SPDX 3.0 data fields
SPDX 3.0 is the latest version of the System Package Data Exchange specification, which standardizes the way software bill of materials (SBOM) information is communicated. Black Duck supports SBOMs in SPDX 3.0 format, providing detailed metadata for software packages, components, and associated security data.
More information on the data fields can be found on the SPDX specification page.
Enhanced vulnerability information
The SPDX 3.0 SBOM format now carries richer vulnerability information. Your reports include clear vulnerability identifiers (CVE or BDSA IDs), detailed scoring information through the CVSS assessment relationships, and explicit status indicators that show whether each vulnerability is affected, fixed, not affected, or under investigation. These enhancements let you give stakeholders comprehensive security insight while keeping the reports structured and easy to interpret.
What's included in your SBOM reports
Your SBOM reports now automatically filter vulnerabilities to show the most relevant information:
- Vulnerabilities marked as "Duplicate," "Ignored," or "New" are not included in the reports
- A vulnerability appears in your SBOM reports only after its status has been changed from "New" to another status
Your SPDX 3 reports include:
- Vulnerability identifiers (CVE or BDSA)
- Detailed scoring information
- Clear status indicators showing if vulnerabilities are affected, fixed, not affected, or under investigation
Vulnerability Class
Black Duck now includes the Vulnerability class in SPDX 3 reports with the following identifiers:
- CVE ID: Used when available
- BDSA ID: Used as an alternative when no CVE ID exists
This allows for clear identification of each vulnerability according to industry standards.
CVSS Assessment Relationships
To provide detailed scoring information, the following relationships have been added:
- CvssV2VulnAssessmentRelationship: Contains CVSS v2 scoring information
- CvssV3VulnAssessmentRelationship: Contains CVSS v3 scoring information
- CvssV4VulnAssessmentRelationship: Contains CVSS v4 scoring information
These relationships include the complete CVSS vector strings and scores, similar to the ratings section in CycloneDX.
Vulnerability Remediation Representation
SPDX 3 reports now include specific relationships to represent the remediation status of vulnerabilities:
- VexAffectedVulnAssessmentRelationship: Used for vulnerabilities with a "known affected" status, indicating the vulnerability is present and affects the component
- VexFixedVulnAssessmentRelationship: Used for vulnerabilities with a "fixed" status, indicating the vulnerability has been remediated
- VexNotAffectedVulnAssessmentRelationship: Used for vulnerabilities with a "known not affected" status, indicating the vulnerability does not affect the component
- VexUnderInvestigationVulnAssessmentRelationship: Used for vulnerabilities with an "under investigation" status, indicating the impact is still being assessed
These enhancements align with the SPDX 3.0.1 specification and provide you with more detailed information about vulnerabilities, their severity, and remediation status.
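The Vulnerability class, the CVSS assessment relationships, and the VEX status relationships described in the three sections above are all elements of the SBOM's JSON-LD @graph, linked by spdxId through the relationship's from and to properties. The Python script below is an added example, not Black Duck's own code: it reads a constructed SPDX 3.0.1 document, resolves each assessment relationship back to its Vulnerability element and target package, prefers the CVE ID and falls back to the BDSA ID, and produces one record per vulnerability/package pair with its CVSS scores and VEX status. Assumptions: type and property names follow the SPDX 3.0.1 JSON-LD serialization (Security-profile terms carry a security_ prefix); the externalIdentifierType chosen for the BDSA ID (securityOther) is an assumption, and every identifier, spdxId and package in the sample is a constructed placeholder.

```python
"""Read vulnerability data from an SPDX 3.0.1 JSON-LD SBOM (added example)."""
import json

# Assessment relationship types named in the text, mapped to the plain
# status or CVSS version a report consumer wants to see.
VEX_STATUS = {
    "security_VexAffectedVulnAssessmentRelationship": "affected",
    "security_VexFixedVulnAssessmentRelationship": "fixed",
    "security_VexNotAffectedVulnAssessmentRelationship": "not_affected",
    "security_VexUnderInvestigationVulnAssessmentRelationship": "under_investigation",
}
CVSS_VERSION = {
    "security_CvssV2VulnAssessmentRelationship": "v2",
    "security_CvssV3VulnAssessmentRelationship": "v3",
    "security_CvssV4VulnAssessmentRelationship": "v4",
}

# Constructed sample SBOM: one package, two vulnerabilities (one with a CVE,
# one with only a BDSA ID), each with a CVSS v3 assessment and a VEX status.
# CVE/BDSA numbers, spdxIds and the package are placeholders, not real records.
SAMPLE_SBOM = json.dumps({
    "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
    "@graph": [
        {"type": "software_Package", "spdxId": "urn:example:pkg-libfoo",
         "name": "libfoo", "software_packageVersion": "1.2.3"},
        {"type": "security_Vulnerability", "spdxId": "urn:example:vuln-1",
         "externalIdentifier": [{"type": "ExternalIdentifier",
                                 "externalIdentifierType": "cve",
                                 "identifier": "CVE-0000-0001"}]},
        {"type": "security_Vulnerability", "spdxId": "urn:example:vuln-2",
         # externalIdentifierType for a BDSA ID is an assumption of this example
         "externalIdentifier": [{"type": "ExternalIdentifier",
                                 "externalIdentifierType": "securityOther",
                                 "identifier": "BDSA-0000-0001"}]},
        {"type": "security_CvssV3VulnAssessmentRelationship",
         "spdxId": "urn:example:cvss-1", "relationshipType": "hasAssessmentFor",
         "from": "urn:example:vuln-1", "to": ["urn:example:pkg-libfoo"],
         "security_score": 7.5, "security_severity": "high",
         "security_vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
        {"type": "security_VexAffectedVulnAssessmentRelationship",
         "spdxId": "urn:example:vex-1", "relationshipType": "affects",
         "from": "urn:example:vuln-1", "to": ["urn:example:pkg-libfoo"],
         "security_actionStatement": "Upgrade libfoo to 1.2.4"},
        {"type": "security_CvssV3VulnAssessmentRelationship",
         "spdxId": "urn:example:cvss-2", "relationshipType": "hasAssessmentFor",
         "from": "urn:example:vuln-2", "to": ["urn:example:pkg-libfoo"],
         "security_score": 5.3, "security_severity": "medium",
         "security_vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},
        {"type": "security_VexNotAffectedVulnAssessmentRelationship",
         "spdxId": "urn:example:vex-2", "relationshipType": "doesNotAffect",
         "from": "urn:example:vuln-2", "to": ["urn:example:pkg-libfoo"],
         "security_justificationType": "vulnerableCodeNotPresent"},
    ],
})


def vulnerability_id(vuln):
    """CVE ID when present, otherwise the first other identifier (e.g. BDSA)."""
    ids = vuln.get("externalIdentifier", [])
    cves = [i["identifier"] for i in ids if i.get("externalIdentifierType") == "cve"]
    if cves:
        return cves[0]
    return ids[0]["identifier"] if ids else vuln.get("spdxId", "unknown")


def findings(sbom_json):
    """Join Vulnerability elements with their CVSS and VEX relationships.

    Returns one record per (vulnerability, package) pair, sorted by ID.
    """
    graph = json.loads(sbom_json)["@graph"]
    by_id = {e["spdxId"]: e for e in graph if "spdxId" in e}
    records = {}
    for el in graph:
        kind = el.get("type")
        if kind not in VEX_STATUS and kind not in CVSS_VERSION:
            continue
        vid = vulnerability_id(by_id.get(el["from"], {}))
        targets = el.get("to", [])
        if isinstance(targets, str):  # tolerate a single-valued "to"
            targets = [targets]
        for target in targets:
            pkg = by_id.get(target, {}).get("name", target)
            rec = records.setdefault((vid, pkg), {
                "vulnerability": vid, "package": pkg, "cvss": {},
                "status": None, "justification": None, "action": None})
            if kind in CVSS_VERSION:
                rec["cvss"][CVSS_VERSION[kind]] = {
                    "score": el.get("security_score"),
                    "severity": el.get("security_severity"),
                    "vector": el.get("security_vectorString")}
            else:
                rec["status"] = VEX_STATUS[kind]
                rec["justification"] = el.get("security_justificationType")
                rec["action"] = el.get("security_actionStatement")
    return [records[k] for k in sorted(records)]


def needs_action(sbom_json):
    """Findings still open for the consumer: affected or under investigation."""
    return [r for r in findings(sbom_json)
            if r["status"] in ("affected", "under_investigation")]


if __name__ == "__main__":
    for r in findings(SAMPLE_SBOM):
        v3 = r["cvss"].get("v3", {})
        print(f'{r["vulnerability"]} {r["package"]} status={r["status"]} '
              f'cvss3={v3.get("score")} {v3.get("vector")}')
```

The join is keyed on the relationship's from (the Vulnerability) and to (the assessed package) rather than on the vulnerability alone, because one CVE can carry different VEX statuses for different packages in the same SBOM. A consumer that only wants open items filters on the VEX status with needs_action; a not_affected record keeps its justificationType so the reason can be reviewed rather than silently dropped.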
