SPDX (Software Package Data Exchange)
Что такое SPDX (Software Package Data Exchange)?
SPDX (Software Package Data Exchange)A Linux Foundation-maintained, ISO/IEC 5962-standardized open format for software bills of materials, originally focused on license metadata and now broadly used for SBOMs.
SPDX (Software Package Data Exchange) is an open BOM standard maintained by the Linux Foundation and ratified as ISO/IEC 5962 in 2021. It originated in 2010 to express software license information unambiguously across the supply chain and has since expanded to a full SBOM format covering components, relationships, file-level hashes, build metadata, security references, and AI/ML models (SPDX 3.0). SPDX SBOMs are typically serialized in JSON, YAML, RDF, or the original tag-value form. Together with CycloneDX, SPDX is one of the two formats explicitly named in U.S. CISA SBOM guidance and is the lingua franca of license compliance tooling — `fossology`, `scancode`, and most enterprise SCA platforms read and write it. SPDX 3.0, released in 2024, modularized the spec into profiles (Core, Software, Licensing, Security, Build, AI, Dataset), making it more competitive with CycloneDX for purely security-focused workflows.
● Примеры
- 01
A Linux distribution publishes per-package SPDX documents containing SHA-256 file hashes and resolved SPDX license identifiers.
- 02
An OSS project's release pipeline emits both SPDX 3.0 and CycloneDX SBOMs so customers can ingest whichever their tooling supports.
● Частые вопросы
Что такое SPDX (Software Package Data Exchange)?
A Linux Foundation-maintained, ISO/IEC 5962-standardized open format for software bills of materials, originally focused on license metadata and now broadly used for SBOMs. Относится к категории Безопасность приложений в кибербезопасности.
Что означает SPDX (Software Package Data Exchange)?
A Linux Foundation-maintained, ISO/IEC 5962-standardized open format for software bills of materials, originally focused on license metadata and now broadly used for SBOMs.
Как работает SPDX (Software Package Data Exchange)?
SPDX (Software Package Data Exchange) is an open BOM standard maintained by the Linux Foundation and ratified as ISO/IEC 5962 in 2021. It originated in 2010 to express software license information unambiguously across the supply chain and has since expanded to a full SBOM format covering components, relationships, file-level hashes, build metadata, security references, and AI/ML models (SPDX 3.0). SPDX SBOMs are typically serialized in JSON, YAML, RDF, or the original tag-value form. Together with CycloneDX, SPDX is one of the two formats explicitly named in U.S. CISA SBOM guidance and is the lingua franca of license compliance tooling — `fossology`, `scancode`, and most enterprise SCA platforms read and write it. SPDX 3.0, released in 2024, modularized the spec into profiles (Core, Software, Licensing, Security, Build, AI, Dataset), making it more competitive with CycloneDX for purely security-focused workflows.
Как защититься от SPDX (Software Package Data Exchange)?
Защита от SPDX (Software Package Data Exchange) обычно сочетает технические меры и операционные практики, как описано в определении выше.
Какие есть другие названия SPDX (Software Package Data Exchange)?
Распространённые альтернативные названия: Software Package Data Exchange, ISO/IEC 5962.
● Связанные термины
- appsec№ 1185
Software Bill of Materials (SBOM)
Формальный машиночитаемый перечень компонентов, библиотек и зависимостей, образующих программное обеспечение, с указанием версий и их связей.
- appsec№ 297
CycloneDX
An OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases.
- appsec№ 1328
VEX (Vulnerability Exploitability eXchange)
A machine-readable companion to the SBOM that tells consumers whether a listed CVE actually affects a given product — distinguishing 'present in the bill of materials' from 'reachable and exploitable'.
- appsec№ 1186
Безопасность цепочки поставок ПО
Дисциплина защиты каждого звена производства ПО — исходного кода, зависимостей, сборки, подписи, дистрибуции и деплоя — от вмешательства, вредоносного кода и потери целостности.
- ai-security№ 029
AI Bill of Materials (AIBOM)
Машиночитаемый перечень всех компонентов ИИ-системы — датасетов, базовых моделей, данных дообучения, библиотек, промптов и оценочных артефактов — используемый для безопасности, соответствия и подотчётности.
- appsec№ 1082
SCA (Software Composition Analysis)
Автоматический анализ open-source и сторонних компонентов приложения для выявления известных уязвимостей, лицензионных рисков и устаревших или опасных зависимостей.