SPDX (Software Package Data Exchange)
SPDX (Software Package Data Exchange) 是什么?
SPDX (Software Package Data Exchange)A Linux Foundation-maintained, ISO/IEC 5962-standardized open format for software bills of materials, originally focused on license metadata and now broadly used for SBOMs.
SPDX (Software Package Data Exchange) is an open BOM standard maintained by the Linux Foundation and ratified as ISO/IEC 5962 in 2021. It originated in 2010 to express software license information unambiguously across the supply chain and has since expanded to a full SBOM format covering components, relationships, file-level hashes, build metadata, security references, and AI/ML models (SPDX 3.0). SPDX SBOMs are typically serialized in JSON, YAML, RDF, or the original tag-value form. Together with CycloneDX, SPDX is one of the two formats explicitly named in U.S. CISA SBOM guidance and is the lingua franca of license compliance tooling — `fossology`, `scancode`, and most enterprise SCA platforms read and write it. SPDX 3.0, released in 2024, modularized the spec into profiles (Core, Software, Licensing, Security, Build, AI, Dataset), making it more competitive with CycloneDX for purely security-focused workflows.
● 示例
- 01
A Linux distribution publishes per-package SPDX documents containing SHA-256 file hashes and resolved SPDX license identifiers.
- 02
An OSS project's release pipeline emits both SPDX 3.0 and CycloneDX SBOMs so customers can ingest whichever their tooling supports.
● 常见问题
SPDX (Software Package Data Exchange) 是什么?
A Linux Foundation-maintained, ISO/IEC 5962-standardized open format for software bills of materials, originally focused on license metadata and now broadly used for SBOMs. 它属于网络安全的 应用安全 分类。
SPDX (Software Package Data Exchange) 是什么意思?
A Linux Foundation-maintained, ISO/IEC 5962-standardized open format for software bills of materials, originally focused on license metadata and now broadly used for SBOMs.
SPDX (Software Package Data Exchange) 是如何工作的?
SPDX (Software Package Data Exchange) is an open BOM standard maintained by the Linux Foundation and ratified as ISO/IEC 5962 in 2021. It originated in 2010 to express software license information unambiguously across the supply chain and has since expanded to a full SBOM format covering components, relationships, file-level hashes, build metadata, security references, and AI/ML models (SPDX 3.0). SPDX SBOMs are typically serialized in JSON, YAML, RDF, or the original tag-value form. Together with CycloneDX, SPDX is one of the two formats explicitly named in U.S. CISA SBOM guidance and is the lingua franca of license compliance tooling — `fossology`, `scancode`, and most enterprise SCA platforms read and write it. SPDX 3.0, released in 2024, modularized the spec into profiles (Core, Software, Licensing, Security, Build, AI, Dataset), making it more competitive with CycloneDX for purely security-focused workflows.
如何防御 SPDX (Software Package Data Exchange)?
针对 SPDX (Software Package Data Exchange) 的防御通常结合技术控制与运营实践,详见上方完整定义。
SPDX (Software Package Data Exchange) 还有哪些其他名称?
常见的别称包括: Software Package Data Exchange, ISO/IEC 5962。
● 相关术语
- appsec№ 1185
软件物料清单(SBOM)
以机器可读形式正式描述构成一款软件的组件、库与依赖项及其版本与关系的清单。
- appsec№ 297
CycloneDX
An OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases.
- appsec№ 1328
VEX (Vulnerability Exploitability eXchange)
A machine-readable companion to the SBOM that tells consumers whether a listed CVE actually affects a given product — distinguishing 'present in the bill of materials' from 'reachable and exploitable'.
- appsec№ 1186
软件供应链安全
保护软件生产链中每一个环节——源代码、依赖、构建、签名、分发与部署——使其免受篡改、恶意代码与完整性破坏的学科。
- ai-security№ 029
AI 物料清单(AIBOM)
对构成 AI 系统的每一项组件——数据集、基础模型、微调数据、依赖库、提示与评估制品——的机读清单,用于安全、合规与问责。
- appsec№ 1082
SCA(软件成分分析)
对应用使用的开源与第三方组件进行自动化分析,识别已知漏洞、许可证风险以及过时或高风险依赖。