SPDX-3-0
SPDX 3.0 SBOM profiles modulaires JSON-LD 2024.
Définition
SPDX 3.0 profiles : (1) Core : foundational concepts (Element, Identifier, Hash, ExternalRef). (2) Software : packages, files, snippets, licenses (SPDX License List 600+ licenses), relationships (DEPENDS_ON, DESCRIBES, CONTAINS, etc.). (3) Security : vulnerabilities + VEX (similar CycloneDX). (4) AI : AI/ML model bill of materials (AIBOM), datasets, model parameters, hyperparameters, biases. (5) Dataset : data lineage, ML training datasets metadata. (6) Build : build provenance (similar SLSA Provenance + CycloneDX Formulations). (7) Lite : lightweight subset for embedded systems. Serialization formats : JSON-LD (primary 3.0), RDF/Turtle, RDF/XML (vs SPDX 2.x JSON/YAML/XML/RDF/Tag-value). License List : ~600+ SPDX license identifiers (Apache-2.0, MIT, GPL-3.0, BSD-3-Clause, etc.) recognized standard. Adoption : Linux distributions historically (Debian dpkg includes SPDX) ~40% SBOM 2024, US Executive Order 14028 reference SPDX format, EU CRA SBOM SPDX or CycloneDX acceptable.
Origine
SPDX initiated 2010 par Linux Foundation ; SPDX 2.0 published 2015 ; SPDX 2.3 published 2022 ; ISO/IEC 5962:2021 standardized SPDX 2.2.1 ; SPDX 3.0 published avril 2024 ; ~40% SBOM 2024.
Exemple en contexte
Apache Tomcat 11 release : project Maven Build Plugin SPDX Maven Plugin generates SPDX 3.0 JSON-LD SBOM listing all dependencies (Java libraries Spring Framework 6, Hibernate, etc.), declared licenses Apache-2.0 + EPL-2.0 + MIT for dependencies, publishes SBOM alongside .tar.gz release artifacts.
Termes liés
- CycloneDX — format SBOM concurrent.