId" : "DocumentRef-spdx-tool-1.2",
    "checksum" : {
      "algorithm" : "SHA1",
      "checksumValue" : "d6a770ba38583ed4bb4525bd96e50461655d2759"
    },
    "spdxDocument" : "http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301"
  } ],
  "hasExtractedLicensingInfos" : [ {
    "licenseId" : "LicenseRef-1",
    "extractedText" : "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n *    notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n *    notice, this list of conditions and the following disclaimer in the\n *    documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n *    derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/"
  }, {
    "licenseId" : "LicenseRef-2",
    "extractedText" : "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n© Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
  }, {
    "licenseId" : "LicenseRef-4",
    "extractedText" : "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n *    notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n *    notice, this list of conditions and the following disclaimer in the\n *    documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n *    derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/"
  }, {
    "licenseId" : "LicenseRef-Beerware-4.2",
    "comment" : "The beerware license has a couple of other standard variants.",
    "extractedText" : "\"THE BEER-WARE LICENSE\" (Revision 42):\nphk@FreeBSD.ORG wrote this file. As long as you retain this notice you\ncan do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp",
    "name" : "Beer-Ware License (Version 42)",
    "seeAlsos" : [ "http://people.freebsd.org/~phk/" ]
  }, {
    "licenseId" : "LicenseRef-3",
    "comment" : "This is tye CyperNeko License",
    "extractedText" : "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark.  All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n   notice, this list of conditions and the following disclaimer. \n\n2. Redistributions in binary form must reproduce the above copyright\n   notice, this list of conditions and the following disclaimer in\n   the documentation and/or other materials provided with the\n   distribution.\n\n3. The end-user documentation included with the redistribution,\n   if any, must include the following acknowledgment:  \n     \"This product includes software developed by Andy Clark.\"\n   Alternately, this acknowledgment may appear in the software itself,\n   if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n   or promote products derived from this software without prior \n   written permission. For written permission, please contact \n   andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n   nor may \"CyberNeko\" appear in their name, without prior written\n   permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.",
    "name" : "CyberNeko License",
    "seeAlsos" : [ "http://people.apache.org/~andyc/neko/LICENSE", "http://justasample.url.com" ]
  } ],
  "annotations" : [ {
    "annotationDate" : "2010-01-29T18:30:22Z",
    "annotationType" : "OTHER",
    "annotator" : "Person: Jane Doe ()",
    "comment" : "Document level annotation"
  }, {
    "annotationDate" : "2010-02-10T00:00:00Z",
    "annotationType" : "REVIEW",
    "annotator" : "Person: Joe Reviewer",
    "comment" : "This is just an example.  Some of the non-standard licenses look like they are actually BSD 3 clause licenses"
  }, {
    "annotationDate" : "2011-03-13T00:00:00Z",
    "annotationType" : "REVIEW",
    "annotator" : "Person: Suzanne Reviewer",
    "comment" : "Another example reviewer."
  } ],
  "documentDescribes" : [ "SPDXRef-File", "SPDXRef-Package" ],
  "documentNamespace" : "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301",
  "packages" : [ {
    "SPDXID" : "SPDXRef-Package",
    "annotations" : [ {
      "annotationDate" : "2011-01-29T18:30:22Z",
      "annotationType" : "OTHER",
      "annotator" : "Person: Package Commenter",
      "comment" : "Package level annotation"
    } ],
    "attributionTexts" : [ "The GNU C Library is free software.  See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed.  License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." ],
    "builtDate" : "2011-01-29T18:30:22Z",
    "checksums" : [ {
      "algorithm" : "MD5",
      "checksumValue" : "624c1abb3664f4b35547e7c73864ad24"
    }, {
      "algorithm" : "SHA1",
      "checksumValue" : "85ed0817af83a24ad8da68c2b5094de69833983c"
    }, {
      "algorithm" : "SHA256",
