SPDX 3.0 Revolutionizes Software Management in Systems with Enhanced Functionality and Streamlined Use Cases

Version 3.0 marks a significant advancement in the world's most widely used Software Bill of Materials (SBOM) communication format.

SEATTLE, April 16, 2024 /PRNewswire/ -- The SPDX community, in collaboration with the Linux Foundation, is thrilled to announce the release of SPDX 3.0. This milestone marks a significant advancement in the world's most widely used Software Bill of Materials (SBOM) communication format. SPDX 3.0 introduces a comprehensive set of updates, encompassing the model, specification, and license list, with the new addition of SPDX profiles to handle modern system use cases.

SPDX, published as a freely available ISO/IEC 5962:2021 standard, ensures that its governance adheres to the stringent quality requirements set by ISO. Version 3.0 of SPDX brings a complete overhaul of its core assets and will be submitted to ISO as an update. The model, spec, license list, and low-level tools have been upgraded to meet the evolving demands of the software industry. One of the most important features of SPDX 3.0 is the introduction of profiles, which serve as gateways, facilitating easy use of SPDX for specific use cases.

SPDX profiles offer a subset of information tailored for the most popular use cases, including security, software build attestation, precise licensing, AI model training and characterization, data set provenance, and more. This new addition improves the way SPDX is utilized, ensuring that it remains versatile and adaptable across a wide spectrum of system scenarios. Organizations leveraging SPDX will experience enhanced software package management, improved compliance with licensing obligations, streamlined security practices, and optimized software build processes. The profiles within SPDX 3.0 provide ready-to-use templates, empowering developers, security engineers, data scientists and legal professionals to leverage SPDX effortlessly for their specific use cases.

The development process of SPDX 3.0 has been community-driven, involving key industry experts, organizations, and open-source enthusiasts. The result is a convenient, user-centric SBOM format that caters to the diverse needs of the software ecosystem. By embracing SPDX 3.0, enterprises can confidently navigate the complex landscape of software supply chain management, ensuring transparency, security, and compliance throughout the development lifecycle. The standardized approach of SPDX empowers organizations to mitigate risks, build trust, and demonstrate their commitment to industry best practices.

SPDX continues to drive the future of software package management with SPDX 3.0. To learn more about SPDX and its new features, including how to get involved and participate in the community, please visit the official SPDX website.

View the full press release with supporting quotes.

About the Linux Foundation 

The Linux Foundation is the world's leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world's infrastructure including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds. 

Media Contact

Noah Lehman

The Linux Foundation

[email protected] 

SOURCE The Linux Foundation