
News & Announcements

Nov 6, 2023

Capturing Software Vulnerability Data in SPDX 3.0

The flexibility of SPDX 3.0 allows users to either link SBOMs to external security vulnerability data or to embed security vulnerability information in the SPDX 3.0 data format, thanks to support for a security-specific profile. This is different from SPDX version 2, which enabled users to link an SBOM to…

Oct 9, 2023

Understanding SPDX Profiles

On the surface, profiles are pretty straightforward: they are a way of organizing a specification that covers a broad array of use cases into “profiles” more specific to what a particular producer or consumer of SPDX data may be interested in.

Aug 9, 2023

Deciphering VEX and SPDX: A Deep Dive into Software Vulnerability Analysis and Reporting

In an enlightening YouTube presentation, Adolfo delved into the fascinating world of VEX and SPDX, detailing the implications of software vulnerabilities and how these can be tracked, assessed, and communicated. Understanding this process is pivotal for tech enthusiasts, software developers, and cybersecurity professionals, as it aids in managing software vulnerabilities…

Aug 2, 2023

A Step-by-Step Guide to Signing an SPDX SBOM with Sigstore’s Cosign

This post was written with the inestimable help of Luke Hinds of the Sigstore community, who helped review and edit it. As software supply chain security becomes increasingly important, organizations are looking for robust methods to verify the integrity and authenticity of their software components. One such approach is the…

Jul 25, 2023

Leveraging Profiles for License Compliance: Insights from SPDX Mini Summit

The SPDX Mini Summit, held at the Open Source Summit North America 2023, brought together industry experts to discuss the latest developments in open software at large. The focus of this year’s session, though, was the software supply chain. The SPDX Mini Summit was thus one of the highlights of the…