SPDX Software Supply Chain Spec Becomes an ISO Standard

Alas, many of you haven’t heard of Software Package Data Exchange (SPDX). That’s a pity because SPDX is what’s going to save us from the misery of software supply chain attacks such as Solarwinds. Fortunately, while most of us haven’t been paying attention, the Linux Foundation and businesses such as Intel, Microsoft, and VMware, have been pushing it forward and now SPDX has become an International Standards Organization (ISO) standard: ISO/IEC 5962:2021.
It all started back in 2010, when, as Jim Zemlin, then and now the Linux Foundation‘s executive director explained there was a need for a standard way for companies to standardize their license and component information (metadata) in bills of material to ease the discovery and labeling of open-source components in their products.
Then, the concern was mainly about creating a vendor-neutral, non-commercial compliance program for open source licensing. While that’s still important, SPDX has also become the open standard for securing the Software Bill of Materials (SBOM) information in policies or tools to ensure compliant, secure development across global software supply chains.
“SPDX plays an important role in building more trust and transparency in how software is created, distributed, and consumed throughout supply chains. The transition from a de facto industry standard to a formal ISO/IEC JTC 1 standard positions SPDX for dramatically increased adoption in the global arena,” said Zemlin in a statement last week. “SPDX is now perfectly positioned to support international requirements for software security and integrity across the supply chain.”
And boy do we need this. That’s especially true of open source software. And, let’s face it, since 90% of modern applications are assembled from open source software components, this is essential. In addition, although SPDX’s SBOM was designed first for open source code and licenses, it lends itself equally well to proprietary or other third-party programs.
Armed with universal SBOMs we can track and trace components across software supply chains. This lets us much more easily identify software component issues and risks. It also gives us a starting point for remedying their licensing or security problems.
Software Composition Analysis (SCA) vendors have recognized this and have been adopting SPDX. SCA tools perform automated application codebase scans to identify their open source components, their license compliance data, and security vulnerabilities.
As Gartner pointed out recently in Technology Insight for Software Composition Analysis, “Organizations should mitigate risk by hardening their software supply chains. This includes an examination of both internally and externally sourced code (and supporting scripts, configuration files, and other artifacts) and the creation of an internal repository of trusted components. It also includes governing the use of external repositories.”
Therefore, Gartner predicted, “By 2024, the provision of a detailed, regularly updated software bill of materials by software vendors will be a non-negotiable requirement for at least half of enterprise software buyers, up from less than 5% in 2019.” I think it will be sooner. SPDX makes it possible and SolarWinds underlined in red just how important it is for us to know what’s what in our software supply chains.
Besides, as Oliver Fendt, Siemens’s senior manager of open source, pointed out, “It’s natural that SPDX [has become the] standard, as it’s been the de facto standard for a decade. This will make license compliance in the supply chain much easier, especially because several open source tools like FOSSology, ORT, scancode, and sw360 already support SPDX.”
Besides helping developers secure their code, SPDX makes good dollars and cents business sense. As Mark Gisi, Wind River Open Source Program Office Director and OpenChain Specification Chair, observed, “Standardizing on SPDX has enabled us to deliver a higher quality SBOM at a lower cost.”
If you want to benefit from SPDX too it’s high time for you to adopt it with your own code and testing. You’ll be glad you did.