Annex G SPDX Lite (Normative)

G.1 Explanation of SPDX Lite

The SPDX Lite profile defines a subset of the SPDX specification, from the point of view of use cases in some industries. SPDX Lite aims at the balance between the SPDX standard and actual workflows in some industries.

The SPDX Lite profile consists of mandatory fields from the Document Creation and Package Information sections and other basic information.

The mandatory part of the Package information in SPDX Lite is basic but useful for complying with licenses. It is easy to understand licensing information by reading an SPDX Lite file. It is easy to create manually an SPDX Lite file by anyone who does not have enough knowledge about licensing information, so that tools are not necessarily required to create an SPDX Lite file.

SPDX Lite has affinity with SPDX tools due to its containing the mandatory part of the Document Creation and Package Information in the SPDX Lite definition.

An SPDX Lite document can be used in parallel with SPDX documents in software supply chains.

G.2 Format of SPDX Lite

The SPDX Lite profile is a subset of the SPDX specification. SPDX Lite consists of mandatory fields of the Document Creation and Package Information sections and other basic information. Cardinality of each item is not changed.

The mandatory part of the SPDX document creation information section (which consists of SPDX Version, Data License, SPDX Identifier, Document Name, SPDX Document Namespace, Creator and Created) is used for keeping compatibility with SPDX tools.

The main part of the Package Information (those are Package Name, Package Version, Package File Name, Package Supplier, Package Download Location, Package Home Page, Concluded License, Declared License, Comments on License and Copyright Text) is used for exchanging license information.

In the Package Information, Package SPDX Identifier and Files Analyzed are used for keeping compatibility with SPDX tools.

Files Analyzed shall be set to "false" when SPDX Lite is used.

Package Comment can be used to describe additional details, such as compiling options, where a license may change with a different compiling option.

External Reference field can be used to express correlated external resources information such as security CPE strings as described in Annex F of SPDX spec.

The Other License information section (License Identifier, Extracted Text, License Name and License Comment) is used for exchanging license information for licenses that are not on the SPDX License List.

G.3 Table of SPDX Lite fields

Table G.1 — SPDX Lite fields

# SPDX subclause Field name
L1.1 6.1 SPDX Version
L1.2 6.2 Data License
L1.3 6.3 SPDX Identifier
L1.4 6.4 Document Name
L1.5 6.5 SPDX Document Namespace
L1.6 6.8 Creator
L1.7 6.9 Created
L2.1 7.1 Package Name
L2.2 7.2 Package SPDX Identifier
L2.3 7.3 Package Version
L2.4 7.4 Package File Name
L2.5 7.5 Package Supplier
L2.6 7.7 Package Download Location
L2.7 7.8 Files Analyzed
L2.8 7.11 Package Home Page
L2.9 7.13 Concluded License
L2.10 7.15 Declared License
L2.11 7.16 Comments on License
L2.12 7.17 Copyright Text
L2.13 7.20 Package Comment
L2.14 7.21 External Reference field
L3.1 10.1 License Identifier
L3.2 10.2 Extracted Text
L3.3 10.3 License Name
L3.4 10.5 License Comment