SPDX Tools
Branch: master
Clone or download
goneall Merge pull request #180 from spdx/notifysecurity
Update README with security reporting information
Latest commit 80ad24e Jan 11, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
Examples Read standard licenses in JSON-LD format and remove dependencies on R… Apr 14, 2018
Test Add support for deprecated license exceptions. Also cleans up a lot o… Nov 28, 2018
TestFiles Add test for ODbl license compare Aug 14, 2018
doc Fix #128. Switching to Log4J 2. Switching code to use SLF4J, to elimi… Dec 21, 2017
resources Read standard licenses in JSON-LD format and remove dependencies on R… Apr 14, 2018
src/org/spdx Remove the license template code - moved to the LicenseListPublisher Dec 19, 2018
.gitattributes Ensure font files are tracked as binaries Apr 18, 2016
.gitignore Resolve issue #174, issue #175, update Jena version to 3.9.0 Nov 19, 2018
.mailmap Add a .mailmap file to uniquely identify authors Oct 22, 2015
.travis.yml Adding vulnerability scanner from BD CoPilot Mar 22, 2017
CONTRIBUTING.md Update contributing to include assigment while fixing issues Oct 26, 2017
LICENSE Changing line endings to LF (from CRLF) Sep 29, 2015
LICENSE.spdx Add support for deprecated license exceptions. Also cleans up a lot o… Nov 28, 2018
NOTICE Update NOTICE for new version of Jena and utilize the latest SPDX mav… Nov 20, 2018
README.md Fix issues link Jan 5, 2019
TODO PR #58: Line endings fixes Oct 19, 2015
changelog Fix parsing error when parsing nbsp characters Oct 19, 2016
pom.xml Bump version Nov 29, 2018


Build Status


The Software Package Data Exchange (SPDX) specification is a standard format for communicating the components, licenses and copyrights associated with a software package.

These tools are published by the SPDX Workgroup see http://spdx.org/


See the file CONTRIBUTING.md for information on making contributions to the SPDX tools.


Report any security related issues by sending an email to spdx-tools-security@lists.spdx.org

Non-security related issues should be added to the SPDX tools issues list


The command line interface of the spdx tools can be used like this:

java -jar spdx-tools-jar-with-dependencies.jar <function> <parameters> 

SPDX format converters

The following converter tools are provided by the spdx tools:

  • TagToSpreadsheet
  • TagToRDF
  • RdfToTag
  • RdfToHtml
  • RdfToSpreadsheet
  • SpreadsheetToRDF
  • SpreadsheetToTag

Example to convert a SPDX file from tag to rdf format:

java -jar spdx-tools-jar-with-dependencies.jar TagToRDF Examples/SPDXTagExample.tag TagToRDF.rdf

Compare utilities

  • CompareSpdxDocs

    Example to compare two SPDX files provided in rdf format:

    java -jar spdx-tools-jar-with-dependencies.jar CompareSpdxDocs doc1 doc2 [output]
  • CompareMultipleSpdxDocs

    Example to compare multiple SPDX files provided in rdf format and provide a spreadsheet with the results:

    java -jar spdx-tools-jar-with-dependencies.jar CompareMultipleSpdxDocs output.xls doc1 doc2 ... docN

SPDX Viewer

  • SPDXViewer

Sample usage:

java -jar spdx-tools-jar-with-dependencies.jar SPDXViewer TestFiles/SPDXRdfExample.rdf


  • Verify

Sample usage:

java -jar spdx-tools-jar-with-dependencies.jar Verify TestFiles/SPDXRdfExample.rdf


  • LicenseRDFAGenerator

    java -jar spdx-tools-jar-with-dependencies.jar LicenseRDFAGenerator licenseSpreadsheet.xls outputDirectory [version] [releasedate]
  • GenerateVerificationCode sourceDirectory

    java -jar spdx-tools-jar-with-dependencies.jar GenerateVerificationCode sourceDirectory [ignoredFilesRegex]


See the NOTICE file for licensing information including info from 3rd Party Software

See LICENSE file for full license text

SPDX-License-Identifier:	Apache-2.0
PackageLicenseDeclared:		Apache-2.0



You need Apache Maven to build the project:

mvn clean install

Update tools data formats

To update SPDX tools, the following is a very brief checklist:

  1. Update the SpdxRdfContants with any new or changed RDF properties and classes
  2. Update the Java code representing the RDF model.
  3. Update the properties files in the org.spdx.tag package for any new tag values
  4. Update the org.spdx.tag.CommonCode.java for any new or changed tag values. This will implement both the rdfToTag and the SPDXViewer applications.
  5. Update the org.spdx.tag.BuildDocument to implement changes for the TagToRdf application
  6. Update the HTML template (resources/htmlTemplate/SpdxHTMLTemplate.html) and contexts in org.spdx.html to implement changes for the SpdxToHtml application
  7. Update the related sheets and RdfToSpreadsheet.java file in the package org.spdx.spreadsheet
  8. Update the sheets and SpdxComparer/SpdxFileComparer in the org.spdx.compare package

Upgrading to SPDX 2.0

To the users of the tools as a binary, there should not be any need to upgrade. The tools should be backwards compatible with SPDX 1.0, 1.1, and 1.2.

If, however, you are using this Java code as a library for your own tools read on...

There are a number of changes to the design of the SPDX Parser both due to the extensive changes to the SPEC (e.g. support for multiple SPDX Packages within a document and support for relationships with external SPDX documents) and due to some much needed refactoring.

The starting point remains SPDXDocumentFactory. To ease the migration, the old 1.2 code and model is still available and simply changing your code to call SPDXDcoumentFactory.createLegacySpdxDocument(...) will probably work. You'll notice, however, almost everything your application is using is deprecated. These will be removed once SPDX 2.0 has been released and people have a chance to migrate (likely around Jan 1 2016).

To move over to the new model, simply start with SPDXDocumentFactory and call the createSpdxDocument(...) method to create the new SpdxDocument model code.
The object returned will be similar to the 1.2 version for SPDXDocument, but with a few key differences. All new model objects are in the package org.spdx.rdfparser.mode. The SPDX prefix is either removed or replaced with a more consistent Spdx.

Accessing the model objects is similar to 1.2, simply call the get/set methods. The method names have all been changed to be consistent with the specification property names. As a convenience, many of the old getter method names are still there but deprecated.

The structure has changed with the SpdxPackage being a distinct class from SpdxDocument. There is also a new class org.spdx.rdfparser.SpdxDocumentContainer which separates out the container functionality from the SpdxDocument leaving the SpdxDocument to represent the SpdxDocument properties. There are several new classes which are consistent with the SPDX 2.0 Model. See the JavaDocs and the SPDX 2.0 specification for a description of those classes and properties.

There is one significant class not found in the SPDX 2.0 model - ExternalSpdxElement. This class represents elements not found within the SPDX Document. The only valid property for this element is the ID (all other properties including the type are only known in the external document containing the element). There is a more structured class hierarchy, mostly mirroring the SPDX 2.0 model. As a user of the library, you likely do not need to understand these internals - but if you are interested, start at RdfModelObject and read the JavaDocs.

If you have any problems, and especially if you have any solutions, email the tech working group for SPDX at spdx-tech@lists.spdx.org.