SPDX Lite (Normative)
Explanation of the Lite profile
The Lite profile is designed to make it quick and easy to start a Software Bill of Materials in situations where a company may have limited capacity for introducing new items into their processes. The Lite profile captures the minimum set of information required for license compliance in the software supply chain. It contains information about the creation of the SBOM, package lists with licensing and other related information, and their relationships.
All elements in Lite profile are essential for complying with licenses. It is easy to use a SPDX document with the Lite profile for anyone who does not have enough knowledge about licensing information and easy to import license information from former versions of SPDX Lite format files. The Lite profile offers the flexibility to be used either alone or in combination with other SPDX profiles as a SPDX document in the software supply chain.
Mandatory and recommended properties
The Lite profile specifies that some properties MUST be present and some others SHOULD be present, as much as possible.
The following lists collect and present this information for every class present in the SPDX data, in a concise and easy-to-follow format. The lists of properties are in alphabetical order, for easy reference.
/Core/SpdxDocument
- Mandatory
- creationInfo
- element (may be multiple), MUST have at least one /Core/Sbom object
- rootElement (may be multiple), SHOULD be objects of type /Core/Sbom
- spdxId
- Recommended
- comment
- dataLicense
- name
- namespaceMap (may be multiple)
- verifiedUsing (may be multiple), SHOULD be objects of type /Core/Hash
/Software/Sbom
- Mandatory
- creationInfo
- element (may be multiple), MUST have at least one /Software/Package object
- rootElement (may be multiple), SHOULD be objects of type /Software/Package
- spdxId
- Recommended
- sbomType (may be multiple)
/Software/Package
- Mandatory
- copyrightText
- creationInfo
- name
- packageVersion
- spdxId
- suppliedBy, SHOULD be an object of type /Core/Agent
- Recommended
- attributionText (may be multiple)
- builtTime
- comment
- downloadLocation
- homepage
- originatedBy (may be multiple), SHOULD be objects of type /Core/Agent
- packageUrl
- releaseTime
- supportLevel (may be multiple)
- validUntilTime
- verifiedUsing (may be multiple), SHOULD be objects of type /Core/Hash
However, there MUST be at least a “downloadLocation” or “packageUrl” property.
Additionally:
- for every /Software/Package object MUST exist exactly one /Core/Relationship object of type
hasConcludedLicense
having that element as itsfrom
property and an /SimpleLicensing/AnyLicenseInfo as itsto
property. - for every /Software/Package object MUST exist exactly one /Core/Relationship object of type
hasDeclaredLicense
having that element as itsfrom
property and /SimpleLicensing/AnyLicenseInfo object as itsto
property.
/Core/Hash
- Mandatory
- algorithm
- hashValue
- Recommended
- comment
/SimpleLicensing/LicenseExpression
- Mandatory
- creationInfo
- licenseExpression
- spdxId
- Recommended
- licenseListVersion
/SimpleLicensing/SimpleLicensingText
- Mandatory
- creationInfo
- licenseText
- spdxId
- Recommended
- comment
/Core/Agent (createdBy, suppliedBy, originatedBy)
- Mandatory
- creationInfo, SHOULD be “BlankNode”
- name
- spdxId
- Recommended
- externalIdentifier (may be multiple)
/Core/CreationInfo
- Mandatory
- created
- createdBy (may be multiple), SHOULD be objects of type /Core/Agent
- specVersion, MUST be a fixed string, “3.0.*” - where * is any supported patch version of the SPDX specification
- Recommended
- comment
/Core/ExternalIdentifier
- Mandatory
- externalIdentifierType
- identifier
/Core/NameSpaceMap
- Mandatory
- namespace
- prefix
/Core/Relationship
- Mandatory
- creationInfo
- from
- relationshipType
- spdxId
- to (may be multiple)