SPDX Tools Python Library

0.8.5 · active · verified Fri Apr 10

The `spdx-tools` library is a Python implementation providing parsers, converters, validators, and handlers for SPDX (Software Package Data Exchange) documents. It supports SPDX specification versions 2.2 and 2.3, with experimental, write-only support for the upcoming SPDX v3.0 specification. Maintained by a community of SPDX adopters, it helps users with security, compliance, and understanding software supply chain dependencies. The current version is 0.8.5, with an active development pace that includes significant refactoring in recent major releases.

Warnings

breaking Version 0.8.x introduced significant breaking changes in the API due to a major refactoring in preparation for SPDX v3.0.
Fix: Refer to the official migration guide if upgrading from versions prior to 0.8.0 to adapt existing code.
gotcha Support for SPDX v3.0 is experimental, not yet complete or stable, and not recommended for production use.
Fix: Limit use of SPDX v3.0 features to testing and evaluation. Note that v0.8 only supports writing, not reading SPDX 3.0 documents.
breaking Python 3.7, 3.8, and 3.9 are no longer supported.
Fix: Ensure your environment uses Python 3.10 or newer. The library's `requires_python` specifies `>=3.10`.
gotcha Full support for SPDX license expressions remains a long-standing open issue and may not cover all complex scenarios.
Fix: Be aware of potential limitations when parsing or generating complex license expressions. Monitor the project's GitHub issues for updates.
gotcha Full RDF support for SPDX v2.3 was deliberately postponed in favor of future-proofing, meaning certain v2.3 RDF features might not be fully implemented.
Fix: If working extensively with SPDX v2.3 RDF, verify that all necessary features are supported or consider alternative serialization formats like JSON or Tag/Value where possible.

Install

pip install spdx-tools Install stable version

Imports

parse_file
```
from spdx_tools.spdx.parser.parse_anything import parse_file
```
Main entry point for parsing various SPDX formats from a file path or file-like object.
validate_full_spdx_document
```
from spdx_tools.spdx.validation.document_validator import validate_full_spdx_document
```
Function to validate a Document object against SPDX specifications.
Document
```
from spdx_tools.spdx.model import Document
```
Core model class representing an SPDX document.
bump_spdx_document
```
from spdx_tools.spdx3.bump_from_spdx2.spdx_document import bump_spdx_document
```
Function for experimental conversion of SPDX v2 documents to v3 payloads (write-only in v0.8).

Quickstart

This quickstart demonstrates how to parse a simple SPDX Tag/Value document from a string using a temporary file. The `parse_file` function is the primary entry point for parsing, capable of handling various SPDX formats.

import io
import os
import tempfile
from spdx_tools.spdx.parser.parse_anything import parse_file
from spdx_tools.spdx.model import Document

# Example SPDX Tag/Value content
spdx_content = """SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-software-bill-of-materials
DocumentNamespace: http://spdx.org/spdxdocs/spdx-example-document-1.0
Creator: Tool: spdx-tools-python-0.8.5
Created: 2026-04-10T12:00:00Z
"""

temp_file_name = None
try:
    # Write content to a temporary file for parsing
    with tempfile.NamedTemporaryFile(mode='w+', delete=False, suffix=".spdx") as temp_file:
        temp_file.write(spdx_content)
        temp_file_name = temp_file.name
    
    # Parse the SPDX file
    document: Document = parse_file(temp_file_name)
    
    print(f"Successfully parsed SPDX document.")
    print(f"  Document Name: {document.name}")
    print(f"  SPDX Version: {document.spdx_version}")
    print(f"  Data License: {document.data_license}")
    
except Exception as e:
    print(f"An error occurred during parsing: {e}")
finally:
    # Clean up the temporary file
    if temp_file_name and os.path.exists(temp_file_name):
        os.remove(temp_file_name)

view raw JSON →