The Linux Foundation Projects
Skip to main content

News & Announcements

Jul 9, 2024

Linux Foundation announces SPDX 3.0

In case you missed it, the Linux Foundation excitedly announced the latest version of SPDX. It's a great summary of the cool new architecture, use cases and features.    

Nov 6, 2023

Capturing Software Vulnerability Data in SPDX 3.0

The flexibility of SPDX 3.0 allows users to either link SBOMs to external security vulnerability data or to embed security vulnerability information in the SPDX 3.0 data format, thanks to support for a security-specific profile. This is different from SPDX version 2, which enabled users to link an SBOM to…

Oct 9, 2023

Understanding SPDX Profiles

On the surface, profiles are pretty straight forward - they are a way of organizing a specification that covers a broad array of use cases into “profiles” more specific to what a specific producer or consumer of SPDX data may be interested in. 

Aug 9, 2023

Deciphering VEX and SPDX: A Deep Dive into Software Vulnerability Analysis and Reporting

In an enlightening YouTube presentation, Adolfo delved into the fascinating world of VEX and SPDX, detailing the implications of software vulnerabilities and how these can be tracked, assessed, and communicated. Understanding this process is pivotal for tech enthusiasts, software developers, and cybersecurity professionals, as it aids in managing software vulnerabilities…

Aug 2, 2023

A Step-by-Step Guide to Signing an SPDX SBOM with Sigstore’s Cosign

This post was written with the inestimable help of Luke Hinds of the Sigstore community who heped review it and edit it. As software supply chain security becomes increasingly important, organizations are looking for robust methods to verify the integrity and authenticity of their software components. One such approach is the…