spdx
Safeguard articles tagged "spdx" — guides, analysis, and best practices for software supply chain and application security.
52 articles
SBOM File Formats, Explained
An SBOM file is only useful if the tools reading it agree on its structure — here's what CycloneDX, SPDX, and SWID actually look like and when each one fits.
SBOM Example: Reading a Real CycloneDX and SPDX Document
One component, two formats: a field-by-field walkthrough of a real CycloneDX and SPDX SBOM — purls, licenses, hashes, dependency graphs, and how to validate your own.
SPDX 3.0.1: The Patch Release That Cleared ISO and OMG Submission
SPDX 3.0.1 was announced on December 27, 2024, bundling fixes from 3.0.0 implementation and the edits required for OMG SPDX/3.0 and ISO/IEC submission.
Java SBOM Generation Tools Compared
Six tools generate SBOMs from Java projects. They disagree on transitive depth, license fields, and licensing of their own output. A head-to-head.
SBOM Quality Benchmarking: What We Found in 2024
We scored 1,200 production SBOMs in 2024 across CycloneDX and SPDX. The quality distribution is worse than advertised and we have the numbers.
CycloneDX vs SPDX in Practice: Choosing an SBOM Format
Both formats are standards, both are mandated somewhere, and your tooling probably emits both. What actually differs when you run CycloneDX and SPDX in production.
CycloneDX and SPDX: Why Safeguard Supports Both and How We Normalize Between Them
The SBOM format debate misses the point. Safeguard ingests both CycloneDX and SPDX, normalizes to a common model, and lets you query and export in either format.
What is an SBOM Drift
SBOM drift is the gap between what your software bill of materials claims and what the artifact actually contains. Here's how it happens and how to detect it with a diff.
Medical Device SBOM Requirements in Practice
SBOMs for medical devices look straightforward on paper and get complicated fast in the real world. A field report on what regulators actually accept and what engineering teams actually produce.
SPDX 3.0: What Changed and Why It Matters
SPDX 3.0 is a major overhaul of the ISO-standard SBOM format. Here is a practical breakdown of the new profile system, linking model, and what it means for adoption.
SBOM Tooling Landscape in 2023: What Actually Works
The SBOM tooling ecosystem has matured significantly, but choosing the right tools still requires understanding the tradeoffs between formats, generators, and analysis platforms.
Anchore Syft: The Go-To Open Source SBOM Generator
A thorough review of Anchore's Syft SBOM generation tool, covering supported formats, language ecosystems, container scanning, and integration patterns.