SPDX 3.1 is transforming from a flat bill of material scheme to a knowledge graph” that now covers hardware, supply-chain security and safety tests, and the 130+ crypto algorithms that are used on your data. The AI/Dataset profile added three must-have lines for every smart assistant—AI Agent, Prompt, and RAG so you can see exactly how your AI system (Basiic AI, GenAI and Agentic AI) was created
SPDX has also added a SPDX crypto lalgorithm list which is similar to the methodology and process that was used for the SPDX License list. There are over 130 algorithms that have been reviewed by the SPDX Working group
Demonstrate some newly available SPDX SBOM tools that can automate creating SBOM for existing AI system.
In this talk we will:
1. Show the ontology and how a single spdx:Element can simultaneously be:
hw:Chip (Hardware )
da:Requirement (Design-Assurance)
crypto:Algorithm (Cryptology)
sc:TransportEvent (Supply-Chain)
2. Show how to query the knowledge graph to:
“Return every AI model that was trained on dataset x deployed on a hardware y whose root-of-trust implements one of the 130 curated cryptographic algorithms, and that passed a functional-safety test required by CRA.”
3. Show how the new classes in AI/Dataset profile and relationship can document an Agentic AI system
4. Demonstrate how for CRA, ISO 42001, and FDA : where each regulation asks a different question, but all questions can be seen as graph walk(s).