In use for a decade as the de facto standard for communicating software bills of materials, SPDX formally becomes the internationally recognized ISO/IEC JTC 1 standard.
The Linux Foundation announced Thursday the Software Package Data Exchange (SPDX) specification has been published as ISO/IEC 5962:2021 and recognized as the open standard for security, license compliance and other software supply chain artifacts.
Software bills of materials are used to communicate information in policies or tools to ensure compliant, secure development across global software supply chains.
“SPDX plays an important role in building more trust and transparency in how software is created, distributed and consumed throughout supply chains,” said Jim Zemlin, executive director, the Linux Foundation, in a press release. “The transition from a de-facto industry standard to a formal ISO/IEC JTC 1 standard positions SPDX for dramatically increased adoption in the global arena. SPDX is now perfectly positioned to support international requirements for software security and integrity across the supply chain.”
SEE: 5 Linux server distributions you should be using (TechRepublic Premium)
ISO/IEC JTC 1 is an independent, non-governmental international organization based in Geneva, Switzerland.
Because most applications today are assembled using open source software, a SBOM accounts for the software components contained in an application and details their provenance, license and security attributes. This accounting helps organizations track and trace components across the software supply chain so they can identify issues, risks and establish starting points for their remediation if necessary.
The transparency provided by an SBOM is particularly helpful in thwarting cyberattacks, said Kate Stewart, vice president of Dependable Embedded Systems at the Linux Foundation.
“An SBOM makes it easier to summarize the software that is actually running on a system,” she said. “Improving the transparency of the software running on a system, enables automatic detection if there is a vulnerability and cross references to vulnerability databases on an as needed basis.”
SPDX evolved organically over the last 10 years through the collaboration of hundreds of companies, making it the most mature and adopted SBOM standard, the Linux Foundation said.
SEE: Rust: What developers need to know about this programming language (free PDF) (TechRepublic)
The new standard will make supply chain licensing compliance easier, as well, because open source tools like FOSSology, ORT, scancode and sw360 already support SPDX, said Oliver Fendt, senior manager, open source at Siemens, in a statement.
“SPDX is the essential common thread among tools under the automating compliance tooling (ACT) Umbrella. SPDX enables tools written in different languages and for different software targets to achieve coherence and interoperability around SBOM production and consumption. SPDX is not just for compliance, either; the well-defined and ever-evolving spec is also able to represent security and supply chain implications. This is incredibly important for the growing community of SBOM tools as they aim to thoroughly represent the intricacies of modern software,” said Rose Judge, ACT TAC chair and open source engineer at VMware, in a statement.
Information on how to participate in and benefit from SPDX can be found at https://spdx.dev. More information on how companies and open source projects are using SPDX, can be found at https://events.linuxfoundation.org/supply-chain-town-hall/.