Safeguard
Tag

spdx

Safeguard articles tagged "spdx" — guides, analysis, and best practices for software supply chain and application security.

52 articles

Tools

Best SBOM Generators Ranked by Accuracy 2026

Syft, Trivy, cdxgen, and Microsoft sbom-tool measured against known dependency ground truth across four ecosystems. The accuracy spread is wider than you think.

Feb 9, 20266 min read
Open Source Security

What is a Software License

A software license governs how open source code can be used, modified, and redistributed — and license conflicts now carry real contract-law risk, as the Vizio GPL case shows.

Feb 9, 20269 min read
Best Practices

FAQ: CycloneDX vs SPDX — Which to Use?

Practical answers to the most common CycloneDX vs SPDX questions: differences, tooling, regulatory preference, VEX support, and when to emit both.

Feb 4, 20266 min read
Industry Analysis

State of SBOM Adoption Across Industries 2026

How SBOM adoption differs across finance, healthcare, public sector, manufacturing, and tech in 2026, where the real operational usage is, and where it stalls.

Jan 30, 20268 min read
Software Supply Chain Security

AI BOM Spec Comparison: CycloneDX ML-BOM in 2026

AI bills of materials moved from proposal to procurement requirement. A practical comparison of CycloneDX ML-BOM, SPDX 3.0 AI profile, and what to ship in 2026.

Jan 29, 20266 min read
SBOM

SBOM Distribution Patterns: TEA, VEX, and the Last Mile in 2026

How SBOMs actually move between producers and consumers in 2026, what TEA and VEX are solving, and the distribution patterns that hold up in production.

Jan 22, 20265 min read
Buyer's Guides

Best open source SBOM generation tools

A practical, no-hype comparison of open source SBOM generation tools — Syft, Trivy, cdxgen, Microsoft sbom-tool, SPDX Tools, and Tern — plus what to check before you pick one.

Nov 19, 20258 min read
AI Security

SPDX 3.0 AI Profile: Building an AIBOM in Practice

SPDX 3.0 was published in March 2025 with a dedicated AI profile and a Dataset profile. We walk through how to produce a defensible AIBOM in SPDX format alongside or in place of CycloneDX.

Sep 18, 20257 min read
SBOM

SBOM Interoperability: Bridging CycloneDX and SPDX

Your suppliers send SPDX. Your tools expect CycloneDX. Interoperability between SBOM formats is a real operational challenge. Here is how to solve it.

Sep 10, 20256 min read
Supply Chain

What Is a Software Ingredient Label?

Food gets an ingredient panel; software gets an SBOM. What a software ingredient label contains, who is demanding one, and how to generate yours automatically.

Sep 9, 20256 min read
SBOM

How Snyk Container generates a Software Bill of Materials...

How Snyk Container statically scans image layers, parses OS package databases and lockfiles, and exports CycloneDX/SPDX SBOMs — mechanically explained.

Sep 5, 20257 min read
Buyer's Guides

SBOM Format Wars: CycloneDX vs SPDX in Practice

CycloneDX and SPDX both claim to be "the" SBOM standard. Here's where they actually diverge on VEX support, license compliance, and government mandates — and which to pick.

Jul 30, 20257 min read
spdx (Page 3) — Safeguard Blog