OpenSSF Brings SBOM and SPDX to Python

Dublin, Ireland — At Open Source Summit Europe, the Open Source Security Foundation (OpenSSF) announced that it had the funding needed to start on SBOM Everywhere, its plan to bring software bills of materials (SBOMs) to all programming languages and frameworks, beginning with Python.
The goal is to improve the resiliency and security of all open source software. Its first step toward that goal was to fund work on the Software Package Data Exchange (SPDX) Python library. Work on the project started on September 1st.
SBOMs, SPDX and Python
SPDX is an ISO/IEC standard (ISO/IEC 5962:2021) for describing SBOMs. While Python already had an SPDX library, it had fallen out of date for lack of maintainers. As I think we all know, most developers don't like to work on security.
Josh Bressers, Anchore VP of Security, and Kate Stewart, SPDX Tech Lead, explained, "The SPDX Python library needed updating to bring it in line with more modern versions of SPDX and turning the code into something that is easier to maintain to make community contributions less difficult. What the SPDX Python library didn't have was volunteers with the right skills or funding to get the work done. However, the OpenSSF did have funding that could accomplish this."
Once that's done, it will be much easier to create SBOMs for any Python program. And this, in turn, will make it much easier to know exactly which dependencies you are shipping, from the start of your development pipeline all the way to production. I like this plan.
OpenSSF Control
Just because the OpenSSF is paying for the code improvement doesn't mean it will control the SPDX Python library. That's not what this is about. The Python Software Foundation and Python's creator, Guido van Rossum, will still call the shots. The OpenSSF leadership is doing this because the work of securing all open source software "is much bigger than just the OpenSSF and will benefit the entire open source community."
Brian Behlendorf, the OpenSSF General Manager, said at the Summit that more languages would soon be getting the support they need to make SBOMs an integral part of their package management and development pipelines. It can't come soon enough.