      "checksumValue" : "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd"
    }, {
      "algorithm" : "BLAKE2b-384",
      "checksumValue" : "aaabd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706"
    } ],
    "copyrightText" : "Copyright 2008-2010 John Smith",
    "description" : "The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems.",
    "downloadLocation" : "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz",
    "externalRefs" : [ {
      "referenceCategory" : "SECURITY",
      "referenceLocator" : "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*",
      "referenceType" : "cpe23Type"
    }, {
      "comment" : "This is the external ref for Acme",
      "referenceCategory" : "OTHER",
      "referenceLocator" : "acmecorp/acmenator/4.1.3-alpha",
      "referenceType" : "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge"
    } ],
    "filesAnalyzed" : true,
    "homepage" : "http://ftp.gnu.org/gnu/glibc",
    "licenseComments" : "The license for this project changed with the release of version x.y.  The version of the project included here post-dates the license change.",
    "licenseConcluded" : "(LGPL-2.0-only OR LicenseRef-3)",
    "licenseDeclared" : "(LGPL-2.0-only AND LicenseRef-3)",
    "licenseInfoFromFiles" : [ "GPL-2.0-only", "LicenseRef-2", "LicenseRef-1" ],
    "name" : "glibc",
    "originator" : "Organization: ExampleCodeInspect (contact@example.com)",
    "packageFileName" : "glibc-2.11.1.tar.gz",
    "packageVerificationCode" : {
      "packageVerificationCodeExcludedFiles" : [ "./package.spdx" ],
      "packageVerificationCodeValue" : "d6a770ba38583ed4bb4525bd96e50461655d2758"
    },
    "primaryPackagePurpose" : "SOURCE",
    "hasFiles" : [ "SPDXRef-Specification", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-DoapSource", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-DoapSource" ],
    "releaseDate" : "2012-01-29T18:30:22Z",
    "sourceInfo" : "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.",
    "summary" : "GNU C library.",
    "supplier" : "Person: Jane Doe (jane.doe@example.com)",
    "validUntilDate" : "2014-01-29T18:30:22Z",
    "versionInfo" : "2.11.1"
  }, {
    "SPDXID" : "SPDXRef-fromDoap-1",
    "copyrightText" : "NOASSERTION",
    "downloadLocation" : "NOASSERTION",
    "filesAnalyzed" : false,
    "homepage" : "http://commons.apache.org/proper/commons-lang/",
    "licenseConcluded" : "NOASSERTION",
    "licenseDeclared" : "NOASSERTION",
    "name" : "Apache Commons Lang"
  }, {
    "SPDXID" : "SPDXRef-fromDoap-0",
    "downloadLocation" : "https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz",
    "externalRefs" : [ {
      "referenceCategory" : "PACKAGE-MANAGER",
      "referenceLocator" : "pkg:maven/org.apache.jena/apache-jena@3.12.0",
      "referenceType" : "purl"
    } ],
    "filesAnalyzed" : false,
    "homepage" : "http://www.openjena.org/",
    "name" : "Jena",
    "versionInfo" : "3.12.0"
  }, {
    "SPDXID" : "SPDXRef-Saxon",
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "85ed0817af83a24ad8da68c2b5094de69833983c"
    } ],
    "copyrightText" : "Copyright Saxonica Ltd",
    "description" : "The Saxon package is a collection of tools for processing XML documents.",
    "downloadLocation" : "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download",
    "filesAnalyzed" : false,
    "homepage" : "http://saxon.sourceforge.net/",
    "licenseComments" : "Other versions available for a commercial license",
    "licenseConcluded" : "MPL-1.0",
    "licenseDeclared" : "MPL-1.0",
    "name" : "Saxon",
    "packageFileName" : "saxonB-8.8.zip",
    "versionInfo" : "8.8"
  } ],
  "files" : [ {
    "SPDXID" : "SPDXRef-DoapSource",
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"
    } ],
    "copyrightText" : "Copyright 2010, 2011 Source Auditor Inc.",
    "fileContributors" : [ "Protecode Inc.", "SPDX Technical Team Members", "Open Logic Inc.", "Source Auditor Inc.", "Black Duck Software In.c" ],
    "fileName" : "./src/org/spdx/parser/DOAPProject.java",
    "fileTypes" : [ "SOURCE" ],
    "licenseConcluded" : "Apache-2.0",
    "licenseInfoInFiles" : [ "Apache-2.0" ]
  }, {
    "SPDXID" : "SPDXRef-CommonsLangSrc",
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "c2b4e1c67a2d28fced849ee1bb76e7391b93f125"
    } ],
    "comment" : "This file is used by Jena",
    "copyrightText" : "Copyright 2001-2011 The Apache Software Foundation",
    "fileContributors" : [ "Apache Software Foundation" ],
