SPDX (Software Package Data Exchange)
What is SPDX (Software Package Data Exchange)?
A Linux Foundation-maintained, ISO/IEC 5962-standardized open format for software bills of materials, originally focused on license metadata and now broadly used for SBOMs.
SPDX (Software Package Data Exchange) is an open BOM standard maintained by the Linux Foundation and ratified as ISO/IEC 5962 in 2021. It originated in 2010 to express software license information unambiguously across the supply chain and has since expanded into a full SBOM format covering components, relationships, file-level hashes, build metadata, security references, and AI/ML models (SPDX 3.0). SPDX 2.x documents are serialized as JSON, YAML, XML, RDF/XML, or the original tag-value form; SPDX 3.0 adds JSON-LD as its canonical serialization. Together with CycloneDX (and SWID tags), SPDX is one of the formats explicitly named in U.S. NTIA and CISA SBOM guidance, and it is the lingua franca of license compliance tooling: FOSSology, `scancode`, and most enterprise SCA platforms read and write it. SPDX 3.0, released in 2024, modularized the spec into profiles (Core, Software, Licensing, Security, Build, AI, Dataset, among others), making it more competitive with CycloneDX for purely security-focused workflows. Two practical caveats: an SPDX document is a claim about an artifact, so it should be signed or bound to the artifact (for example as an in-toto attestation) before anyone acts on it, and a component listed in it is not thereby exploitable; that judgement is what a VEX statement adds.
● Examples
- 01
A Linux distribution publishes per-package SPDX documents containing SHA-256 file hashes and resolved SPDX license identifiers.
- 02
An OSS project's release pipeline emits both SPDX 3.0 and CycloneDX SBOMs so customers can ingest whichever their tooling supports.
● FAQ
What is SPDX (Software Package Data Exchange)?
A Linux Foundation-maintained, ISO/IEC 5962-standardized open format for software bills of materials, originally focused on license metadata and now broadly used for SBOMs. It belongs to the application security category of cybersecurity.
What does SPDX (Software Package Data Exchange) mean?
The name spells out the purpose: a standard way to exchange data about software packages (licenses, provenance, hashes, and the relationships between components) between the parties in a supply chain. It is maintained by the Linux Foundation, standardized as ISO/IEC 5962, and now used as a general SBOM format well beyond its original license-metadata scope.
How does SPDX (Software Package Data Exchange) work?
An SPDX document is a graph of elements, each carrying a unique SPDXID. The document element records creation info (the generating tool or person and a timestamp) and the document's own data license, which is always CC0-1.0. Package elements carry name, version, supplier, download location, checksums, external references such as a purl or CPE, and both a declared and a concluded license written as an SPDX license expression: identifiers from the SPDX License List combined with AND, OR and WITH, plus LicenseRef- identifiers for licenses not on the list, where NOASSERTION and NONE are explicit values rather than gaps. File and snippet elements carry per-file hashes and licenses. Relationships tie the elements together: the document DESCRIBES a root package, which CONTAINS files and DEPENDS_ON other packages (the inverse DEPENDENCY_OF is equally valid, so consumers must handle both directions). A consumer resolves the graph, recomputes hashes against the shipped artifact, keys vulnerability lookups on the external references, and applies license policy to the expressions. SPDX 3.0 keeps the same model but makes relationships first-class elements with from, to and relationshipType fields and splits the vocabulary into profiles.
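The description above and this FAQ entry both reduce SPDX to elements, relationships, hashes and license expressions. The following is an added example (not code from the SPDX project or from this page) that does what a consumer actually does with an SPDX 2.3 JSON document: index it, refuse dangling relationships, find what it DESCRIBES, walk DEPENDS_ON and the inverse DEPENDENCY_OF, recompute a file hash, and apply a license allowlist. The document, the file contents and the namespace are constructed for the example; the field names are the SPDX 2.3 JSON schema's.

```python
"""Walk an SPDX 2.3 JSON SBOM: index elements, resolve relationships, verify file hashes and
check license expressions. Stdlib only. The document below is constructed for this example."""
import hashlib
import json
import re

SAMPLE_FILE_CONTENT = b"#!/bin/sh\necho hello\n"  # constructed file body
SAMPLE_FILE_SHA256 = hashlib.sha256(SAMPLE_FILE_CONTENT).hexdigest()

def _rel(element, kind, related):
    return {"spdxElementId": element, "relationshipType": kind, "relatedSpdxElement": related}

SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-1.4.2",
    "documentNamespace": "https://example.invalid/spdx/example-app-1.4.2",  # assumed namespace
    "creationInfo": {"created": "2024-06-01T00:00:00Z", "creators": ["Tool: example-gen-0.1"]},
    "packages": [
        {"name": "example-app", "SPDXID": "SPDXRef-Package-app", "versionInfo": "1.4.2",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "Apache-2.0", "licenseDeclared": "Apache-2.0"},
        {"name": "libfoo", "SPDXID": "SPDXRef-Package-libfoo", "versionInfo": "2.0.1",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "MIT", "licenseDeclared": "MIT"},
        {"name": "libbar", "SPDXID": "SPDXRef-Package-libbar", "versionInfo": "0.9",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "NOASSERTION", "licenseDeclared": "GPL-3.0-only"},
    ],
    "files": [{"fileName": "./bin/run.sh", "SPDXID": "SPDXRef-File-run",
               "checksums": [{"algorithm": "SHA256", "checksumValue": SAMPLE_FILE_SHA256}]}],
    "relationships": [
        _rel("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-Package-app"),
        _rel("SPDXRef-Package-app", "DEPENDS_ON", "SPDXRef-Package-libfoo"),
        # Inverse form: "libbar DEPENDENCY_OF libfoo" is the other legal way to say libfoo depends on libbar.
        _rel("SPDXRef-Package-libbar", "DEPENDENCY_OF", "SPDXRef-Package-libfoo"),
        _rel("SPDXRef-Package-app", "CONTAINS", "SPDXRef-File-run"),
    ],
})

def load_document(text):
    """Parse SPDX 2.x JSON and reject relationships that point at elements the document lacks."""
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x document: %r" % doc.get("spdxVersion"))
    ids = {doc["SPDXID"]}
    for section in ("packages", "files", "snippets"):
        ids.update(e["SPDXID"] for e in doc.get(section, []))
    for rel in doc.get("relationships", []):
        for end in (rel["spdxElementId"], rel["relatedSpdxElement"]):
            # DocumentRef-* points into an external document; NOASSERTION/NONE are legal targets.
            if not (end in ids or end.startswith("DocumentRef-") or end in ("NOASSERTION", "NONE")):
                raise ValueError("relationship references unknown element " + end)
    return doc

def described_packages(doc):
    """The root(s): whatever the document element DESCRIBES."""
    return sorted(r["relatedSpdxElement"] for r in doc.get("relationships", [])
                  if r["spdxElementId"] == doc["SPDXID"] and r["relationshipType"] == "DESCRIBES")

def transitive_dependencies(doc, root_id):
    """All elements reachable from root_id over DEPENDS_ON, folding in the inverse DEPENDENCY_OF."""
    edges = {}
    for r in doc.get("relationships", []):
        if r["relationshipType"] == "DEPENDS_ON":
            edges.setdefault(r["spdxElementId"], set()).add(r["relatedSpdxElement"])
        elif r["relationshipType"] == "DEPENDENCY_OF":
            edges.setdefault(r["relatedSpdxElement"], set()).add(r["spdxElementId"])
    seen, stack = set(), [root_id]
    while stack:  # iterative DFS; `seen` also stops dependency cycles from looping forever
        for dep in edges.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen

def verify_file_checksums(doc, contents):
    """Recompute each file's strongest listed hash from contents ({fileName: bytes});
    True/False = match/mismatch, None = file absent or no supported algorithm listed."""
    results = {}
    for f in doc.get("files", []):
        data, verdict = contents.get(f["fileName"]), None
        listed = {c["algorithm"]: c["checksumValue"].lower() for c in f.get("checksums", [])}
        for algo in ("SHA512", "SHA256", "SHA1", "MD5"):  # weak ones only when nothing better is listed
            if data is not None and algo in listed:
                verdict = hashlib.new(algo.lower(), data).hexdigest() == listed[algo]
                break
        results[f["fileName"]] = verdict
    return results

def license_violations(doc, allowed):
    """Packages whose concluded license (declared as fallback) uses an identifier outside
    `allowed`. NOASSERTION and NONE are reported too: an unknown license is a gap, not a pass."""
    findings = []
    for pkg in doc.get("packages", []):
        expr = pkg.get("licenseConcluded", "NOASSERTION")
        if expr == "NOASSERTION":
            expr = pkg.get("licenseDeclared", "NOASSERTION")
        # Tokens of an SPDX license expression: license ids, exception ids (after WITH), LicenseRef-*.
        ids = set(re.findall(r"[A-Za-z0-9.+-]+", expr)) - {"AND", "OR", "WITH"}
        if expr in ("NOASSERTION", "NONE") or not ids <= set(allowed):
            findings.append((pkg["name"], expr))
    return findings
```

On the sample, the root is SPDXRef-Package-app, its transitive dependencies are libfoo and libbar (the second only because DEPENDENCY_OF is folded in), the shipped `./bin/run.sh` verifies against its SHA256 entry, and libbar is flagged under an Apache-2.0/MIT allowlist because its only usable license is the declared GPL-3.0-only. Swapping the file body for tampered bytes turns the verdict to False, and a relationship that names an SPDXID the document does not define is rejected at load time rather than silently skipped.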
How is SPDX (Software Package Data Exchange) used defensively?
SPDX is a defensive artifact rather than a threat: it is how a producer tells consumers what is inside a release. Generate the document from the build itself rather than only from after-the-fact scanning, sign it or attach it to the artifact as an attestation so a tampered or swapped SBOM is detectable, feed it to SCA and vulnerability management keyed on the external references (purl, CPE), pair it with VEX statements so listed components are not mistaken for exploitable ones, and enforce license policy on the concluded license expressions. On the consuming side, require SBOMs from suppliers and reject documents whose hashes do not match what was actually delivered.
What are other names for SPDX (Software Package Data Exchange)?
Common aliases: Software Package Data Exchange, ISO/IEC 5962.
● Related terms
- appsec№ 1185
Software Bill of Materials (SBOM)
A formal, machine-readable inventory of the components, libraries and dependencies that make up a piece of software, together with their versions and relationships.
- appsec№ 297
CycloneDX
An OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases.
- appsec№ 1328
VEX (Vulnerability Exploitability eXchange)
A machine-readable companion to the SBOM that tells consumers whether a listed CVE actually affects a given product — distinguishing 'present in the bill of materials' from 'reachable and exploitable'.
- appsec№ 1186
Software Supply Chain Security
The practice of protecting every link in software production, from source code, dependencies, build, signing and distribution through deployment, against tampering, malicious code and loss of integrity.
- ai-security№ 029
AI Bill of Materials (AIBOM)
A machine-readable inventory of everything that makes up an AI system, including datasets, base models, fine-tuning data, libraries, prompts and evaluation artifacts, used for security, compliance and accountability.
- appsec№ 1082
SCA (Software Composition Analysis)
Automated analysis of the open-source and third-party components an application uses, surfacing known vulnerabilities, license issues, and outdated or risky dependencies.