惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threatpost
aimingoo的专栏
aimingoo的专栏
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
Tailwind CSS Blog
J
Java Code Geeks
博客园_首页
Google Online Security Blog
Google Online Security Blog
Hugging Face - Blog
Hugging Face - Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
I
Intezer
P
Palo Alto Networks Blog
V
Vulnerabilities – Threatpost
雷峰网
雷峰网
O
OpenAI News
SecWiki News
SecWiki News
小众软件
小众软件
酷 壳 – CoolShell
酷 壳 – CoolShell
美团技术团队
N
News | PayPal Newsroom
Project Zero
Project Zero
Forbes - Security
Forbes - Security
IT之家
IT之家
A
Arctic Wolf
WordPress大学
WordPress大学
Jina AI
Jina AI
T
Tor Project blog
博客园 - 三生石上(FineUI控件)
S
Secure Thoughts
Google DeepMind News
Google DeepMind News
Attack and Defense Labs
Attack and Defense Labs
博客园 - 聂微东
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
P
Privacy International News Feed
Cloudbric
Cloudbric
G
GRAHAM CLULEY
博客园 - 叶小钗
H
Hacker News: Front Page
腾讯CDC
量子位
Help Net Security
Help Net Security
人人都是产品经理
人人都是产品经理
C
Cyber Attacks, Cyber Crime and Cyber Security
月光博客
月光博客
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
宝玉的分享
宝玉的分享
爱范儿
爱范儿
L
Lohrmann on Cybersecurity
Hacker News - Newest:
Hacker News - Newest: "LLM"
Recorded Future
Recorded Future
C
CERT Recently Published Vulnerability Notes

2024 Sonatype Blog

Open Source, Open Infrastructure, and the Space Between Request for Comments: CARE and Maven Central Q2 2026 Open Source Malware Index AI Is Forcing a New Open Source Security Model Vulnerability Prioritization Is Missing the AI-Era Point The Hidden National Security Threat Inside AI-Driven Software Miasma Returns: Leo Platform Compromise in npm The Rise of Collective Defense for Open Source Signal Over Noise: Reachability Analysis Is the Reality Check SCA Has Been Missing Software Security Has to Start at Assembly easy-day-js Targets Mastra, Dependency Attacks Grow Open Publishing, Commercial Scale Software Dependency Cooldowns Are a Symptom, Not a Strategy Atomic Arch npm Campaign Adds Malicious Dependency Mythos Found 10,000 Vulnerabilities. The Bigger Challenge Is Fixing Them New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages Lazarus Group's Latest: Brandjacking Campaign on npm 5 Steps to Turn Your RMF Backlog Into a Continuous ATO: The CSRMC Migration Playbook The AI Race Is Becoming a Remediation Race Red Hat Cloud Services npm Packages Hijacked Inside a 176-Package npm Campaign Built to Beat Your Internal Dependencies AI Is Making Software Autonomous, and Governance Must Follow Your Outdated Repository Still Works, But It May Not Be Safe Hijacked npm Package Attempts to Deliver PolinRider-Linked RAT AppSec Tools Explained: SAST vs SCA vs DAST | Sonatype Managing Open Source Software Risks With the HeroDevs EOL Dashboard Shai-Hulud is Back: Maintainer Accounts Are Still the Soft Target Building Trusted AI Development With Kiro and Sonatype Guide How to Build a Software Supply Chain Security Playbook The Evolution of Open Source Malware: From Volume to Trust Abuse The Mythos AI Vulnerability Storm: What to Do Next Malicious PyTorch Lightning Packages Found on PyPI Why Developer Experience Is the Foundation of DevSecOps Success Open is Not Costless: Reclaiming Sustainable Infrastructure Q1 Updates in Nexus Repository: More Formats, Stronger Operations, and a Better Day-to-Day Experience Self-Propagating npm Malware Turns Trusted Packages Into Attack Paths The Time Is Now to Prepare for CRA Enforcement Sonatype Innovate: Real Peer Connections, Real Product Influence, Real Recognition Mythos and the AI Vulnerability Storm: Exploring the Control Point When AI Writes Code, Who Governs the Dependencies? Why Software Supply Chain Security Requires a New Playbook Q1 2026 Open Source Malware Index: Adaptive Attacks Exploit Trust Modernizing Nexus Repository: Moving Beyond OrientDB AI, DevSecOps, and the Future of Application Security: The Gartner® Report How Sonatype's Container Scanning Protects You From Zero-Days Axios Compromise on npm Introduces Hidden Malicious Package Is Your Repository Ready for What's Next? Autonomous Development and AI: Speed vs. Security Grounded Intelligence Ensures Safe AI Software Development Compromised litellm PyPI Package Delivers Multi-Stage Credential Stealer Golden Pull Requests: Automating Trusted Remediation Without Breaking Builds Sonatype Discovers Two Malicious npm Packages
From SBOMs to AI BOMs: Why SPDX 3.0 Matters
Andrew Garrett · 2026-06-10 · via 2024 Sonatype Blog

Software bill of materials (SBOM) strategies are rapidly evolving. What began as a way to track open source components for compliance and vulnerability management is quickly expanding into something much larger: a broader effort to understand, secure, and govern modern software supply chains.

At the same time, organizations are increasingly adopting AI-powered applications and exploring Artificial Intelligence Bills of Materials (AI BOMs) — which extend software transparency practices to AI systems, datasets, models, and decision logic.

The challenge is that modern software ecosystems are far more complex than traditional package inventories alone.

