Software Package Data Exchange
SPDX is a Linux Foundation standard, also published as an ISO standard, for describing the components, licenses, and provenance of software. It is one of the two dominant SBOM formats, alongside CycloneDX, and is generated by build tooling during the release process. Organizations exchange SPDX documents so consumers can audit what is inside the software they run.