SPDX 3.0

Quick Take: SPDX 3.0 Release

The SPDX community, in collaboration with the Linux Foundation, recently released SPDX 3.0, a significant milestone for the Software Bill of Materials (SBOM) communication format.

What is SPDX?

SPDX (Software Package Data Exchange) is a standardized format used to create, share, and manage Software Bills of Materials (SBOMs). An SBOM is a detailed inventory of all the components within a software product, including third-party software, open-source libraries, licenses, and other dependencies.

SPDX aims to improve software supply chain transparency, compliance, and security. By providing a consistent and structured way to communicate the composition of software packages, SPDX helps organizations track and manage the various components, understand their licensing obligations, and ensure security and compliance.

SPDX is published as an ISO/IEC 5962:2021 standard, underscoring its wide acceptance and adherence to quality requirements. The format is commonly used by software developers, security professionals, legal experts, and organizations involved in software development and distribution.

SPDX 3.0

SPDX 3.0 provides a comprehensive set of updates, including an overhauled model, specification, and license list, and the addition of SPDX profiles designed to handle modern system use cases. This release improves the versatility and adaptability of the SBOM format.

SPDX 3.0’s standout feature is the addition of profiles, which provide subsets of information tailored for specific use cases such as security, software build attestation, precise licensing, AI model training and characterization, and data set provenance.

The profiles act as gateways, allowing organizations to quickly adopt and adapt the format to meet their unique needs, facilitating easier compliance and improved software package management.

The profiles in SPDX 3.0 cater to a wide range of users, from developers to security engineers, data scientists, and legal professionals. The profiles streamline the process of creating, sharing, and analyzing SBOMs, providing ready-to-use templates that can be customized to fit specific scenarios. This addition greatly enhances SPDX’s versatility and adaptability, ensuring it remains relevant across a diverse spectrum of system configurations and use cases.

As a freely available ISO/IEC 5962:2021 standard, SPDX 3.0 meets the stringent quality requirements set by ISO. The new version brings a complete overhaul of its core assets and will be submitted to ISO as an update. The model, specification, and low-level tools have been upgraded to keep pace with the evolving demands of the software industry.

With this new release, organizations using SPDX will benefit from enhanced software package management, improved compliance with licensing obligations, streamlined security practices, and optimized software build processes. The profiles offer ready-to-use templates, enabling developers, security engineers, data scientists, and legal professionals to use SPDX efficiently for their specific needs.

Analysis

The release of SPDX 3.0 is a significant step toward enhancing software supply chain management. By offering a standardized, flexible, and adaptable SBOM format, SPDX 3.0 empowers organizations to navigate the complexities of software development with confidence.

Its emphasis on security, compliance, and efficiency ensures that SPDX 3.0 is well-positioned to drive the future of software package management, paving the way for greater transparency and risk mitigation in software supply chains.

Disclosure: The author is an industry analyst, and NAND Research is an industry analyst firm, that engages in, or has engaged in, research, analysis, and advisory services with many technology companies, which may include those mentioned in this article. The author does not hold any equity positions in any company mentioned in this article.