SPDX is now official data standard for software bill of materials


The Software Package Data Exchange (SPDX), a file format and open standard used for more than a decade to document all the components in a piece of software, is now an internationally recognized standard for software bill of materials (SBOM).

The announcement comes at a notable time in the software security sphere. With countless organizations, including government agencies, hospitals, and mega corporations, reeling from targeted software supply chain attacks such as SolarWinds, U.S. President Biden issued an Executive Order back in May outlining key steps toward improving the nation’s cybersecurity. Securing open source software used within Federal information systems was a part of this Order, including:

…maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis.

Transparency is the name of the game here. And to achieve this, the Order outlined that all ICT companies working with Federal Government Agencies should provide a SBOM for each item used in the software stack.

This, essentially, means a full list of all proprietary and open source libraries, modules, and APIs. It also means outlining the relationship across all the components and dependencies. With this in place, it becomes easier to track and trace components used across the software supply chain, and identify inherent vulnerabilities.


Under the auspices of the Linux Foundation, SPDX had already emerged as a de facto SBOM for countless companies, including Microsoft, Intel, Siemens, Sony, Synopsys, VMware, and Wind River. But it has now been rubber-stamped by the International Organization for Standardization (ISO), the global organization that develops technical, industrial, and commercial standards.

This means that SPDX is now an official open standard data format for conveying all the software metadata information throughout the supply chain. It also fits into the broader governmental push toward SBOMs — Biden’s Executive Order specifically name-checked three existing data standards that would fit the bill, including CycloneDX, SWID tags, and SPDX.

“SPDX SBOMs make it easy to produce U.S. Presidential Executive Order compliant SBOMs, and the direction that SPDX is taking with the design of their next gen schema will help further improve the security of the software supply chain,” Adrian Diglio, Microsoft’s principal program manager of software supply chain security, noted in a press release.

