Safeguard
Tag

spdx

Safeguard articles tagged "spdx" — guides, analysis, and best practices for software supply chain and application security.

52 articles

Supply Chain

SBOM File Formats, Explained

An SBOM file is only useful if the tools reading it agree on its structure — here's what CycloneDX, SPDX, and SWID actually look like and when each one fits.

Mar 18, 20255 min read
Supply Chain

SBOM Example: Reading a Real CycloneDX and SPDX Document

One component, two formats: a field-by-field walkthrough of a real CycloneDX and SPDX SBOM — purls, licenses, hashes, dependency graphs, and how to validate your own.

Mar 18, 20256 min read
Standards

SPDX 3.0.1: The Patch Release That Cleared ISO and OMG Submission

SPDX 3.0.1 was announced on December 27, 2024, bundling fixes from 3.0.0 implementation and the edits required for OMG SPDX/3.0 and ISO/IEC submission.

Jan 8, 20255 min read
SBOM & Compliance

Java SBOM Generation Tools Compared

Six tools generate SBOMs from Java projects. They disagree on transitive depth, license fields, and licensing of their own output. A head-to-head.

Dec 5, 20245 min read
SBOM & Compliance

SBOM Quality Benchmarking: What We Found in 2024

We scored 1,200 production SBOMs in 2024 across CycloneDX and SPDX. The quality distribution is worse than advertised and we have the numbers.

Nov 8, 20245 min read
Comparisons

CycloneDX vs SPDX in Practice: Choosing an SBOM Format

Both formats are standards, both are mandated somewhere, and your tooling probably emits both. What actually differs when you run CycloneDX and SPDX in production.

Oct 23, 20246 min read
Engineering

CycloneDX and SPDX: Why Safeguard Supports Both and How We Normalize Between Them

The SBOM format debate misses the point. Safeguard ingests both CycloneDX and SPDX, normalizes to a common model, and lets you query and export in either format.

Oct 15, 20247 min read
Concepts

What is an SBOM Drift

SBOM drift is the gap between what your software bill of materials claims and what the artifact actually contains. Here's how it happens and how to detect it with a diff.

Oct 8, 20247 min read
SBOM & Compliance

Medical Device SBOM Requirements in Practice

SBOMs for medical devices look straightforward on paper and get complicated fast in the real world. A field report on what regulators actually accept and what engineering teams actually produce.

Apr 25, 20247 min read
SBOM Standards

SPDX 3.0: What Changed and Why It Matters

SPDX 3.0 is a major overhaul of the ISO-standard SBOM format. Here is a practical breakdown of the new profile system, linking model, and what it means for adoption.

Apr 15, 20246 min read
DevSecOps

SBOM Tooling Landscape in 2023: What Actually Works

The SBOM tooling ecosystem has matured significantly, but choosing the right tools still requires understanding the tradeoffs between formats, generators, and analysis platforms.

Sep 15, 20235 min read
Tool Reviews

Anchore Syft: The Go-To Open Source SBOM Generator

A thorough review of Anchore's Syft SBOM generation tool, covering supported formats, language ecosystems, container scanning, and integration patterns.

Jun 8, 20236 min read
spdx (Page 4) — Safeguard Blog