OpenChainGraph Suite · ART-138 · wave 25

SPDX SBOM Validator (EU CRA Annex I)

Validate an SPDX SBOM: spdxVersion (2.x or 3.x), SPDXID document identifier, every package has name+versionInfo+downloadLocation (or purl externalRef), and relationships present. SPDX-format counterpart to ART-135. Feeds the CRA Annex I conformance checker (art-139).

SPDX 2.x / 3.xEU CRA Annex ISBOMFull applicability Dec 2027W3C VC §13.11Zero PIIClient-side only
🔒 All inputs are processed locally in your browser. No data is transmitted. Do not enter real personal data — use synthetic or anonymised inputs only.
Scope
Root stage of the cra-product-conformance chain (art-138→139→140). SPDX-format SBOM validator: checks spdxVersion pattern (SPDX-2.x or SPDX-3.x), document identifier, each package must carry name+versionInfo+downloadLocation or a purl externalRef, and relationships must be present. Use art-135 for CycloneDX format. Both validate the EU CRA Annex I Part II(1) machine-readable SBOM requirement.
Presets
SPDX SBOM (JSON)
Result
Execution Hash & §4 Artifact
SHA-256 execution hash (JCS canonical — RFC 8785):

      

        
        
        
        
        
      

    

    

      
Chain Handoff → art-139
Pass the execution_hash above as parent_hashes[0] when calling check_cra_annex1_completeness (art-139) to continue the cra-product-conformance chain.