Backed by many of the world’s largest companies for more than a decade, the Software Package Data Exchange (SPDX) specification is now an internationally recognized ISO/IEC JTC 1 standard.
The Linux Foundation announced Thursday that the SPDX specification has been published as ISO/IEC 5962:2021. It is now the open standard for security, license compliance, and other software supply chain artifacts.
This comes during a transformational time for software and supply chain security.
ISO/IEC JTC 1 is an independent, non-governmental standards body based in Geneva. Its membership represents more than 165 national standards bodies. Its experts share knowledge and develop voluntary, consensus-based, market-relevant international standards that support innovation and provide solutions to global challenges.
With 90 percent of a modern application assembled from open-source software components, this is a significant win-win for the LF and open source.
Intel, Microsoft, Phillips, Sony, Texas Instruments, Synopsys, and VMware are among global companies using SPDX to communicate Software Bill of Materials (SBOM) information in policies or tools to ensure compliant, secure development across global software supply chains.
“SPDX plays an important role in building more trust and transparency in how software is created, distributed, and consumed throughout supply chains. The transition from a de facto industry standard to a formal ISO/IEC JTC 1 standard positions SPDX for dramatically increased adoption in the global arena,” Jim Zemlin, executive director, the Linux Foundation, told LinuxInsider.
Zemlin added that SPDX is now perfectly positioned to support international requirements for software security and integrity across the supply chain.
SBOM Big Deal for Open Source
Software security and trust are critical to our industry’s success, according to Melissa Evans, vice president for Software and Advanced Technology Group and General Manager of Strategy to Execution at Intel.
“Intel has been an early participant in the development of the SPDX specification and utilizes SPDX both internally and externally for a number of software use-cases,” she said.
SPDX evolved organically over the last 10 years through the collaboration of hundreds of companies, including the leading Software Composition Analysis (SCA) vendors. This makes it the most robust, mature, and adopted Software Bill of Materials standard.
Having an SBOM provides a listing of the software components contained in an application, whether the software is open-source, proprietary, or third-party. It details their quality, license, and security attributes.
SBOMs are used as a part of a foundational practice to track and trace components across software supply chains. SBOMs also help to proactively identify software component issues and risks. This, in turn, establishes a starting point for their remediation.
Key Adopters Pushed SPDX Adoption
Microsoft adopted SPDX as its SBOM format of choice for the software it produces, noted Adrian Diglio, principal program manager of software supply chain security at Microsoft.”SPDX makes it easy to produce U.S. Presidential Executive Order-compliant SBOMs, and the direction that SPDX is taking with the design of their next-gen schema will help further improve the security of the software supply chain,” he said.
SPDX is the essential common thread among tools under the Automating Compliance Tooling (ACT) Umbrella, added Rose Judge, ACT TAC chair and open-source engineer at VMware. It enables tools written in different languages and for different software targets to achieve coherence and interoperability around SBOM production and consumption.
“SPDX is not just for compliance, either. The well-defined and ever-evolving spec is also able to represent security and supply chain implications. This is incredibly important for the growing community of SBOM tools as they aim to thoroughly represent the intricacies of modern software,” said Judge.
The SPDX format greatly facilitates the sharing of software component data across the supply chain. Wind River has been providing a Software Bill of Materials to its customers using the SPDX format for the past eight years, observed Mark Gisi, Wind River Open Source Program Office director and OpenChain Specification chair.
“Often customers will request SBOM data in a custom format. Standardizing on SPDX has enabled us to deliver a higher quality SBOM at a lower cost,” he said.
For More Details
To learn more about how companies and open source projects are using SPDX, recordings from the “Building Cybersecurity into Software Supply Chain” Town Hall that was held Aug. 18, 2021 are available and can be viewed here.