SBOMs and SPDX: Now and in the Future

If software is an important part of your business and you need to comply with license terms and protect against security vulnerabilities, you need to know and track what is inside your software. Lists of software components and dependencies are typically referred to as Software Bills of Materials (SBOMs). Standardizing the format for SBOMs can improve the accuracy and efficiency for managing software license compliance and security vulnerabilities – especially if your software is the result of a long list of suppliers (e.g., a commercial product which depends on a commercial library which uses an open-source library which includes source from a different open-source project). With the May 12, 2021 U.S. Presidential Executive Order on Improving the Nations Cyber Security, several software suppliers are being required to produce their SBOMs in a standard format. SPDX is a standard format for SBOMs. Although it has been around for more than 10 years, it has gone through some significant evolution such representing data on security vulnerabilities. There is a forthcoming major release which supports several new use cases such as tracking the build process and tracking data about artificial intelligence models. In this talk, we will start with how you can use the widely adopted SPDX 2.3 spec to represent security vulnerability and license compliance data and then go into some of the new features of the SPDX 3.0 specification. We will touch on what goes into making a quality SBOM. At the conclusion of the talk, you will have a better understanding how you can make use of SPDX whether you are producing software or evaluating software you use (or plan to use).