Applications today depend on:

  • Cloud services

  • APIs

  • Containers

  • Build systems

  • CI/CD pipelines

  • AI/ML models

  • Deployment infrastructure

  • Security attestations and provenance data

Traditional SBOM models were never designed to represent this level of complexity.

That's exactly why SPDX 3.0 matters. It gives organizations a more flexible, extensible way to describe software, security, build, dataset, and AI-related metadata as part of a broader supply chain transparency strategy. And it's why Sonatype SBOM Manager now supports SPDX 3.0.

SBOMs Are Growing Beyond Package Inventories

Historically, most SBOMs focused on answering a single question: "What components are included in this application?"

That was an important first step for software transparency.

But organizations today increasingly need answers to much larger questions:

  • How was this software built?

  • What services does it depend on?

  • What relationships exist between artifacts?

  • What AI models are embedded?

  • What evidence proves integrity and provenance?

  • How does software move through the development lifecycle?

Traditional SBOM formats weren't designed to model this level of complexity. SPDX 3.0 addresses these emerging requirements by extending software transparency beyond package inventories and creating a foundation for both SBOM and AI BOM initiatives.

SPDX 3.0 Reduces Operational Complexity

One of the most practical advantages of SPDX 3.0 is that it simplifies how organizations manage software transparency data.

In earlier SPDX versions, VEX (Vulnerability Exploitability eXchange) information typically existed as a separate document that lived alongside the SBOM itself.

That created additional operational overhead such as more files to manage, more artifacts to track, more opportunity for version drift, and more complexity during audits or investigations.

SPDX 3.0 changes this model by allowing VEX information to be embedded directly within the SBOM.

Instead of managing multiple disconnected artifacts, organizations can maintain a more complete and unified software transparency record in a single document.

This creates several advantages:

  • Fewer documents to track and maintain.

  • Reduced management overhead.

  • Improved consistency between SBOM and vulnerability context.

  • Lower risk of operational errors.

  • Simpler downstream automation and governance workflows.

For enterprises managing thousands of applications and software artifacts, this consolidation can significantly streamline SBOM operations.

Why This Matters for Enterprises

For many organizations, software transparency requirements are accelerating faster than their tooling strategies.

Security teams are facing increased pressure around:

  • Supply chain attacks

  • Provenance verification

  • Regulatory compliance

  • Vendor risk management

  • Open source governance

  • Software integrity validation

  • AI risk management and auditability

At the same time, modern development environments are becoming increasingly distributed and dynamic.

Organizations need more than visibility into components. They need context. SPDX 3.0 helps provide that context by enabling richer representations of software relationships, provenance, security data, and emerging AI BOM metadata within a unified framework.

SPDX 3.0 Expands SBOMs into AI BOM Transparency

Another major evolution in SPDX 3.0 is support for AI and machine learning systems.

Earlier SBOM standards were not designed to represent AI-specific metadata in meaningful ways. As organizations increasingly adopt AI-powered applications and embedded models, that limitation becomes more significant.

SPDX 3.0 introduces support for AI-related metadata such as:

  • Hyperparameters

  • Fine-tuning information

  • Dataset references

  • Explainability metadata

  • Decision thresholds

  • Energy consumption metrics

This represents an important shift.

Organizations increasingly need visibility not just into which AI components are being used, but how they are being used, trained, tuned, and operationalized.

The level of transparency in AI BOMs is becoming increasingly important for AI governance, regulatory readiness, model risk management, responsible AI initiatives, and enterprise auditability. SPDX 3.0 gives organizations a path to bring AI systems into the same governance conversations already happening around software supply chain security.

"What's Inside?" to "How Does It All Connect?"

This is the fundamental shift enabled by SPDX 3.0.

  • Before: SBOMs answered, "What packages are present?"

  • Now: Organizations can understand how software systems are connected. This richer context strengthens incident response, provenance validation, audit readiness, governance, zero-trust initiatives, and AI transparency.

What SPDX 3.0 Means for Sonatype SBOM Manager

With SPDX 3.0 support, Sonatype SBOM Manager evolves beyond centralized SBOM ingestion and governance. It becomes a platform for operationalizing software supply chain intelligence.

Organizations can now begin managing richer software metadata across:

  • Development pipelines

  • Security workflows

  • Compliance processes

  • Vendor ecosystems

  • Software lifecycle governance initiatives

Importantly, this does not require abandoning existing SBOM investments.

Most enterprises will continue operating in heterogeneous environments with multiple standards and formats. Sonatype SBOM Manager helps normalize and operationalize those workflows while enabling organizations to prepare for the future of software transparency.

Why Organizations Should Start Preparing Now

SPDX 3.0 adoption will not happen overnight. But the direction of the industry is becoming increasingly clear. Software supply chain security is moving toward:

  • Richer provenance

  • Stronger attestations

  • Lifecycle traceability

  • Interoperable metadata ecosystems

  • Broader artifact representation

  • Evolving compliance requirements

The Next Step for SBOM and AI BOM Readiness

By supporting SPDX 3.0, Sonatype SBOM Manager helps organizations prepare for that next phase, which enables richer interoperability, deeper lifecycle visibility, and future-ready software supply chain intelligence.

As SBOMs expand to include AI systems, datasets, provenance, security evidence, and more complex relationships, organizations need tools that can help them manage that complexity without slowing development. Sonatype SBOM Manager gives teams a practical foundation for doing exactly that.

Tags

software bill of materials Supply Chain Intelligence SBOM SPDX artificial intelligence SBOM Manager AI sonatype intelligence