The Linux Foundation, the Joint Development Foundation, and the SPDX community today announced that the Software Package Data Exchange (SPDX) specification has been published as ISO/IEC 5962:2021 and recognized as the international open standard for security, license compliance, and other software supply chain artifacts.
The standard is expected to address both President Biden’s Cybersecurity Executive Order and the outcomes of recent Big Tech meetings, as well as requirements in the EU, Asia/Pac and Middle East & Africa for tracking open source software components. It is also the second Linux Foundation standard to achieve this international designation; OpenChain was the first.
Between eighty and ninety percent (80%-90%) of a modern application is assembled from open source software components. A Software Bill of Materials (SBOM) accounts for the software components contained in an application — open source, proprietary, or third-party — and details their provenance, license, and security attributes. Producing and consuming SBOMs is a foundational practice for tracking and tracing components across software supply chains.
SBOMs also help to proactively identify software issues and risks, and establish a starting point for their remediation.
Intel, Microsoft, Siemens, Sony, Synopsys, VMware and Wind River are just a small sample of the companies already using SPDX to communicate SBOM information in policies or tools to ensure compliant, secure development across global software supply chains.