Software Package Data Exchange (SPDX) is an open standard (or format) for communicating software Bill of Materials (SBOM) information including components, licenses, copyrights, and security references. Using a standardized format for presenting this information ensures that it is consistent across industries and companies, which helps reduce reformatting efforts, makes it easier to share information, and streamlines compliance activities.
Learn how to identify the weak points in your software supply chain, and what tools and practices are necessary to address them.
Companies adopt SPDX to seamlessly communicate data about the components, licenses, and copyrights associated with their software packages. Giving and receiving information about software “ingredients” is made simple by the use of a standardized and machine-readable format.
Anyone can use it. Currently, its adoption is growing with both open source projects and organizations creating commercial software. With the increased standards around supply chain security resulting from President Biden’s executive order last year, adoption has continued to increase. SPDX is particularly useful for organizations that build software or operate enterprise software.
SPDX includes information that identifies the software package, the package level, and the file level licensing and copyright data. It also shows who created the file, and when and how. This information is critical for security and license compliance activities and requirements. Standard formatting also makes it easier to select standardized tooling, which makes security processes more efficient.
SPDX resolves requirements in EO 14028 pertaining to a software Bill of Materials. It provides a specific file format that identifies the software components within larger pieces of software and the licenses associated with their components.
More generally, SPDX also helps resolve common challenges.
SBOM generators are tools that can identify and inventory all software components within an application and produce them in a report (an SBOM). This report is formatted to comply with NTIA requirements.
Black Duck® is a multifactor open source scanning technology that provides the most complete and accurate view of open source in applications and containers. Our open source detection combines build process monitoring and file system scanning to track all open source in use, including components most solutions miss.
Black Duck is now making it easier for users to secure the software supply chain with an update to its SBOM export utility. The utility exports SPDX 2.2 and ISO standard ISO/IEC 5962:2021, which populates the fields necessary to comply with NIST standards, as referenced in Executive Order 14028.