spdx
Safeguard articles tagged "spdx" — guides, analysis, and best practices for software supply chain and application security.
52 articles
Best SBOM Generators Ranked by Accuracy 2026
Syft, Trivy, cdxgen, and Microsoft sbom-tool measured against known dependency ground truth across four ecosystems. The accuracy spread is wider than you think.
What is a Software License
A software license governs how open source code can be used, modified, and redistributed — and license conflicts now carry real contract-law risk, as the Vizio GPL case shows.
FAQ: CycloneDX vs SPDX — Which to Use?
Practical answers to the most common CycloneDX vs SPDX questions: differences, tooling, regulatory preference, VEX support, and when to emit both.
State of SBOM Adoption Across Industries 2026
How SBOM adoption differs across finance, healthcare, public sector, manufacturing, and tech in 2026, where the real operational usage is, and where it stalls.
AI BOM Spec Comparison: CycloneDX ML-BOM in 2026
AI bills of materials moved from proposal to procurement requirement. A practical comparison of CycloneDX ML-BOM, SPDX 3.0 AI profile, and what to ship in 2026.
SBOM Distribution Patterns: TEA, VEX, and the Last Mile in 2026
How SBOMs actually move between producers and consumers in 2026, what TEA and VEX are solving, and the distribution patterns that hold up in production.
Best open source SBOM generation tools
A practical, no-hype comparison of open source SBOM generation tools — Syft, Trivy, cdxgen, Microsoft sbom-tool, SPDX Tools, and Tern — plus what to check before you pick one.
SPDX 3.0 AI Profile: Building an AIBOM in Practice
SPDX 3.0 was published in March 2025 with a dedicated AI profile and a Dataset profile. We walk through how to produce a defensible AIBOM in SPDX format alongside or in place of CycloneDX.
SBOM Interoperability: Bridging CycloneDX and SPDX
Your suppliers send SPDX. Your tools expect CycloneDX. Interoperability between SBOM formats is a real operational challenge. Here is how to solve it.
What Is a Software Ingredient Label?
Food gets an ingredient panel; software gets an SBOM. What a software ingredient label contains, who is demanding one, and how to generate yours automatically.
How Snyk Container generates a Software Bill of Materials...
How Snyk Container statically scans image layers, parses OS package databases and lockfiles, and exports CycloneDX/SPDX SBOMs — mechanically explained.
SBOM Format Wars: CycloneDX vs SPDX in Practice
CycloneDX and SPDX both claim to be "the" SBOM standard. Here's where they actually diverge on VEX support, license compliance, and government mandates — and which to pick.