ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

SPDX-3-0

SPDX 3.0 SBOM modular profiles JSON-LD 2024.

Definition

SPDX 3.0 profiles: (1) Core: foundational concepts (Element, Identifier, Hash, ExternalRef). (2) Software: packages, files, snippets, licenses (SPDX License List 600+ licenses), relationships (DEPENDS_ON, DESCRIBES, CONTAINS, etc.). (3) Security: vulnerabilities + VEX (similar CycloneDX). (4) AI: AI/ML model bill of materials (AIBOM), datasets, model parameters, hyperparameters, biases. (5) Dataset: data lineage, ML training datasets metadata. (6) Build: build provenance (similar SLSA Provenance + CycloneDX Formulations). (7) Lite: lightweight subset for embedded systems. Serialization formats: JSON-LD (primary 3.0), RDF/Turtle, RDF/XML (vs SPDX 2.x JSON/YAML/XML/RDF/Tag-value). License List: ~600+ SPDX license identifiers (Apache-2.0, MIT, GPL-3.0, BSD-3-Clause, etc.) recognized standard. Adoption: Linux distributions historically (Debian dpkg includes SPDX) ~40% SBOM 2024, US Executive Order 14028 reference SPDX format, EU CRA SBOM SPDX or CycloneDX acceptable.

Origin

SPDX initiated 2010 by Linux Foundation ; SPDX 2.0 published 2015 ; SPDX 2.3 published 2022 ; ISO/IEC 5962:2021 standardized SPDX 2.2.1 ; SPDX 3.0 published April 2024 ; ~40% SBOM 2024.

Example in context

Apache Tomcat 11 release: project Maven Build Plugin SPDX Maven Plugin generates SPDX 3.0 JSON-LD SBOM listing all dependencies (Java libraries Spring Framework 6, Hibernate, etc.), declared licenses Apache-2.0 + EPL-2.0 + MIT for dependencies, publishes SBOM alongside .tar.gz release artifacts.

Last updated: May 16, 2026