SPDX becomes a new standard for open source software and security


Backed by many of the world’s leading companies for over a decade, the Software Package Data Exchange (SPDX) specification is now an internationally recognized ISO/IEC JTC 1 standard.

The Linux Foundation announced on Thursday that the SPDX specification has been published as ISO/IEC 5962:2021. It is now the open standard for security, license compliance, and other software supply chain artifacts.

This comes at a time of transformation for software and supply chain security.

ISO/IEC JTC 1 is an independent, non-governmental standards body based in Geneva. Its members represent more than 165 national standards bodies. Its experts share their knowledge and develop voluntary, consensus-based and market-relevant international standards that support innovation and provide solutions to global challenges.

With 90% of a modern application assembled from open source software components, formal ISO recognition of SPDX is a huge advantage for the Linux Foundation and for open source.

Intel, Microsoft, Philips, Sony, Texas Instruments, Synopsys and VMware are among the global companies using SPDX to communicate Software Bill of Materials (SBOM) information in policies or tools to ensure compliant and secure development in global software supply chains.

“SPDX plays an important role in creating greater trust and transparency in how software is created, distributed and consumed throughout supply chains. The transition from a de facto industry standard to a formal ISO/IEC JTC 1 standard positions SPDX for significantly increased adoption on the global stage,” Jim Zemlin, executive director of the Linux Foundation, told LinuxInsider.

Zemlin added that SPDX is now perfectly positioned to meet international requirements for software security and integrity throughout the supply chain.

SBOM Big Deal for Open Source

Software security and trust are critical to the success of our industry, according to Melissa Evans, vice president of advanced software and technology group and general manager of strategy to execution at Intel.

“Intel was an early participant in the development of the SPDX specification and uses SPDX both internally and externally for a number of software use cases,” she said.

SPDX has evolved organically over the past 10 years through the collaboration of hundreds of companies, including leading software composition analysis (SCA) vendors. This makes it the most robust, mature, and widely adopted software nomenclature standard.

Having an SBOM provides a list of software components contained in an application, whether the software is open source, proprietary, or third-party. It details their quality, licensing, and security attributes.

SBOMs are used as part of a fundamental practice to track and trace components in software supply chains. SBOMs also help proactively identify software component issues and risks. This, in turn, establishes a starting point for their remediation.
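The two uses described above, tracing where a component sits in the supply chain and spotting component issues early, are easy to see on a concrete document. The following is an added example, not code from the article or from the SPDX project: it parses a small, hand-written SPDX 2.2 tag-value SBOM (the packages, versions, licenses and relationships are constructed), then runs a license allowlist check and a match against a constructed advisory list, reporting the DEPENDS_ON chain from the root package to each flagged component. The advisory identifier and the `libparse`/`libcompress` package names are placeholders.

```python
"""Parse a tiny SPDX 2.2 tag-value SBOM and run two checks over it:
a license-policy check and an advisory match with dependency tracing.
Everything here is constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed SPDX 2.2 tag-value document; names and versions are invented.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app
Created: 2021-09-10T00:00:00Z

PackageName: example-app
SPDXID: SPDXRef-app
PackageVersion: 1.0.0
PackageLicenseDeclared: Apache-2.0

PackageName: libparse
SPDXID: SPDXRef-libparse
PackageVersion: 2.3.1
PackageLicenseDeclared: MIT

PackageName: libcompress
SPDXID: SPDXRef-libcompress
PackageVersion: 0.9.4
PackageLicenseDeclared: GPL-3.0-only

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-app
Relationship: SPDXRef-app DEPENDS_ON SPDXRef-libparse
Relationship: SPDXRef-libparse DEPENDS_ON SPDXRef-libcompress
"""

@dataclass
class Package:
    spdx_id: str
    name: str = ""
    version: str = ""
    license_declared: str = "NOASSERTION"

@dataclass
class Sbom:
    packages: dict[str, Package] = field(default_factory=dict)
    relationships: list[tuple[str, str, str]] = field(default_factory=list)  # (src, type, dst)

def parse_tag_value(text: str) -> Sbom:
    """Minimal tag-value reader: PackageName opens a package section and the
    SPDXID that follows names it; document-level SPDXID is skipped."""
    sbom, current = Sbom(), None
    for line in text.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        tag, value = (s.strip() for s in line.split(":", 1))
        if tag == "PackageName":
            current = Package(spdx_id="", name=value)
        elif tag == "SPDXID" and current is not None and not current.spdx_id:
            current.spdx_id = value
            sbom.packages[value] = current
        elif tag == "PackageVersion" and current is not None:
            current.version = value
        elif tag == "PackageLicenseDeclared" and current is not None:
            current.license_declared = value
        elif tag == "Relationship":
            src, rel, dst = value.split()
            sbom.relationships.append((src, rel, dst))
    return sbom

def license_violations(sbom: Sbom, allowed: set[str]) -> list[str]:
    """SPDXIDs whose declared license is not on the organisation's allowlist."""
    return [p.spdx_id for p in sbom.packages.values() if p.license_declared not in allowed]

def dependency_path(sbom: Sbom, root: str, target: str) -> list[str] | None:
    """Depth-first walk over DEPENDS_ON edges; returns root -> ... -> target."""
    def walk(node: str, seen: set[str]) -> list[str] | None:
        if node == target:
            return [node]
        seen.add(node)
        for src, rel, dst in sbom.relationships:
            if src == node and rel == "DEPENDS_ON" and dst not in seen:
                rest = walk(dst, seen)
                if rest:
                    return [node] + rest
        return None
    return walk(root, set())

def version_tuple(v: str) -> tuple[int, ...]:
    return tuple(int(x) for x in re.findall(r"\d+", v))

# Constructed advisory feed: (package name, first fixed version, placeholder id).
ADVISORIES = [("libcompress", "0.9.5", "ADVISORY-PLACEHOLDER-1")]

def affected_components(sbom: Sbom, advisories=ADVISORIES) -> list[tuple[str, str, list[str]]]:
    """Match packages by name and version below the fix; attach the dependency
    chain from the package the document DESCRIBES so the owner can be found."""
    roots = [dst for _, rel, dst in sbom.relationships if rel == "DESCRIBES"]
    hits = []
    for pkg in sbom.packages.values():
        for name, fixed_in, adv_id in advisories:
            if pkg.name == name and version_tuple(pkg.version) < version_tuple(fixed_in):
                chain = next(filter(None, (dependency_path(sbom, r, pkg.spdx_id) for r in roots)), None)
                hits.append((adv_id, pkg.spdx_id, chain or [pkg.spdx_id]))
    return hits

if __name__ == "__main__":
    doc = parse_tag_value(SAMPLE_SBOM)
    print("license violations:", license_violations(doc, {"Apache-2.0", "MIT"}))
    print("affected components:", affected_components(doc))
```

The parser deliberately handles only the handful of tags the checks need; a production consumer should use a full SPDX library so that files, checksums and external references (package URLs, CPEs) are available for matching rather than package name alone.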

Key Adopters Drive SPDX Adoption

Microsoft has adopted SPDX as the SBOM format of choice for the software it produces, noted Adrian Diglio, senior software supply chain security program manager at Microsoft. takes with their next-generation schema design will help further improve software supply chain security,” he said.

SPDX is the essential common thread between tools under the Automating Compliance Tooling (ACT) umbrella, added Rose Judge, ACT TAC President and Open Source Engineer at VMware. It allows tools written in different languages and for different software targets to achieve consistency and interoperability around SBOM production and consumption.

“SPDX isn’t just for compliance either. The well-defined and ever-evolving specification is also capable of representing security and supply chain implications. This is hugely important to the growing SBOM tool community, as they aim to represent in detail the intricacies of modern software,” Judge said.

The SPDX format greatly facilitates the sharing of software component data throughout the supply chain. Wind River has been providing a software BOM to its customers using the SPDX format for eight years, observed Mark Gisi, director of Wind River’s open source program office and president of OpenChain specifications.

“Often customers request SBOM data in a custom format. Standardizing on SPDX has allowed us to deliver higher-quality SBOMs at lower cost,” he said.

For more details

To learn more about how companies and open source projects are using SPDX, recordings from the Building Cybersecurity into Software Supply Chain public meeting held on August 18, 2021 are available and can be viewed here.

