{"id":2772,"library":"spdx-tools","title":"SPDX Tools Python Library","description":"The `spdx-tools` library is a Python implementation providing parsers, converters, validators, and handlers for SPDX (Software Package Data Exchange) documents. It supports SPDX specification versions 2.2 and 2.3, with experimental, write-only support for the upcoming SPDX v3.0 specification. Maintained by a community of SPDX adopters, it helps users with security, compliance, and understanding software supply chain dependencies. The current version is 0.8.5, with an active development pace that includes significant refactoring in recent major releases.","status":"active","version":"0.8.5","language":"en","source_language":"en","source_url":"https://github.com/spdx/tools-python","tags":["spdx","sbom","software bill of materials","parser","validator","supply chain security"],"install":[{"cmd":"pip install spdx-tools","lang":"bash","label":"Install stable version"}],"dependencies":[{"reason":"For handling YAML format SPDX files.","package":"PyYAML"},{"reason":"For handling XML format SPDX files.","package":"xmltodict"},{"reason":"For handling RDF format SPDX files.","package":"rdflib"},{"reason":"Used for parsing tag-value format SPDX files.","package":"ply"},{"reason":"For creating the command-line interface (CLI).","package":"click"},{"reason":"Used for runtime type checking.","package":"beartype"},{"reason":"For validation of URIs.","package":"uritools"},{"reason":"For parsing and validating SPDX license expressions.","package":"license-expression"}],"imports":[{"note":"Main entry point for parsing. Takes a file path and selects the parser from the file extension (.json, .yaml/.yml, .xml, .rdf/.rdf.xml, .spdx/.tag); it does not accept file-like objects.","symbol":"parse_file","correct":"from spdx_tools.spdx.parser.parse_anything import parse_file"},{"note":"Validates a parsed Document against the SPDX 2.x rules and returns a list of ValidationMessage objects (empty when the document is valid). Parsing alone does not validate.","symbol":"validate_full_spdx_document","correct":"from spdx_tools.spdx.validation.document_validator import validate_full_spdx_document"},{"note":"Core model class representing an SPDX document. Document-level fields (name, spdx_version, data_license, document_namespace, creators) live on `document.creation_info`; packages, files, snippets, relationships and annotations are lists on the Document itself.","symbol":"Document","correct":"from spdx_tools.spdx.model import Document"},{"note":"Function for experimental conversion of SPDX v2 documents to v3 payloads (write-only in v0.8).","symbol":"bump_spdx_document","correct":"from spdx_tools.spdx3.bump_from_spdx2.spdx_document import bump_spdx_document"}],"quickstart":{"code":"import os\nimport tempfile\nfrom spdx_tools.spdx.model import Document\nfrom spdx_tools.spdx.parser.error import SPDXParsingError\nfrom spdx_tools.spdx.parser.parse_anything import parse_file\n\n# Example SPDX Tag/Value content\nspdx_content = \"\"\"SPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\nDocumentName: example-software-bill-of-materials\nDocumentNamespace: http://spdx.org/spdxdocs/spdx-example-document-1.0\nCreator: Tool: spdx-tools-python-0.8.5\nCreated: 2026-04-10T12:00:00Z\n\"\"\"\n\ntemp_file_name = None\ntry:\n    # Write content to a temporary file; parse_file picks the parser from the\n    # extension, so the \".spdx\" suffix routes this through the Tag/Value parser\n    with tempfile.NamedTemporaryFile(mode='w+', delete=False, suffix=\".spdx\") as temp_file:\n        temp_file.write(spdx_content)\n        temp_file_name = temp_file.name\n\n    # Parse the SPDX file\n    document: Document = parse_file(temp_file_name)\n\n    # Document-level fields live on document.creation_info, not on Document itself\n    print(\"Successfully parsed SPDX document.\")\n    print(f\"  Document Name: {document.creation_info.name}\")\n    print(f\"  SPDX Version: {document.creation_info.spdx_version}\")\n    print(f\"  Data License: {document.creation_info.data_license}\")\n\nexcept SPDXParsingError as e:\n    # The parser collects all problems it finds and raises them together\n    print(\"Errors occurred during parsing:\")\n    for message in e.get_messages():\n        print(f\"  {message}\")\nfinally:\n    # Clean up the temporary file\n    if temp_file_name and os.path.exists(temp_file_name):\n        os.remove(temp_file_name)\n","lang":"python","description":"This quickstart demonstrates how to parse a simple SPDX Tag/Value document from a string using a temporary file. The `parse_file` function is the primary entry point for parsing; it selects the parser from the file extension, which is why the temporary file is given a `.spdx` suffix. Note that parsing only builds the model; it does not check the document against the SPDX rules, which is the job of `validate_full_spdx_document`."},"warnings":[{"fix":"Refer to the official migration guide if upgrading from versions prior to 0.8.0 to adapt existing code.","message":"Version 0.8.x introduced significant breaking changes in the API due to a major refactoring in preparation for SPDX v3.0.","severity":"breaking","affected_versions":">=0.8.0"},{"fix":"Limit use of SPDX v3.0 features to testing and evaluation. Note that v0.8 only supports writing, not reading, SPDX 3.0 documents.","message":"Support for SPDX v3.0 is experimental, not yet complete or stable, and not recommended for production use.","severity":"gotcha","affected_versions":">=0.8.0"},{"fix":"Ensure your environment uses Python 3.10 or newer. The library's `requires_python` specifies `>=3.10`.","message":"Python 3.7, 3.8, and 3.9 are no longer supported.","severity":"breaking","affected_versions":">=0.8.4 (for 3.8, 3.9), >=0.8.1 (for 3.7)"},{"fix":"Be aware of potential limitations when parsing or generating complex license expressions. Monitor the project's GitHub issues for updates.","message":"Full support for SPDX license expressions remains a long-standing open issue and may not cover all complex scenarios.","severity":"gotcha","affected_versions":"All versions"},{"fix":"If working extensively with SPDX v2.3 RDF, verify that all necessary features are supported or consider alternative serialization formats like JSON or Tag/Value where possible.","message":"Full RDF support for SPDX v2.3 was deliberately postponed in favor of future-proofing, meaning certain v2.3 RDF features might not be fully implemented.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-10T00:00:00.000Z","next_check":"2026-07-09T00:00:00.000Z"}