Safeguard
Tag

spdx

Safeguard articles tagged "spdx" — guides, analysis, and best practices for software supply chain and application security.

52 articles

Supply Chain Security

Generating CycloneDX and SPDX SBOMs from Java Projects with Maven and Gradle

CISA's 2025 draft update proposes four new fields on top of NTIA's minimum elements, from 7 to 11 — most Maven and Gradle-generated SBOMs still fail that bar.

Jul 12, 20266 min read
Open Source Security

Building an Open-Source License Compliance Program That Flags Copyleft Risk in CI

Software Freedom Conservancy's suit against Vizio is headed to trial in August 2026 — proof that copyleft violations are litigated, not theoretical.

Jul 10, 20266 min read
Compliance

The 2026 SBOM compliance guide: where a software bill of materials is now required

SBOM requirements have spread from a single US executive order to regulations across sectors and continents. Here's a framework-by-framework map of where you need one in 2026.

Jul 8, 20265 min read
Supply Chain Security

Generating a CycloneDX/SPDX SBOM for a Node.js Application

npm has shipped a native `npm sbom` command since v9 — but a real supply chain program needs more than the CLI default. Here's how to do it right.

Jul 8, 20266 min read
Supply Chain Security

SBOM adoption: generating, distributing, and consuming SBOMs to cut supply chain risk

Four years after EO 14028, most SBOMs still sit unread in a folder. Here's how to generate, ship, and actually query one before the next Log4Shell.

Jul 8, 20266 min read
FAQ

Best SBOM Tools (2026): An Honest FAQ

A balanced 2026 FAQ on the best SBOM tools — how Syft, Trivy, Dependency-Track, Sonatype, Black Duck, and Safeguard compare, and when a generator is enough versus a platform.

Jul 5, 20266 min read
FAQ

Open Source License Compliance: Frequently Asked Questions

A clear FAQ on open-source license compliance in 2026 — permissive vs copyleft, SPDX identifiers, AGPL and SaaS, attribution obligations, license changes, and automated scanning.

Jul 5, 20266 min read
Concepts

Understanding SBOM Formats

A software bill of materials is only useful if tools can read it. Two standards dominate — SPDX and CycloneDX — and knowing what each captures, how they differ, and when to use which is the difference between an inventory that works and one that gathers dust.

Jul 3, 20266 min read
FAQ

SBOM (Software Bill of Materials): Frequently Asked Questions

A clear FAQ on software bills of materials in 2026 — what an SBOM is, SPDX vs CycloneDX, NTIA minimum elements, VEX, signing, and how to keep an SBOM continuously accurate.

Jul 2, 20266 min read
Tutorials

How to Generate an SBOM: A Step-by-Step Guide

Produce a spec-compliant CycloneDX or SPDX software bill of materials from any repository in minutes, validate it, and attach it to a release — with real commands you can run today.

Jul 1, 20266 min read
Software Supply Chain Security

SBOM export in GitHub: generating a software bill of mate...

GitHub lets you export an SPDX SBOM in two clicks, but the file only reflects what its dependency graph can see. Here's what's missing and how Safeguard fills it.

Jun 28, 20266 min read
Buyer's Guides

Best SBOM Tools in 2026: Generation, Management, and Compliance Compared

An honest guide to the best SBOM tools in 2026 — from open-source generators like Syft and Trivy to full SBOM management and AIBOM platforms — with clear guidance on which to use for generation, analysis, and compliance.

Jun 24, 20265 min read
spdx — Safeguard Blog