SPDX
Also known as: Software Package Data Exchange, Software Package Data eXchange, SPDX 2.3
Facts (16)
Sources
Source: bureado/awesome-software-supply-chain-security (GitHub, github.com), 11 facts
[reference] VXDF (Validated Exploitable Data Flow) is an open security standard for documenting confirmed vulnerabilities with structured evidence of exploitability, utilizing JSON Schema with 33 evidence types and interoperability with SARIF, SPDX, CWE, and CVSS.
[reference] REUSE is a tool used to check and annotate source files with SPDX license identifiers to make license and copyright information machine-readable.
[reference] guacsec/trustify provides a searchable abstraction over CycloneDX and SPDX SBOMs, cross-referencing them against security advisories to identify vulnerabilities.
[claim] The spdx/spdx-to-osv tool is designed to produce an Open Source Vulnerability (OSV) JSON file based on information contained within an SPDX document.
[reference] The 'Trusera/ai-bom' project is an AI Bill of Materials generator for agent workflows that scans n8n, LangGraph, and CrewAI workflows to identify AI components and generate SBOM output in CycloneDX and SPDX formats.
[claim] Sbomify is an SBOM platform that supports attestation verification using Sigstore and GitHub attestations, SPDX 2.3 export, product lifecycle management, and compliance tracking.
[claim] SoftwareDesignLab/SBOM-in-a-Box is a unified platform for SBOM generation using integrated open source tools, conversion between SPDX and CycloneDX formats, VEX generation, quality metrics, and comparison and merging.
[reference] Eclipse SW360 is an open source software component catalogue designed for managing software components, licenses, and compliance, with support for Software Package Data Exchange (SPDX).
[claim] The philips-software/SPDXMerge tool merges multiple SPDX JSON or Tag-value SBOMs into a parent SBOM, supporting deep merge (consolidate contents) and shallow merge (create references), with GitHub Action and Docker support.
[reference] The FOSDEM 2024 presentation 'How to make SPDX industry standard for AI/ML' discusses extending SPDX 3.0 adoption to AI/ML communities, specifically covering SBOMs for data and data pipelines.
[reference] The 'cyfinoid/aibommaker' project is a client-side web tool that analyzes GitHub repositories for AI/LLM usage and generates AI Bills of Materials (AIBOMs) in CycloneDX 1.7 and SPDX 3.0.1 formats, including detection of hardware, infrastructure, and governance components.
Source: Open source software best practices and supply chain risk ... (GOV.UK, gov.uk), Mar 3, 2025, 4 facts
[claim] SPDX and CycloneDX are the two primary formats for a Software Bill of Materials (SBOM).
[reference] SPDX (Software Package Data Exchange) is an open standard developed by the Linux Foundation to communicate SBOM details, including components, licenses, copyrights, and security references, and is recognized internationally as ISO/IEC 5962:2021.
[claim] The data formats used to generate and consume SBOMs include Software Package Data eXchange (SPDX), CycloneDX, and Software Identification (SWID) tags.
[claim] SPDX and CycloneDX are the two primary standards for Software Bills of Materials (SBOMs).
Source: Open Source Licensing Explained: A Comprehensive Guide (TuxCare, tuxcare.com), Oct 21, 2024, 1 fact
[reference] Tools such as SPDX (Software Package Data Exchange) and FOSSology help organizations identify potential licensing issues, track compliance efforts, and mitigate legal risks associated with open source software.