    "fileName" : "./lib-source/commons-lang3-3.1-sources.jar",
    "fileTypes" : [ "ARCHIVE" ],
    "licenseConcluded" : "Apache-2.0",
    "licenseInfoInFiles" : [ "Apache-2.0" ],
    "noticeText" : "Apache Commons Lang\nCopyright 2001-2011 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\nThis product includes software from the Spring Framework,\nunder the Apache License 2.0 (see: StringUtils.containsWhitespace())"
  }, {
    "SPDXID" : "SPDXRef-JenaLib",
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "3ab4e1c67a2d28fced849ee1bb76e7391b93f125"
    } ],
    "comment" : "This file belongs to Jena",
    "copyrightText" : "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP",
    "fileContributors" : [ "Apache Software Foundation", "Hewlett Packard Inc." ],
    "fileName" : "./lib-source/jena-2.6.3-sources.jar",
    "fileTypes" : [ "ARCHIVE" ],
    "licenseComments" : "This license is used by Jena",
    "licenseConcluded" : "LicenseRef-1",
    "licenseInfoInFiles" : [ "LicenseRef-1" ]
  }, {
    "SPDXID" : "SPDXRef-Specification",
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "fff4e1c67a2d28fced849ee1bb76e7391b93f125"
    } ],
    "comment" : "Specification Documentation",
    "fileName" : "./docs/myspec.pdf",
    "fileTypes" : [ "DOCUMENTATION" ]
  }, {
    "SPDXID" : "SPDXRef-File",
    "annotations" : [ {
      "annotationDate" : "2011-01-29T18:30:22Z",
      "annotationType" : "OTHER",
      "annotator" : "Person: File Commenter",
      "comment" : "File level annotation"
    } ],
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "d6a770ba38583ed4bb4525bd96e50461655d2758"
    }, {
      "algorithm" : "MD5",
      "checksumValue" : "624c1abb3664f4b35547e7c73864ad24"
    } ],
    "comment" : "The concluded license was taken from the package level that the file was included in.\nThis information was found in the COPYING.txt file in the xyz directory.",
    "copyrightText" : "Copyright 2008-2010 John Smith",
    "fileContributors" : [ "The Regents of the University of California", "Modified by Paul Mundt lethal@linux-sh.org", "IBM Corporation" ],
    "fileName" : "./package/foo.c",
    "fileTypes" : [ "SOURCE" ],
    "licenseComments" : "The concluded license was taken from the package level that the file was included in.",
    "licenseConcluded" : "(LGPL-2.0-only OR LicenseRef-2)",
    "licenseInfoInFiles" : [ "GPL-2.0-only", "LicenseRef-2" ],
    "noticeText" : "Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: \nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE."
  } ],
  "snippets" : [ {
    "SPDXID" : "SPDXRef-Snippet",
    "comment" : "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0.",
    "copyrightText" : "Copyright 2008-2010 John Smith",
    "licenseComments" : "The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz.",
    "licenseConcluded" : "GPL-2.0-only",
    "licenseInfoInSnippets" : [ "GPL-2.0-only" ],
    "name" : "from linux kernel",
    "ranges" : [ {
      "endPointer" : {
        "offset" : 420,
        "reference" : "SPDXRef-DoapSource"
      },
      "startPointer" : {
        "offset" : 310,
        "reference" : "SPDXRef-DoapSource"
      }
    }, {
      "endPointer" : {
        "lineNumber" : 23,
        "reference" : "SPDXRef-DoapSource"
      },
      "startPointer" : {
        "lineNumber" : 5,
        "reference" : "SPDXRef-DoapSource"
      }
    } ],
    "snippetFromFile" : "SPDXRef-DoapSource"
  } ],
  "relationships" : [ {
    "spdxElementId" : "SPDXRef-DOCUMENT",
    "relationshipType" : "CONTAINS",
    "relatedSpdxElement" : "SPDXRef-Package"
  }, {
    "spdxElementId" : "SPDXRef-DOCUMENT",
    "relationshipType" : "COPY_OF",
    "relatedSpdxElement" : "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement"
  }, {
    "spdxElementId" : "SPDXRef-Package",
    "relationshipType" : "DYNAMIC_LINK",
    "relatedSpdxElement" : "SPDXRef-Saxon"
  }, {
    "spdxElementId" : "SPDXRef-CommonsLangSrc",
    "relationshipType" : "GENERATED_FROM",
    "relatedSpdxElement" : "NOASSERTION"
  }, {
    "spdxElementId" : "SPDXRef-JenaLib",
    "relationshipType" : "CONTAINS",
    "relatedSpdxElement" : "SPDXRef-Package"
  }, {
    "spdxElementId" : "SPDXRef-Specification",
    "relationshipType" : "SPECIFICATION_FOR",
    "relatedSpdxElement" : "SPDXRef-fromDoap-0"
  }, {
    "spdxElementId" : "SPDXRef-File",
    "relationshipType" : "GENERATED_FROM",
    "relatedSpdxElement" : "SPDXRef-fromDoap-0"
  } ]
}

