OpenSSF Brings SBOM and SDPX to Python

The Open Source Security Foundation's (OpenSSF) SBOM Everywhere plan goes live with funding for an SDPX Python library.

Sep 14th, 2022 11:23am by Steven J. Vaughan-Nichols

Featued image for: OpenSSF Brings SBOM and SDPX to Python

Dublin, Ireland — At Open Source Summit Europe, the Open Source Security Foundation (OpenSSF) announced that it had the funding needed to implement SBOM Everywhere, its plan to bring software bill of materials (SBOM) to all programming languages and frameworks, into Python.

The goal is to improve the resiliency and security of all open source software. Its first steps towards SBOM success came with funding work on the Software Package Data Exchange (SPDX) Python library. Work on the project started on September 1st.

SBOMs, SPDX and Python

SPDX is the ISO standard for describing SBOMs. While Python already had an SPDX library, it’s fallen out of date because of a lack of support. As I think we all know, most developers don’t like to work on security.

Josh Bressers, Anchore VP of Security and Kate Stewart SPDX Tech Lead, explained, “The SPDX python library needed updating to bring it in line with more modern versions of SPDX and turning the code into something that is easier to maintain to make community contributions less difficult. What the SPDX python library didn’t have was volunteers with the right skills or funding to get the work done. However, the OpenSSF did have funding that could accomplish this.”

Once that’s done, it will be much easier to create SBOMs for any Python program. And this, in turn, will make it much easier to secure from your code’s start of your development pipeline all the way to production. I like this plan.

OpenSSF Control

Just because the OpenSSF is paying for the code improvement doesn’t mean it will control the SPDX Python library. That’s not what this is about. The Python Software Foundation and Founder/President Guido van Rossum will still call the shots. The OpenSSF leadership is doing this because the work of securing all open source software, “is much bigger than just the OpenSSF and will benefit the entire open source community.”

Brian Behlendorf, the OpenSSF General Manager, said at the Summit that more languages would soon be getting the support they needed to add SBOMs as integral parts of their management development pipelines. It can’t come soon enough.

Steven J. Vaughan-Nichols, aka sjvn, has been writing about technology and the business of technology since CP/M-80 was the cutting-edge PC operating system, 300bps was a fast internet connection, WordStar was the state-of-the-art word processor, and we liked it.