Quick Take: SPDX 3.0 Release

The SPDX community, in collaboration with the Linux Foundation, recently released SPDX 3.0, marking a significant milestone in the Software Bill of Materials (SBOM) communication format.

What is SPDX?

SPDX (Software Package Data Exchange) is a standardized format used to create, share, and manage Software Bills of Materials (SBOMs). An SBOM is a detailed inventory of all the components within a software product, including third-party software, open-source libraries, licenses, and other dependencies.

SPDX aims to improve software supply chain transparency, compliance, and security. By providing a consistent and structured way to communicate the composition of software packages, SPDX helps organizations track and manage the various components, understand their licensing obligations, and ensure security and compliance.

SPDX is published as an ISO/IEC 5962:2021 standard, underscoring its wide acceptance and adherence to quality requirements. The format is commonly used by software developers, security professionals, legal experts, and organizations involved in software development and distribution.

SPDX 3.0

SPDX 3.0 provides a comprehensive set of updates, including an overhauled model, specification, and license list, as well as the addition of SPDX profiles designed to handle modern system use cases. This release improves the versatility and adaptability of the SBOM format.

SPDX 3.0’s standout feature is the addition of profiles, which provide subsets of information tailored for specific use cases such as security, software build attestation, precise licensing, AI model training and characterization, and data set provenance.

The profiles act as gateways, allowing organizations to quickly adopt and adapt the format to meet their unique needs, facilitating easier compliance and improved software package management.

The profiles in SPDX 3.0 cater to a wide range of users, from developers to security engineers, data scientists, and legal professionals. The profiles streamline the process of creating, sharing, and analyzing SBOMs, providing ready-to-use templates that can be customized to fit specific scenarios. This addition greatly enhances SPDX’s versatility and adaptability, ensuring it remains relevant across a diverse spectrum of system configurations and use cases.

As a freely available ISO/IEC 5962:2021 standard, SPDX 3.0 meets the stringent quality requirements set by ISO. The new version brings a complete overhaul of its core assets and will be submitted to ISO as an update. The model, specification, and low-level tools have been upgraded to keep pace with the evolving demands of the software industry.

With this new release, organizations using SPDX will benefit from enhanced software package management, improved compliance with licensing obligations, streamlined security practices, and optimized software build processes. The profiles offer ready-to-use templates, enabling developers, security engineers, data scientists, and legal professionals to use SPDX efficiently for their specific needs.

Analysis

The release of SPDX 3.0 is a significant step toward enhancing software supply chain management. By offering a standardized, flexible, and adaptable SBOM format, SPDX 3.0 empowers organizations to navigate the complexities of software development with confidence.

Its emphasis on security, compliance, and efficiency ensures that SPDX 3.0 is well-positioned to drive the future of software package management, paving the way for greater transparency and risk mitigation in software supply chains.

Disclosure: The author is an industry analyst, and NAND Research is an industry analyst firm, that engages in, or has engaged in, research, analysis, and advisory services with many technology companies, which may include those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.