若想了解更多 SPDX 格式的规范细节，可参阅官方最新文档 The System Package Data Exchange® (SPDX®) Specification Version 3.0.pdf (访问密码: 6277)。

5. 辅助工具

SPDX 官方提供了一些辅助工具，包含在线工具、开源工具及商用工具，可以提供 SPDX 格式文档的校验、转换、对比、生成及解析等功能。

6. 总结

SPDX格式是一种用于描述软件组件的规范，提供了一种标准化的方法来描述软件组件的元数据，包括其许可证、依赖项和其他属性。随着开源和共享软件开发环境的普及，SPDX格式得到了广泛的应用。

通过SPDX格式，组织可以更好地了解和管理软件供应链，降低合规风险，提高软件质量，加强安全性。SPDX作为一个开放的标准格式，为软件行业的合作和创新提供了重要的基础。

7. 参考

[1] https://spdx.dev/
[2] SPDXJSONExample-v2.3.spdx.json
[3] https://spdx.dev/use/specifications/

---

推荐阅读：

• 「 网络安全常用术语解读 」漏洞利用交换VEX详解
• 「 网络安全常用术语解读 」软件成分分析SCA详解：从发展背景到技术原理再到业界常用检测工具推荐
• 「 网络安全常用术语解读 」什么是0day、1day、nday漏洞
• 「 网络安全常用术语解读 」软件物料清单SBOM详解
• 「 网络安全常用术语解读 」杀链Kill Chain详解
• 「 网络安全术语解读 」点击劫持Clickjacking详解
• 「 网络安全术语解读 」悬空标记注入详解
• 「 网络安全术语解读 」内容安全策略CSP详解
• 「 网络安全常用术语解读 」同源策略SOP详解
• 「 网络安全术语解读 」静态分析结果交换格式SARIF详解
• 「 网络安全常用术语解读 」安全自动化协议SCAP详解
• 「 网络安全术语解读 」通用平台枚举CPE详解
• 「 网络安全常用术语解读 」通用缺陷枚举CWE详解
• 「 网络安全常用术语解读 」通用漏洞披露CVE详解
• 「 网络安全常用术语解读 」通用漏洞评分系统CVSS详解
• 「 网络安全常用术语解读 」漏洞利用交换VEX详解
• 「 网络安全常用术语解读 」软件成分分析SCA详解：从发展背景到技术原理再到业界常用检测工具推荐
• 「 网络安全术语解读 」通用攻击模式枚举和分类CAPEC详解
• 「 网络安全常用术语解读 」网络攻击者的战术、技术和常识知识库ATT&CK详解