Referencing external spdx documents with package information from project.spdx.yml


Hello J


I am currently working on an issue in the OSS Review Toolkit [1] to support referring to external SPDX files from a `project.spdx.yml` [2].


I am currently checking out the SPDX specs [3] and the SPDX schema [4] to create a working example of a `project.spdx.yml` which has a package referencing an external SPDX document for its metadata.

In the example file provided in [5] I could not find a reference of that sort.

I have tried using the `externalRefs` parameter of a package in the SPDX document, but did not manage to actually reference an external SPDX document.

In the last paragraph of the spdx/tools repository [6] I have found a mention of “ExternalSpdxElement” that is not in the 2.0 model anymore. Has this been replaced in some way?


I wondered if there was an actual example in one of the documentations or repositories that shows:

- a project.spdx.yml listing a package,
- and in that package metadata a reference to
- additional metadata in the form of a package.spdx.yml (or something similar).


Here is a slightly changed project.spdx.yml (originally from [7]) that shows how I would imagine the mechanisms working:


spdxVersion: "SPDX-2.2"
creationInfo:
  created: "2020-07-23T18:30:22Z"
  creators:
  - "Organization: Example Inc."
  - "Person: Thomas Steenbergen"
  licenseListVersion: "3.9"
name: "xyz-0.1.0"
dataLicense: "CC0-1.0"
documentNamespace: ""
documentDescribes:
- "SPDXRef-Package-xyz"
packages:
- SPDXID: "SPDXRef-Package-xyz"
  description: "Awesome product created by Example Inc."
  copyrightText: "Copyright (C) 2020 Example Inc."
  downloadLocation: "git+ssh://"
  filesAnalyzed: false
  homepage: ""
  licenseConcluded: "NOASSERTION"
  licenseDeclared: "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
  name: "xyz"
  versionInfo: "0.1.0"
- SPDXID: "SPDXRef-Package-curl"
  externalRefs:
  - referenceCategory: "OTHER"
    referenceLocator: "curl:7.70.0"  # or a similar way of giving an identifier
    referenceType:  # alternatively a relative path to the same file locally could be given here
# OR:
- SPDXID: "SPDXRef-Package-curl"
  externalDocumentRefs:
  - documentUri:  # alternatively a relative path to the same file locally could be given here
    id: SPDXDocumentRef-curl
relationships:
- spdxElementId: "SPDXRef-Package-xyz"
  relatedSpdxElement: "SPDXRef-Package-curl"
  relationshipType: "DEPENDS_ON"

Mit freundlichen Grüßen / Best regards

Stephanie Neubauer

Project Delivery Stuttgart (IOC/PDL4)
Robert Bosch GmbH | Postfach 11 27 | 71301 Waiblingen | GERMANY |
Tel. +49 711 811-92528 | Mobil +49 172 3620267 | Telefax +49 711 811-58200 |
Threema / Threema Work: PHCV2F36 | Stephanie.Neubauer@...

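How SPDX 2.2 itself expresses what the message above asks for, as an added example that is not part of the original post or of ORT: the document declares the other SPDX document under `externalDocumentRefs` (an `externalDocumentId` starting with `DocumentRef-`, the other document's `documentNamespace` URI as `spdxDocument`, and a SHA1 checksum), and relationships point into it as `DocumentRef-<id>:SPDXRef-<element>`. The Python below embeds a constructed document modelled on the post's `project.spdx.yml` (namespace URIs and the checksum value are placeholders) and resolves every relationship target, reporting dangling references instead of silently accepting them.

```python
# Added example, not from the original post or ORT: SPDX 2.2 refers to an
# element of another SPDX document via "externalDocumentRefs" plus the
# "DocumentRef-<id>:SPDXRef-<element>" form in relationships. The dict below
# is constructed to mirror the post's project.spdx.yml as loaded from YAML;
# namespace URIs and the checksum value are placeholders.
PROJECT_DOC = {
    "spdxVersion": "SPDX-2.2",
    "documentNamespace": "https://example.invalid/spdxdocs/xyz-0.1.0",
    "externalDocumentRefs": [{
        "externalDocumentId": "DocumentRef-curl",  # local handle, must start with DocumentRef-
        "spdxDocument": "https://example.invalid/spdxdocs/curl-7.70.0",  # curl document's namespace
        "checksum": {"algorithm": "SHA1", "checksumValue": "0" * 40},  # SHA1 is mandatory; placeholder
    }],
    "packages": [{"SPDXID": "SPDXRef-Package-xyz", "name": "xyz", "versionInfo": "0.1.0"}],
    "relationships": [{
        "spdxElementId": "SPDXRef-Package-xyz",
        "relationshipType": "DEPENDS_ON",
        "relatedSpdxElement": "DocumentRef-curl:SPDXRef-Package-curl",  # element of the external document
    }],
}


def resolve_relationships(doc):
    """Return (resolved, errors); resolved holds (subject, type, namespace, element) tuples."""
    local_ids = {p["SPDXID"] for p in doc.get("packages", [])} | {"SPDXRef-DOCUMENT", "NOASSERTION", "NONE"}
    external, errors, resolved = {}, [], []
    for ref in doc.get("externalDocumentRefs", []):
        doc_id = ref["externalDocumentId"]
        if not doc_id.startswith("DocumentRef-"):
            errors.append(f"bad externalDocumentId {doc_id}")
        elif ref.get("checksum", {}).get("algorithm") != "SHA1":
            errors.append(f"{doc_id}: SHA1 checksum required")
        else:
            external[doc_id] = ref["spdxDocument"]
    for rel in doc.get("relationships", []):
        target = rel["relatedSpdxElement"]
        if ":" in target:  # external form DocumentRef-x:SPDXRef-y
            doc_id, element = target.split(":", 1)
            namespace = external.get(doc_id)
            if namespace is None:
                errors.append(f"unknown external document {doc_id}")
                continue
        elif target in local_ids:
            namespace, element = doc["documentNamespace"], target
        else:
            errors.append(f"unknown local element {target}")
            continue
        resolved.append((rel["spdxElementId"], rel["relationshipType"], namespace, element))
    return resolved, errors
```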