

Serde serialization for SPDX files

15 releases (8 breaking)

new 0.9.1 Jul 9, 2024
0.8.4 Jul 13, 2023
0.7.2 Jul 10, 2023

#514 in Encoding


2,369 downloads per month
Used in cargo-sbom

MIT license

80 lines



This crate provides a type-safe, serde-compatible SPDX format. It is intended for use in Rust code that needs to read or write SPDX files.

The latest documentation can be found here.

serde is a popular serialization framework for Rust. More information can be found on the official repository: https://github.com/serde-rs/serde

SPDX is an industry-standard format for maintaining a Software Bill of Materials (SBOM). More information can be found on the official website: https://spdx.dev/.


In most cases, simply use the root spdx::v_2_3::Spdx struct with serde to read SPDX data into the struct and write it back out.


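use std::fs;

use serde_spdx::spdx::v_2_3::Spdx;

// Read the SPDX JSON document from disk, then deserialize it into the typed root struct.
let data = fs::read_to_string("sbom.spdx.json").unwrap();
let spdx: Spdx = serde_json::from_str(&data).unwrap();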

Because many of the spdx::v_2_3::Spdx structures contain a lot of optional fields, it is often convenient to use the builder pattern to construct these structs. Each structure has a builder with a default.


use serde_spdx::spdx::v_2_3::SpdxCreationInfoBuilder;

let creation_info = SpdxCreationInfoBuilder::default()

Internal Implementation Details

The root struct is automatically generated from the parsed SPDX JSON schema; this is done at build time (via the build script).

License: MIT


~46K SLoC