SPDX: Software Package Data Exchange

The Software Package Data Exchange (SPDX) is the primary open standard for Software Bill of Materials (SBOM) formats, developed by the Linux Foundation in 2010. SPDX files include software components, copyrights, licenses, and security references.

The SPDX specification is compatible with the NTIA’s proposed SBOM minimum standard and use cases. SPDX Lite is a condensed version of the SPDX standard that organizations can use to exchange data. SPDX became an official standard, ISO/IEC 5962, in August 2021.

SWID: Software Identification Tagging

The International Organization for Standardization (ISO) began establishing a standard for marking software components with machine-readable IDs before the end of the decade. SWID tags, as they’re now known, are structured metadata embedded in software that transmit information such as the name of the software product, version, developers, relationships, and more.

SWID tags can aid in automating patch management, software integrity validation, vulnerability detection, and permitting or prohibiting software installs, similar to software asset management. ISO/IEC 19770-2 was confirmed in 2012 and modified in 2015.
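The tag contents and the install decision described above, as an added example (not part of the original article and not code from ISO or any SWID tool): it parses a constructed SWID tag and applies a hypothetical allow-list policy. The product, vendor, regid and the `ALLOWED` policy are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of the ISO/IEC 19770-2:2015 SWID tag schema.
NS = {"swid": "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"}

# Constructed sample tag; product, vendor and regid are made up.
SAMPLE_TAG = """
<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    name="Example Editor" tagId="example.test-editor-2.3.1"
    version="2.3.1" versionScheme="multipartnumeric">
  <Entity name="Example Corp" regid="example.test"
          role="tagCreator softwareCreator"/>
  <Link rel="requires" href="swid:example.test-runtime-1.0.0"/>
</SoftwareIdentity>"""

# Hypothetical install policy: allowed creator regid -> minimum version.
ALLOWED = {"example.test": (2, 3, 0)}


def parse_swid(xml_text):
    """Extract product name, version, creators and relationships."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}SoftwareIdentity" % NS["swid"]:
        raise ValueError("not a SWID tag")
    # An Entity may hold several space-separated roles.
    creators = [e.get("regid") for e in root.findall("swid:Entity", NS)
                if "softwareCreator" in e.get("role", "").split()]
    links = [(l.get("rel"), l.get("href"))
             for l in root.findall("swid:Link", NS)]
    return {"name": root.get("name"), "tag_id": root.get("tagId"),
            "version": root.get("version", "0.0"),
            "creators": creators, "links": links}


def install_allowed(tag, policy=ALLOWED):
    """Permit only known creators at or above the minimum version."""
    try:
        version = tuple(int(p) for p in tag["version"].split("."))
    except ValueError:
        return False  # non-numeric version: fail closed
    return any(c in policy and version >= policy[c] for c in tag["creators"])


if __name__ == "__main__":
    tag = parse_swid(SAMPLE_TAG)
    print(tag, install_allowed(tag))
```

For tags that arrive from untrusted sources, a hardened XML parser such as `defusedxml` is the safer choice than the standard-library parser used here.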


CycloneDX

In 2017, the OWASP Foundation released CycloneDX as part of Dependency-Track, an open-source software component analysis tool. CycloneDX is a lightweight standard for multi-industry use, with use cases like vulnerability detection, licensing compliance, and assessing outdated components. CycloneDX 1.4 was launched in January 2022.