Description
# Python library to parse, validate and create SPDX documents

CI status (Linux, macOS and Windows): [![Install and Test][1]][2]

[1]: https://github.com/spdx/tools-python/actions/workflows/install_and_test.yml/badge.svg
[2]: https://github.com/spdx/tools-python/actions/workflows/install_and_test.yml

## Breaking changes v0.7 -> v0.8

Please be aware that the upcoming 0.8 release has undergone a significant refactoring in preparation for the upcoming SPDX v3.0 release, leading to breaking changes in the API. Please refer to the [migration guide](https://github.com/spdx/tools-python/wiki/How-to-migrate-from-0.7-to-0.8) to update your existing code.

The main features of v0.8 are:

- full validation of SPDX documents against the v2.2 and v2.3 specification
- support for SPDX's RDF format with all v2.3 features
- experimental support for the upcoming SPDX v3 specification. Note, however, that support is neither complete nor stable at this point, as the spec is still evolving. SPDX3-related code is contained in a separate subpackage "spdx3" and its use is optional. We do not recommend using it in production code yet.

Note that v0.8 only supports **writing**, not **reading** SPDX 3.0 documents. See [#760](https://github.com/spdx/tools-python/issues/760) for details.

## Information

This library implements SPDX parsers, convertors, validators and handlers in Python.

- Home: <https://github.com/spdx/tools-python>
- Issues: <https://github.com/spdx/tools-python/issues>
- PyPI: <https://pypi.python.org/pypi/spdx-tools>
- Browse the API: <https://spdx.github.io/tools-python>

Important updates regarding this library are shared via the SPDX tech mailing list: <https://lists.spdx.org/g/Spdx-tech>.

## License

[Apache-2.0](LICENSE)

## Features

- API to create and manipulate SPDX v2.2 and v2.3 documents
- Parse, convert, create and validate SPDX files
- Supported formats: Tag/Value, RDF, JSON, YAML, XML
- Visualize the structure of a SPDX document by creating an `AGraph`. Note: This is an optional feature and requires additional installation of optional dependencies

## Experimental support for SPDX 3.0

- Create v3.0 elements and payloads
- Convert v2.2/v2.3 documents to v3.0
- Serialize to JSON-LD

See [Quickstart to SPDX 3.0](#quickstart-to-spdx-30) below.

The implementation is based on the descriptive Markdown files in the repository <https://github.com/spdx/spdx-3-model> (commit: a5372a3c145dbdfc1381fc1f791c68889aafc7ff). The latest SPDX 3.0 model is available at <https://spdx.github.io/spdx-spec/v3.0/serializations/>.

## Installation

As always you should work in a virtualenv (venv). You can install a local clone of this repo with `yourenv/bin/pip install .` or install it from PyPI (check for the [newest release](https://pypi.org/project/spdx-tools/#history) and install it like `yourenv/bin/pip install spdx-tools==0.8.3`). Note that on Windows it would be `Scripts` instead of `bin`.

## How to use

### Command-line usage

1. **PARSING/VALIDATING** (for parsing any format):
   - Use `pyspdxtools -i <filename>` where `<filename>` is the location of the file. The input format is inferred automatically from the file ending.
   - If you are using a source distribution, try running: `pyspdxtools -i tests/spdx/data/SPDXJSONExample-v2.3.spdx.json`

2. **CONVERTING** (for converting one format to another):
   - Use `pyspdxtools -i <input_file> -o <output_file>` where `<input_file>` is the location of the file to be converted and `<output_file>` is the location of the output file. The input and output formats are inferred automatically from the file endings.
   - If you are using a source distribution, try running: `pyspdxtools -i tests/spdx/data/SPDXJSONExample-v2.3.spdx.json -o output.tag`
   - If you want to skip the validation process, provide the `--novalidation` flag, like so: `pyspdxtools -i tests/spdx/data/SPDXJSONExample-v2.3.spdx.json -o output.tag --novalidation` (use this with caution: note that undetected invalid documents may lead to unexpected behavior of the tool)
   - For help use `pyspdxtools --help`

3. **GRAPH GENERATION** (optional feature)
   - This feature generates a graph representing all elements in the SPDX document and their connections based on the provided relationships. The graph can be rendered to a picture. Below is an example for the file `tests/spdx/data/SPDXJSONExample-v2.3.spdx.json`:
   - Make sure you install the optional dependencies `networkx` and `pygraphviz`. To do so run `pip install ".[graph_generation]"`.
   - Use `pyspdxtools -i <input_file> --graph -o <output_file>` where `<output_file>` is an output file name with valid format for `pygraphviz` (check the documentation [here](https://pygraphviz.github.io/documentation/stable/reference/agraph.html#pygraphviz.AGraph.draw)).
   - If you are using a source distribution, try running
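
An added example (not from the tools-python project): a fail-closed intake gate around the `pyspdxtools -i` / `-o` commands above that never passes `--novalidation`. The names `build_command` and `gate`, the 120-second timeout, and the reading of a non-zero exit status as a parsing or validation failure are assumptions.

```python
import subprocess
import sys
from pathlib import Path


def build_command(src, dst=None):
    """Build the pyspdxtools argument list to validate (and optionally convert) src."""
    # Absolute paths keep a file name that begins with "-" from being read as
    # an option; passing a list (no shell) keeps metacharacters inert.
    cmd = ["pyspdxtools", "-i", str(Path(src).resolve())]
    if dst is not None:
        cmd += ["-o", str(Path(dst).resolve())]
    # --novalidation is never added, so conversion keeps its default validation.
    return cmd


def gate(src, dst=None, run=subprocess.run):
    """Return (accepted, detail); accept only when pyspdxtools exits with status 0.

    Assumption: a non-zero exit status signals a parsing or validation failure.
    `run` is injectable so the gate can be exercised without the tool installed.
    """
    try:
        result = run(build_command(src, dst), capture_output=True, text=True, timeout=120)
    except FileNotFoundError:
        return False, "pyspdxtools is not installed in this environment"
    except subprocess.TimeoutExpired:
        return False, "pyspdxtools timed out"
    if result.returncode != 0:
        # Fail closed and keep the tool's own messages for the reviewer.
        return False, (result.stderr or result.stdout).strip()
    return True, "valid"


if __name__ == "__main__":
    if len(sys.argv) not in (2, 3):
        sys.exit("usage: gate.py <input_file> [<output_file>]")
    accepted, detail = gate(*sys.argv[1:3])
    print("ACCEPT" if accepted else "REJECT", detail)
    sys.exit(0 if accepted else 1)
```
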
Release History
| Version | Changes | Urgency | Date |
|---|---|---|---|
| 0.8.5 | Imported from PyPI (0.8.5) | Low | 4/21/2026 |
| v0.8.5 | ## What's Changed * pyproject.toml: Update Python versions + project URLs by @bact in https://github.com/spdx/tools-python/pull/871 * add changelog for upcoming release 0.8.4 by @armintaenzertng in https://github.com/spdx/tools-python/pull/872 * Update MANIFEST.in; remove appveyor.yml by @bact in https://github.com/spdx/tools-python/pull/874 * type hint: Make Optional explicit (PEP 484) by @bact in https://github.com/spdx/tools-python/pull/873 * Update changelog for 0.8.5 and fix linting er | Low | 3/13/2026 |
| v0.8.4 | **Main change: added support for Python 3.14, dropped support for 3.7, 3.8 and 3.9** ## What's Changed * [issue-839] Drop Python 3.7 support and fix CI pipeline issues by @armintaenzertng in https://github.com/spdx/tools-python/pull/841 * [issue-854] Remove some control characters from JSON SPDX by @zbleness in https://github.com/spdx/tools-python/pull/855 * downloadLocation URIs not case sensitive by @clabbenius in https://github.com/spdx/tools-python/pull/826 * README.md: State that the | Low | 1/9/2026 |
| v0.8.3 | ## What's Changed * [issue-771] fix license expression error handling in tag-value parser by @armintaenzertng in https://github.com/spdx/tools-python/pull/772 * spdx3: software_purpose: add REQUIREMENT type by @stanislaw in https://github.com/spdx/tools-python/pull/787 * [issue-798] fix tag-value parser: parse Tool or Organization as annotator by @meretp in https://github.com/spdx/tools-python/pull/799 * [issue-773] shorten output of FileNotFoundError when called via the CLI by @armintaenzer | Low | 9/30/2024 |
| v0.8.2 | ## What's Changed * add `encoding` parameter for parsing files by @chrisdecker1201 in https://github.com/spdx/tools-python/pull/756 * [issue-754] output FilesAnalyzed boolean in lowercase in tag-value by @armintaenzertng in https://github.com/spdx/tools-python/pull/757 * [issue-753] only allow lowercase values for FilesAnalyzed in tag-value by @armintaenzertng in https://github.com/spdx/tools-python/pull/758 * fix(validation): also allow URLs in download locations by @maxhbr in https://gith | Low | 10/12/2023 |
| v0.8.1 | ## What's Changed * add SPDX tech mailing list link to README by @armintaenzertng in https://github.com/spdx/tools-python/pull/737 * make relationship parsing to be more efficient through precomputation by @lumjjb in https://github.com/spdx/tools-python/pull/743 * expand url regex to allow for userinfo by @bdehamer in https://github.com/spdx/tools-python/pull/746 * only instantiate `get_spdx_licensing()` once in the project by @armintaenzertng in https://github.com/spdx/tools-python/pull/749 | Low | 8/24/2023 |
| v0.8.0 | ## What's Changed * [fix] remove leftover legacy files. Add `NOASSERTION` as possible value… by @armintaenzertng in https://github.com/spdx/tools-python/pull/370 * [Issue 305] add new json parser by @meretp in https://github.com/spdx/tools-python/pull/366 * [issue-389] allow NONE and NOASSERTION in related_spdx_element_id by @armintaenzertng in https://github.com/spdx/tools-python/pull/390 * [format] delete unused imports by @meretp in https://github.com/spdx/tools-python/pull/393 * [issue- | Low | 7/25/2023 |
| v0.8.0rc3 | ## What's Changed * remove unused CircleCI workflow and directory by @armintaenzertng in https://github.com/spdx/tools-python/pull/729 * make "Package CONTAINS Package" valid even when `files_analyzed == False` by @armintaenzertng in https://github.com/spdx/tools-python/pull/733 * set `validate=True` as default value in the rdf writer by @armintaenzertng in https://github.com/spdx/tools-python/pull/734 **Full Changelog**: https://github.com/spdx/tools-python/compare/v0.8.0rc2...v0.8.0rc | Low | 7/20/2023 |
| v0.8.0rc2 | ## What's Changed * Generate API docs with pdoc by @fholger in https://github.com/spdx/tools-python/pull/710 * [issue-713] add link to API doc in the README by @armintaenzertng in https://github.com/spdx/tools-python/pull/725 * [issue-721] update Actor regex and parsing by @armintaenzertng in https://github.com/spdx/tools-python/pull/724 * [issue-722] add `calculate_package_verification_code()` by @armintaenzertng in https://github.com/spdx/tools-python/pull/723 * SPDX3: rename ProfileIdent | Low | 7/14/2023 |
| v0.8.0rc1 | ## What's Changed * [fix] remove leftover legacy files. Add `NOASSERTION` as possible value… by @armintaenzertng in https://github.com/spdx/tools-python/pull/370 * [Issue 305] add new json parser by @meretp in https://github.com/spdx/tools-python/pull/366 * [issue-389] allow NONE and NOASSERTION in related_spdx_element_id by @armintaenzertng in https://github.com/spdx/tools-python/pull/390 * [format] delete unused imports by @meretp in https://github.com/spdx/tools-python/pull/393 * [issue- | Low | 6/30/2023 |
| v0.8.0a3 | ## What's Changed * [fix] remove leftover legacy files. Add `NOASSERTION` as possible value… by @armintaenzertng in https://github.com/spdx/tools-python/pull/370 * [Issue 305] add new json parser by @meretp in https://github.com/spdx/tools-python/pull/366 * [issue-389] allow NONE and NOASSERTION in related_spdx_element_id by @armintaenzertng in https://github.com/spdx/tools-python/pull/390 * [format] delete unused imports by @meretp in https://github.com/spdx/tools-python/pull/393 * [issue- | Low | 6/30/2023 |
| v0.7.1 | ## New features and changes * added GitHub Actions workflow * added requirements.txt * added uritools for URI validation * Python >= 3.7 is now required * json/yaml/xml: added support for empty arrays for hasFiles and licenseInfoFromFiles * rdf: fixed writing of multiple packages * tag-value: enhanced parsing of snippet ranges to not mix it up with package version * tag-value: fixed parsing of whitespaces * tag-value: duplicates in LicenseInfoInFile are now removed during writing * a | Low | 3/14/2023 |
| v0.7.0 | ### New features and changes * Dropped Python 2 support. Python >= 3.6 is now required. * Added `pyspdxtools_convertor` and `pyspdxtools_parser` CLI scripts. See [the readme](README.md) for usage instructions. * Updated the tools to support SPDX versions up to 2.3 and to conform with the specification. Apart from many bugfixes and new properties, some of the more significant changes include: * Support for multiple packages per document * Support for multiple checksums for pack | Low | 12/8/2022 |
| v0.7.0-rc0 | First release candidate for the v0.7.0 release. Release notes are to be reviewed and revised, the following is auto-generated by Github and is included to give a rough idea: ## What's Changed * [WIP] Add --signoff to README.md `git commit` references by @altendky in https://github.com/spdx/tools-python/pull/121 * Fixes the install error in Python 2.7 and CircleCI error with Python 3.4.8 by @ShubhamKJha in https://github.com/spdx/tools-python/pull/141 * Validated the RDF file by @Yash-Vars | Low | 11/30/2022 |
| v0.6.1 | Release v0.6.1 | Low | 7/29/2021 |
| v0.6.0 | Release v0.6.0 | Low | 7/29/2021 |
| v0.5.4 | The main change with the previous releases is a bugfix for #27 Other changes are only internal (more tests) and cosmetics | Low | 7/31/2017 |
| v0.5.3 | In this release: - the lists in RDF and tag/value formats are now really sorted always sorted prior to writing (to ensure a consistent sorting) - the order of some tag/value has changed for extracted licenses (the text comes last) - several other minor bugs and cleanups were applied. It is also available on Pypi https://pypi.python.org/pypi/spdx-tools/ | Low | 6/15/2017 |
| v0.5.2 | In this release: - the write_document() method accepts a new `validate` flag to validate or not a doc before writing it - the lists in RDF and tag/value formats are always sorted prior to writing (to ensure a consistent sorting) - several other minor bugs and cleanups were applied. It is also available on Pypi https://pypi.python.org/pypi/spdx-tools/ | Low | 6/15/2017 |
