ediverse Explorer la plateforme

À la une PEPPOL BIS Billing 3.0 L’obligation européenne d’e-invoicing arrive : France sept 2026, Belgique janv 2026, Allemagne 2025.

SPDX-3-0

SPDX 3.0 SBOM profiles modulaires JSON-LD 2024.

Définition

SPDX 3.0 profiles : (1) Core : foundational concepts (Element, Identifier, Hash, ExternalRef). (2) Software : packages, files, snippets, licenses (SPDX License List 600+ licenses), relationships (DEPENDS_ON, DESCRIBES, CONTAINS, etc.). (3) Security : vulnerabilities + VEX (similar CycloneDX). (4) AI : AI/ML model bill of materials (AIBOM), datasets, model parameters, hyperparameters, biases. (5) Dataset : data lineage, ML training datasets metadata. (6) Build : build provenance (similar SLSA Provenance + CycloneDX Formulations). (7) Lite : lightweight subset for embedded systems. Serialization formats : JSON-LD (primary 3.0), RDF/Turtle, RDF/XML (vs SPDX 2.x JSON/YAML/XML/RDF/Tag-value). License List : ~600+ SPDX license identifiers (Apache-2.0, MIT, GPL-3.0, BSD-3-Clause, etc.) recognized standard. Adoption : Linux distributions historically (Debian dpkg includes SPDX) ~40% SBOM 2024, US Executive Order 14028 reference SPDX format, EU CRA SBOM SPDX or CycloneDX acceptable.

Origine

SPDX initiated 2010 par Linux Foundation ; SPDX 2.0 published 2015 ; SPDX 2.3 published 2022 ; ISO/IEC 5962:2021 standardized SPDX 2.2.1 ; SPDX 3.0 published avril 2024 ; ~40% SBOM 2024.

Exemple en contexte

Apache Tomcat 11 release : project Maven Build Plugin SPDX Maven Plugin generates SPDX 3.0 JSON-LD SBOM listing all dependencies (Java libraries Spring Framework 6, Hibernate, etc.), declared licenses Apache-2.0 + EPL-2.0 + MIT for dependencies, publishes SBOM alongside .tar.gz release artifacts.

Termes liés

Dernière mise à jour: 16 mai 2026