Standard · 3.0.1

SPDX 3.0 System Bill of Materials

Maintained by SPDX Project · Linux Foundation

What it helps you do

Use SPDX when you need a system bill of materials spanning software, builds, AI models, datasets, identities, provenance, integrity, licenses, security findings, and relationships.

  • AI / ML
  • Cross-cutting
PlanAcquireHarmonizeExchangeLearn + reuse

01

Where it fits—and where it doesn’t

Use these four checks before committing implementation time.

Use it when
Reproducible and reviewable supply-chain records for an AI release that combines scientific data, preprocessing code, dependencies, models, and licenses.
Do not use it as
Do not treat SPDX as a complete solution on its own. It is a broad BOM model rather than a scientific metadata profile; generated inventories require verification, and license metadata does not authorize use of sensitive human data.
Best for
Teams working with AI / ML and Cross-cutting data across Exchange → Learn + reuse.
Maturity
ScalingUsable today, with adoption or tooling still scaling; pilot the exact stack you plan to run.

02

See it in the workflow

A standard creates value by changing a handoff, not by existing in a catalog.

  1. InputWhat starts

    AI / ML and Cross-cutting data, metadata, and the local decisions around them

  2. SPDXWhat changes

    SPDX applies a shared standard across Exchange → Learn + reuse

  3. OutputWhat becomes possible

    A more consistent, reviewable handoff for the next system or team

Readiness gateBefore scaling: It is a broad BOM model rather than a scientific metadata profile; generated inventories require verification, and license metadata does not authorize use of sensitive human data.

03

A concrete example

A release publishes an SPDX 3.0.1 document linking the dataset, model, source code, build inputs, dependencies, integrity evidence, licenses, and their relationships, then validates the JSON-LD representation.

Why it matters: Makes the data-model-software supply chain inspectable by tools and agents, while scientific validity, consent, bias, and model performance need separate evidence.

04

What it fits with

Complements RO-Crate research context, Croissant dataset loading metadata, and PROV-O or OpenLineage process history.

05

Implementation starter

Start with one bounded handoff. Pin, test, and review it before scaling.

  1. Name an accountable owner and the decision SPDX must support.

  2. Pin the exact version and companion artifacts: 3.0.1.

  3. Map one representative input to the required standard artifacts.

  4. Test the result against the canonical source and record every exception.

  5. Preserve the source data, mappings, and review evidence before scaling.

06

Limitation to test first—and the tests that catch it

Risk

It is a broad BOM model rather than a scientific metadata profile; generated inventories require verification, and license metadata does not authorize use of sensitive human data.

Test

Run one representative end-to-end pilot and record exactly where SPDX loses context, needs an extension, or depends on another standard.

Risk

A structured or machine-readable result can still be unfit for analysis or AI.

Test

Test the output for missing context, provenance, terminology alignment, time leakage, and the intended downstream decision. Makes the data-model-software supply chain inspectable by tools and agents, while scientific validity, consent, bias, and model performance need separate evidence.

07

Why we believe this

Checked against the canonical source plus implementation or adoption evidence reported by the steward or its community.

Evidence notation: E1 + E3. The code is shorthand; the plain-language statement above is the claim.

Formal status
Released specification 3.0.1; dataset and AI scope in v3
Confidence
Medium
Review state
Source-checked · watch
Reviewed by
AI and data supply-chain reviewer
Last verified
13 July 2026
Review again when
SPDX patch, profile, serialization, validation, or ISO-alignment update
How the evidence method works

08

Source shelf

Official diagrams, examples, specifications, and explainers. Nothing external loads until you choose to open it.

  • Primary source3.0.1

    SPDX Specification 3.0.1

    The canonical publisher or steward source used to verify this standard profile.

    Publisher
    SPDX Project · Linux Foundation
    Rights
    Rights remain with the publisher; this knowledge base links to the source rather than copying it.
    Access
    Opens the publisher's source in a new tab; no external media loads on this page.
    Verified
    2026-07-13
    Open at source

Next action

Put this profile in context

Compare its role with adjacent standards or place it inside an end-to-end data pathway before choosing an implementation.