If software is an important part of your business and you need to comply with license terms and protect against security vulnerabilities, you need to know and track what is inside your software. Lists of software components and dependencies are typically referred to as Software Bills of Materials (SBOMs).
Standardizing the format for SBOMs can improve the accuracy and efficiency of managing software license compliance and security vulnerabilities, especially if your software came from a long list of suppliers. This is often the case with software that depends on a commercial library that uses an open source library that in turn includes source material from a different open source project. It is also becoming the norm for customers to expect their vendors to provide SBOMs, and having a standard in place makes that more efficient for all parties. Further, Executive Order 14028, "Improving the Nation's Cybersecurity," issued on May 12, 2021, means that the U.S. government will require software suppliers to produce SBOMs in a standard format.
Software Package Data Exchange (SPDX) is a standard format for SBOMs (ISO/IEC 5962:2021). Although it has been around for more than 10 years, it has evolved considerably, perhaps most significantly by extending into the representation of security vulnerabilities. A forthcoming major release will support several new use cases beyond vulnerability management, such as tracking the build process and recording data about artificial intelligence models.
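To make the supplier-chain scenario above concrete, here is an added example (not code from the original article or from the SPDX project) that builds a small, constructed SPDX 2.3 JSON document for a hypothetical application depending on a commercial SDK, which depends on an open source HTTP library, which in turn pulls in a third component. The packages, versions, licenses and the `https://example.invalid` namespace are all invented for illustration. The code walks the `DEPENDS_ON` relationships from the package the document `DESCRIBES`, checks that every relationship endpoint refers to a declared package, and flags any reachable component whose concluded license is not on an allow-list, which is the kind of license-compliance check an SBOM makes possible.

```python
"""Walk a constructed SPDX 2.3 JSON SBOM: resolve the transitive dependency chain
of the described application, detect dangling references, and flag components
whose concluded license is not on an allow-list. Standard library only."""
import json
from collections import deque

# Constructed sample SBOM. All package names, versions, licenses and the namespace
# are hypothetical; the field names follow the SPDX 2.3 JSON serialization.
SPDX_DOC = json.loads(r"""
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-app-sbom",
  "documentNamespace": "https://example.invalid/spdx/example-app-1.0",
  "creationInfo": {"created": "2024-01-01T00:00:00Z",
                   "creators": ["Tool: example-sbom-tool-0.1"]},
  "packages": [
    {"name": "example-app", "SPDXID": "SPDXRef-app", "versionInfo": "1.0",
     "downloadLocation": "NOASSERTION", "filesAnalyzed": false,
     "licenseConcluded": "Apache-2.0"},
    {"name": "vendor-sdk", "SPDXID": "SPDXRef-vendor-sdk", "versionInfo": "3.2",
     "downloadLocation": "NOASSERTION", "filesAnalyzed": false,
     "licenseConcluded": "LicenseRef-Vendor-Commercial"},
    {"name": "libhttp", "SPDXID": "SPDXRef-libhttp", "versionInfo": "2.7.1",
     "downloadLocation": "https://example.invalid/libhttp-2.7.1.tar.gz",
     "filesAnalyzed": false, "licenseConcluded": "MIT",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:generic/libhttp@2.7.1"}]},
    {"name": "libcompress", "SPDXID": "SPDXRef-libcompress", "versionInfo": "0.9",
     "downloadLocation": "NOASSERTION", "filesAnalyzed": false,
     "licenseConcluded": "GPL-3.0-only"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-app",
     "relationshipType": "DESCRIBES"},
    {"spdxElementId": "SPDXRef-app", "relatedSpdxElement": "SPDXRef-vendor-sdk",
     "relationshipType": "DEPENDS_ON"},
    {"spdxElementId": "SPDXRef-vendor-sdk", "relatedSpdxElement": "SPDXRef-libhttp",
     "relationshipType": "DEPENDS_ON"},
    {"spdxElementId": "SPDXRef-libhttp", "relatedSpdxElement": "SPDXRef-libcompress",
     "relationshipType": "DEPENDS_ON"}
  ]
}
""")


def packages_by_id(doc):
    """Index packages by their SPDX identifier."""
    return {pkg["SPDXID"]: pkg for pkg in doc.get("packages", [])}


def dependency_graph(doc):
    """Adjacency list built from DEPENDS_ON relationships (element -> related)."""
    graph = {}
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == "DEPENDS_ON":
            graph.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    return graph


def root_packages(doc):
    """Packages the document itself DESCRIBES: the top-level deliverable(s)."""
    return [rel["relatedSpdxElement"] for rel in doc.get("relationships", [])
            if rel["spdxElementId"] == doc["SPDXID"]
            and rel["relationshipType"] == "DESCRIBES"]


def transitive_dependencies(doc, root_id):
    """Breadth-first walk of DEPENDS_ON edges from root_id, in discovery order.
    The visited set guards against cycles in a malformed or circular graph."""
    graph = dependency_graph(doc)
    seen, order, queue = {root_id}, [], deque([root_id])
    while queue:
        current = queue.popleft()
        for dep in graph.get(current, []):
            if dep not in seen:
                seen.add(dep)
                order.append(dep)
                queue.append(dep)
    return order


def dangling_references(doc):
    """Relationship endpoints that name neither a declared package nor the document."""
    known = set(packages_by_id(doc)) | {doc["SPDXID"]}
    dangling = []
    for rel in doc.get("relationships", []):
        for key in ("spdxElementId", "relatedSpdxElement"):
            if rel[key] not in known and rel[key] not in dangling:
                dangling.append(rel[key])
    return dangling


def license_findings(doc, allowed_licenses):
    """(name, version, license) for every package reachable from a described root
    whose concluded license is absent, NOASSERTION, or outside the allow-list."""
    pkgs = packages_by_id(doc)
    findings = []
    for root in root_packages(doc):
        for pkg_id in [root] + transitive_dependencies(doc, root):
            pkg = pkgs.get(pkg_id)
            if pkg is None:
                continue  # reported separately by dangling_references()
            lic = pkg.get("licenseConcluded", "NOASSERTION")
            if lic not in allowed_licenses:
                findings.append((pkg["name"], pkg.get("versionInfo", ""), lic))
    return findings


if __name__ == "__main__":
    allow = {"Apache-2.0", "MIT", "BSD-3-Clause", "LicenseRef-Vendor-Commercial"}
    for root in root_packages(SPDX_DOC):
        print("root:", root, "->", transitive_dependencies(SPDX_DOC, root))
    print("dangling:", dangling_references(SPDX_DOC))
    print("license findings:", license_findings(SPDX_DOC, allow))
```

The walk deliberately uses only `DEPENDS_ON` edges; an SPDX document may carry many other relationship types (`CONTAINS`, `BUILD_TOOL_OF`, and so on), and which ones count as "inside your software" is a policy decision that belongs in the allow-list and graph-filter, not hard-coded. The dangling-reference check is worth running first on any supplier-provided SBOM: a relationship pointing at an undeclared package means the bill of materials is incomplete, and no downstream license or vulnerability query over it can be trusted.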