
SBOM Schema Import - SPDX

Overview

This document describes the mandatory schema requirements for SPDX SBOM files that can be successfully processed and imported by the Mend system. The schema applies to both JSON and XML formats and is based on the SPDX specification versions 2.2 and 2.3, with specific requirements defined by Mend.io.

The system automatically detects the format (JSON or XML) and processes both using the same internal logic, ensuring consistent behavior regardless of the input format.

Mandatory Schema Requirements

The table below lists the document-level fields that are mandatory for passing the SPDX validation.

Field                  | Type              | Required | Description                                          | Fallback Behavior
SPDXID                 | String            | Yes      | SPDX document identifier (SPDXRef-DOCUMENT)          | N/A
spdxVersion            | String            | Yes      | SPDX specification version (SPDX-2.2 or SPDX-2.3)    | N/A
name                   | String            | Yes      | Document name                                        | N/A
dataLicense            | String            | Yes      | License for the SPDX document (CC0-1.0)              | N/A
documentNamespace      | String            | Yes      | Unique namespace URI                                 | N/A
creationInfo           | Object            | Yes      | Document creation metadata                           | N/A
creationInfo.created   | String (ISO 8601) | Yes      | Creation timestamp                                   | N/A
creationInfo.creators  | Array             | Yes      | List of creators                                     | N/A

Document Describes Section (Optional but Recommended)

Field             | Type  | Required         | Description                                                                                                   | Fallback Behavior
documentDescribes | Array | No (recommended) | SPDXIDs of the element(s) the document describes, normally the single project element; the dependency hierarchy is built from it | If unspecified, all packages are treated as direct dependencies

Dependency Hierarchy Logic:

  • If documentDescribes is missing or empty, all packages become direct dependencies (a flat list)

  • If documentDescribes is present, the system builds a dependency tree starting from the described element, following the relationships section

  • Only packages directly related to the described element are considered direct dependencies; packages reached through them are transitive

Packages Section (Required for Dependency Matching)

Note: For a list of languages and package managers supported by Mend SCA, refer to the support matrix.

Each package in the packages array must have the following structure:

Field                           | Type   | Required                                     | Description                                                        | Fallback Behavior
packages[].SPDXID               | String | Yes                                          | Unique package identifier                                          | N/A
packages[].name                 | String | Yes (required for SPDX validation)           | Package name                                                       | N/A
packages[].packageFileName      | String | Fallback when no PURL is present             | Package filename, including the file extension                     | N/A
packages[].versionInfo          | String | Fallback when no PURL is present             | Package version                                                    | N/A
packages[].primaryPackagePurpose| String | Yes                                          | "LIBRARY" for dependencies; "APPLICATION" only for the single project element | N/A
packages[].checksums            | Array  | Fallback when no PURL is present             | Package checksums; the SHA1 entry is extracted and used for matching | N/A
packages[].externalRefs         | Array  | Yes (PURL), unless the fallback fields are present | External references that must contain the PURL              | See below

Required PURL structure:
pkg:type/namespace/name@version

Refer to the PURL specification (https://github.com/package-url/purl-spec) for more details.

When the PURL is absent, the matching algorithm will attempt to rely on:

packages[].packageFileName (including file extension), packages[].versionInfo, and packages[].checksums (SHA1).

Package Type Filtering:

  • Only packages with primaryPackagePurpose equal to "LIBRARY" are processed as dependencies. Other package types (CONTAINER, OPERATING-SYSTEM, etc.) are ignored.

  • The single project element is the exception: it is the one package with primaryPackagePurpose equal to "APPLICATION" ("primaryPackagePurpose" : "APPLICATION"), and it occurs once per SBOM file.

Minimum Requirements:

A LIBRARY package is matched only if it has all of the following:

  • packages[].primaryPackagePurpose equal to "LIBRARY"

  • packages[].SPDXID

and at least one of the following:

  • packages[].externalRefs containing the PURL (recommended), or

  • packages[].packageFileName (including file extension), packages[].versionInfo, and packages[].checksums (with a SHA1 entry)
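The following pre-flight check is added here as an example; it is not Mend's import code. It applies the rules above to a parsed SPDX JSON document: the document-level mandatory fields, the LIBRARY/APPLICATION filter, and the PURL-or-fallback minimum for each package. The SBOM it runs on is constructed for the example. Two details are assumptions, not something the page states: a malformed PURL is treated like an absent one (the fallback fields are then consulted), and the regular expression used for the pkg:type/namespace/name@version shape is the author's own, with the namespace segment optional as the PURL specification allows.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Document-level fields the page lists as mandatory for Mend's SPDX import.
DOCUMENT_FIELDS = ("SPDXID", "spdxVersion", "name", "dataLicense",
                   "documentNamespace", "creationInfo")
SUPPORTED_VERSIONS = {"SPDX-2.2", "SPDX-2.3"}

# Assumed shape check for pkg:type/namespace/name@version (namespace optional).
PURL_RE = re.compile(r"^pkg:[A-Za-z0-9.+-]+/(?:[^@?#]+/)?[^@/?#]+@[^?#]+")


def check_document(doc: Dict[str, Any]) -> List[str]:
    """Problems with the document-level mandatory fields (empty list = OK)."""
    problems = [f"missing document field: {f}" for f in DOCUMENT_FIELDS if not doc.get(f)]
    if doc.get("spdxVersion") not in SUPPORTED_VERSIONS:
        problems.append(f"unsupported spdxVersion: {doc.get('spdxVersion')!r}")
    info = doc.get("creationInfo") or {}
    for sub in ("created", "creators"):
        if not info.get(sub):
            problems.append(f"missing creationInfo.{sub}")
    return problems


def purl_of(pkg: Dict[str, Any]) -> Optional[str]:
    """The PURL locator from externalRefs, or None when absent."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None


def check_package(pkg: Dict[str, Any]) -> Tuple[str, List[str]]:
    """Classify one package the way the page describes the import filter.

    Returns (status, notes): 'project' for the APPLICATION element, 'ignored'
    for other non-LIBRARY purposes, 'purl' or 'fallback' for a LIBRARY package
    that meets the minimum requirements, 'invalid' otherwise.
    """
    purpose = pkg.get("primaryPackagePurpose")
    if purpose == "APPLICATION":
        return "project", []
    if purpose != "LIBRARY":
        return "ignored", [f"primaryPackagePurpose {purpose!r} is not LIBRARY"]
    if not pkg.get("SPDXID"):
        return "invalid", ["missing SPDXID"]
    notes: List[str] = []
    purl = purl_of(pkg)
    if purl is not None:
        if PURL_RE.match(purl):
            return "purl", notes
        # Assumption: a malformed PURL is handled like a missing one.
        notes.append(f"malformed PURL {purl!r}; trying fallback fields")
    # Fallback: packageFileName with an extension, versionInfo, and a SHA1 checksum.
    problems: List[str] = []
    fname = pkg.get("packageFileName") or ""
    if "." not in fname:
        problems.append("packageFileName missing or has no file extension")
    if not pkg.get("versionInfo"):
        problems.append("missing versionInfo")
    if not any(c.get("algorithm") == "SHA1" and c.get("checksumValue")
               for c in pkg.get("checksums", [])):
        problems.append("no SHA1 entry in checksums")
    if problems:
        return "invalid", notes + problems
    return "fallback", notes


def check_sbom(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Per-document and per-package results, keyed by SPDXID."""
    return {"document": check_document(doc),
            "packages": {p.get("SPDXID", "<no id>"): check_package(p)
                         for p in doc.get("packages", [])}}


# Constructed sample (not from the page): project, PURL package, fallback-only
# package, a container that is ignored, and a LIBRARY missing everything.
SAMPLE = {
    "SPDXID": "SPDXRef-DOCUMENT", "spdxVersion": "SPDX-2.3", "name": "demo",
    "dataLicense": "CC0-1.0", "documentNamespace": "https://example.invalid/spdx/demo-1",
    "creationInfo": {"created": "2025-10-27T13:32:16Z", "creators": ["Tool: demo"]},
    "documentDescribes": ["SPDXRef-Project"],
    "packages": [
        {"SPDXID": "SPDXRef-Project", "name": "demo", "primaryPackagePurpose": "APPLICATION"},
        {"SPDXID": "SPDXRef-A", "name": "commons-beanutils", "versionInfo": "1.8.0",
         "primaryPackagePurpose": "LIBRARY",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/commons-beanutils/commons-beanutils@1.8.0"}]},
        {"SPDXID": "SPDXRef-B", "name": "lib-b", "versionInfo": "2.0.0",
         "packageFileName": "lib-b-2.0.0.jar", "primaryPackagePurpose": "LIBRARY",
         "checksums": [{"algorithm": "SHA1", "checksumValue": "0" * 40}]},
        {"SPDXID": "SPDXRef-C", "name": "base-image", "primaryPackagePurpose": "CONTAINER"},
        {"SPDXID": "SPDXRef-D", "name": "lib-d", "primaryPackagePurpose": "LIBRARY",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "0" * 64}]},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(check_sbom(SAMPLE), indent=2))
```

Run it against your own export before uploading: every LIBRARY package that comes back as invalid will not be matched, and a package that only reaches fallback will be matched by filename, version and SHA1 rather than by PURL.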

Relationships Section (Recommended)

Note: With no relationships, the import process will result in a flat list of direct dependencies.

Field                              | Type   | Required                   | Description                                                  | Fallback Behavior
relationships                      | Array  | No (recommended)           | Package relationships                                        | If missing, all components are treated as direct dependencies
relationships[].spdxElementId      | String | Yes, for each relationship | Source (parent) element ID; must reference a valid element   | N/A
relationships[].relationshipType   | String | Yes, for each relationship | Relationship type; must be a supported type                  | N/A
relationships[].relatedSpdxElement | String | Yes, for each relationship | Target (child) element ID; must reference a valid element    | N/A

Supported Relationship Types:

Note: Only top-down relationships are supported: spdxElementId is the depending (parent) element and relatedSpdxElement is the dependency (child), as in the project DEPENDS_ON a library. Bottom-up forms such as DEPENDENCY_OF are not interpreted.

  • DEPENDS_ON: Package depends on another package

  • DYNAMIC_LINK: Package dynamically links to another package

  • STATIC_LINK: Package statically links to another package

  • CONTAINS: Package contains another package

  • DESCRIBES: Used only once, to describe the project specified using "primaryPackagePurpose" : "APPLICATION"
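The hierarchy rules from the Document Describes and Relationships sections, worked through in Python as an added example (not Mend's code): relationships are validated for dangling references and unsupported types, DESCRIBES is checked against the APPLICATION element, and LIBRARY packages are then split into direct (one supported top-down hop from the documentDescribes element) and transitive (reached below that layer). The sample SBOM is constructed. One assumption is flagged in the code: the page does not say how LIBRARY packages that are never reached from the described element are treated, so the example only reports them.

```python
from collections import deque
from typing import Any, Dict, List, Set

# Top-down relationship types the page lists as supported for building the tree.
SUPPORTED_TYPES = {"DEPENDS_ON", "DYNAMIC_LINK", "STATIC_LINK", "CONTAINS"}


def build_hierarchy(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Return direct and transitive LIBRARY packages plus validation problems."""
    packages = {p["SPDXID"]: p for p in doc.get("packages", []) if p.get("SPDXID")}
    libraries = {sid for sid, p in packages.items()
                 if p.get("primaryPackagePurpose") == "LIBRARY"}
    valid_ids = set(packages) | {doc.get("SPDXID")}
    problems: List[str] = []
    children: Dict[str, List[str]] = {}   # parent SPDXID -> child SPDXIDs
    describes_seen = 0

    for rel in doc.get("relationships", []):
        src, typ, dst = (rel.get("spdxElementId"), rel.get("relationshipType"),
                         rel.get("relatedSpdxElement"))
        if src not in valid_ids or dst not in valid_ids:
            problems.append(f"dangling reference: {src} {typ} {dst}")
            continue
        if typ == "DESCRIBES":
            describes_seen += 1
            if packages.get(dst, {}).get("primaryPackagePurpose") != "APPLICATION":
                problems.append(f"DESCRIBES target {dst} is not the APPLICATION element")
            continue
        if typ not in SUPPORTED_TYPES:
            # Bottom-up (e.g. DEPENDENCY_OF) and other types are not interpreted.
            problems.append(f"unsupported relationshipType {typ!r} ignored")
            continue
        children.setdefault(src, []).append(dst)
    if describes_seen > 1:
        problems.append("DESCRIBES must appear once per SBOM")

    described = doc.get("documentDescribes") or []
    if not described:
        # No described element: flat import, every LIBRARY is a direct dependency.
        return {"direct": libraries, "transitive": set(), "problems": problems}

    direct = {c for root in described for c in children.get(root, []) if c in libraries}
    transitive: Set[str] = set()
    seen = set(direct)
    queue = deque(direct)
    while queue:  # breadth-first below the direct layer; 'seen' also breaks cycles
        node = queue.popleft()
        for child in children.get(node, []):
            if child in seen:
                continue
            seen.add(child)
            if child in libraries:
                transitive.add(child)
            queue.append(child)
    unreached = libraries - direct - transitive
    if unreached:
        # Assumption: the page does not define the treatment of unreached
        # LIBRARY packages, so they are only reported here.
        problems.append(f"LIBRARY packages not reachable from documentDescribes: {sorted(unreached)}")
    return {"direct": direct, "transitive": transitive, "problems": problems}


def _pkg(sid: str, purpose: str = "LIBRARY") -> Dict[str, Any]:
    return {"SPDXID": sid, "name": sid.lower(), "primaryPackagePurpose": purpose}


def _rel(src: str, typ: str, dst: str) -> Dict[str, str]:
    return {"spdxElementId": src, "relationshipType": typ, "relatedSpdxElement": dst}


# Constructed sample (not from the page): Project -> A -> B; C is a container;
# D is only referenced bottom-up; one relationship points at a missing ID.
SAMPLE = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "documentDescribes": ["SPDXRef-Project"],
    "packages": [_pkg("SPDXRef-Project", "APPLICATION"), _pkg("SPDXRef-A"),
                 _pkg("SPDXRef-B"), _pkg("SPDXRef-C", "CONTAINER"), _pkg("SPDXRef-D")],
    "relationships": [
        _rel("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-Project"),
        _rel("SPDXRef-Project", "DEPENDS_ON", "SPDXRef-A"),
        _rel("SPDXRef-A", "STATIC_LINK", "SPDXRef-B"),
        _rel("SPDXRef-Project", "CONTAINS", "SPDXRef-C"),
        _rel("SPDXRef-D", "DEPENDENCY_OF", "SPDXRef-Project"),    # bottom-up: ignored
        _rel("SPDXRef-Project", "DEPENDS_ON", "SPDXRef-Missing"),  # dangling reference
    ],
}

if __name__ == "__main__":
    print(build_hierarchy(SAMPLE))
```

Note that SPDXRef-D ends up neither direct nor transitive: its only relationship is written bottom-up, which is exactly the case the note above warns about, and the same SBOM with documentDescribes left empty imports every LIBRARY package as a direct dependency.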

SBOM Validation

Validate your SBOM using the following tool: https://tools.spdx.org/app/validate/
An invalid SBOM will not be processed.

Example Valid SBOM

JSON Format Example

JSON
{
  "SPDXID" : "SPDXRef-DOCUMENT",
  "spdxVersion" : "SPDX-2.3",
  "creationInfo" : {
    "created" : "2025-10-27T13:32:16Z",
    "creators" : [ "Organization: [org]", "Tool: Mend Spdx Report Generator", "Person: mend.tester@mend.io (mend.tester@mend.io)" ]
  },
  "name" : "Dependencies SBOM Report",
  "dataLicense" : "CC0-1.0",
  "documentDescribes" : [ "SPDXRef-Project" ],
  "documentNamespace" : "https://mend.io/spdx/doc/1.5-0e632ed1-c1ba-45f8-94ea-48119e149a4d",
  "packages" : [ {
    "SPDXID" : "SPDXRef-Project",
    "downloadLocation" : "NOASSERTION",
    "filesAnalyzed" : false,
    "licenseInfoFromFiles" : [ ],
    "name" : "1.5",
    "primaryPackagePurpose" : "APPLICATION"
  }, {
    "SPDXID" : "SPDXRef-Package-commons-beanutils-1.8.0.jar",
    "attributionTexts" : [ "PkgType: MAVEN_ARTIFACT", "PkgUuid: 56a58812-b304-44f7-a589-1911ee10757c" ],
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "0c651d5103c649c12b20d53731643e5fffceb536"
    } ],
    "copyrightText" : "The Apache Software Foundation",
    "description" : "BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.",
    "downloadLocation" : "http://www.apache.org/",
    "externalRefs" : [ {
      "referenceCategory" : "SECURITY",
      "referenceLocator" : "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-930699-724606",
      "referenceType" : "advisory"
    }, {
      "referenceCategory" : "PACKAGE-MANAGER",
      "referenceLocator" : "pkg:maven/commons-beanutils/commons-beanutils@1.8.0",
      "referenceType" : "purl"
    } ],
    "filesAnalyzed" : false,
    "homepage" : "http://www.apache.org/",
    "licenseConcluded" : "Apache-2.0",
    "licenseDeclared" : "Apache-2.0",
    "name" : "commons-beanutils-1.8.0.jar",
    "originator" : "Organization: The Apache Software Foundation",
    "packageFileName" : "commons-beanutils-1.8.0.jar",
    "primaryPackagePurpose" : "LIBRARY",
    "supplier" : "Organization: The Apache Software Foundation",
    "versionInfo" : "1.8.0"
  } ],
  "relationships" : [ {
    "spdxElementId" : "SPDXRef-DOCUMENT",
    "relationshipType" : "DESCRIBES",
    "relatedSpdxElement" : "SPDXRef-Project"
  }, {
    "spdxElementId" : "SPDXRef-Project",
    "relationshipType" : "DEPENDS_ON",
    "relatedSpdxElement" : "SPDXRef-Package-commons-beanutils-1.8.0.jar"
  } ]
}

XML Format Example

XML
<?xml version='1.0' encoding='UTF-8'?>
<Document>
  <SPDXID>SPDXRef-DOCUMENT</SPDXID>
  <spdxVersion>SPDX-2.3</spdxVersion>
  <creationInfo>
    <created>2025-10-27T13:39:07Z</created>
    <creators>Organization: [org]</creators>
    <creators>Tool: Mend Spdx Report Generator</creators>
    <creators>Person: mend.tester@mend.io (mend.tester@mend.io)</creators>
  </creationInfo>
  <name>Dependencies SBOM Report</name>
  <dataLicense>CC0-1.0</dataLicense>
  <documentDescribes>SPDXRef-Project</documentDescribes>
  <documentNamespace>https://mend.io/spdx/doc/1.5-ba469eb3-cb2d-4c0d-9600-8e16ed2ba2eb</documentNamespace>
  <packages>
    <SPDXID>SPDXRef-Project</SPDXID>
    <downloadLocation>NOASSERTION</downloadLocation>
    <filesAnalyzed>false</filesAnalyzed>
    <name>1.5</name>
    <primaryPackagePurpose>APPLICATION</primaryPackagePurpose>
  </packages>
  <packages>
    <SPDXID>SPDXRef-Package-commons-beanutils-1.8.0.jar</SPDXID>
    <attributionTexts>PkgType: MAVEN_ARTIFACT</attributionTexts>
    <attributionTexts>PkgUuid: 56a58812-b304-44f7-a589-1911ee10757c</attributionTexts>
    <checksums>
      <algorithm>SHA1</algorithm>
      <checksumValue>0c651d5103c649c12b20d53731643e5fffceb536</checksumValue>
    </checksums>
    <copyrightText>The Apache Software Foundation</copyrightText>
    <description>BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.</description>
    <downloadLocation>http://www.apache.org/</downloadLocation>
    <externalRefs>
      <referenceCategory>SECURITY</referenceCategory>
      <referenceLocator>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-930699-724606</referenceLocator>
      <referenceType>advisory</referenceType>
    </externalRefs>
    <externalRefs>
      <referenceCategory>PACKAGE-MANAGER</referenceCategory>
      <referenceLocator>pkg:maven/commons-beanutils/commons-beanutils@1.8.0</referenceLocator>
      <referenceType>purl</referenceType>
    </externalRefs>
    <filesAnalyzed>false</filesAnalyzed>
    <homepage>http://www.apache.org/</homepage>
    <licenseConcluded>Apache-2.0</licenseConcluded>
    <licenseDeclared>Apache-2.0</licenseDeclared>
    <name>commons-beanutils-1.8.0.jar</name>
    <originator>Organization: The Apache Software Foundation</originator>
    <packageFileName>commons-beanutils-1.8.0.jar</packageFileName>
    <primaryPackagePurpose>LIBRARY</primaryPackagePurpose>
    <supplier>Organization: The Apache Software Foundation</supplier>
    <versionInfo>1.8.0</versionInfo>
  </packages>
  <relationships>
    <spdxElementId>SPDXRef-DOCUMENT</spdxElementId>
    <relationshipType>DESCRIBES</relationshipType>
    <relatedSpdxElement>SPDXRef-Project</relatedSpdxElement>
  </relationships>
  <relationships>
    <spdxElementId>SPDXRef-Project</spdxElementId>
    <relationshipType>DEPENDS_ON</relationshipType>
    <relatedSpdxElement>SPDXRef-Package-commons-beanutils-1.8.0.jar</relatedSpdxElement>
  </relationships>
</Document>
