Definition
Software Package Data Exchange (SPDX) is an open standard (or format) for communicating software Bill of Materials (SBOM) information including components, licenses, copyrights, and security references. Using a standardized format for presenting this information ensures that it consistent across industries and companies, which helps reduce reformatting efforts, makes it easier to share information, and streamlines compliance activities.
Your Recipe for an Actionable SBOM
Learn how to identify the weak points in your software supply chain, and what tools and practices are necessary to address them.
How does SPDX work?
Companies adopt SPDX to seamlessly communicate data about the components, licenses, and copyrights associated with their software packages. Giving and receiving information about software “ingredients” is made simple by the use of a standardized and machine-readable format.
Who uses SPDX?
Anyone can use it. Currently, its adoption is growing with both open source projects and organizations creating commercial software. With the increased standards around supply chain security resulting from President Biden’s executive order last year, adoption has continued to increase. SPDX is particularly useful for organizations that build software or operate enterprise software.
What are the benefits of using SPDX?
SPDX includes information that identifies the software package, the package level, and the file level licensing and copyright data. It also shows who created the file, and when and how. This information is critical for security and license compliance activities and requirements. Standard formatting also makes it easier to select standardized tooling, which makes security processes more efficient.
Why is SPDX important?
SPDX resolves requirements in EO 14028 pertaining to a software Bill of Materials. It provides a specific file format that identifies the software components within larger pieces of software and the licenses associated with their components.
More generally, SPDX also helps resolve common challenges.
- SPDX addresses the licensing complications that can arise from the use of software and binaries received from suppliers.
- SPDX eliminates the need to create customized SBOMs. With a standardized format, everyone creates consistent documents, so there’s no need to spend time and effort reformatting.
- SPDX removes the need to define and create SBOM formats for both suppliers and consumers of software, freeing up resources and bandwidth.
What is an SBOM generator?
SBOM generators are tools that can identify and inventory all software components within an application and produce them in a report (an SBOM). This report is formatted to comply with NTIA requirements.
How can Synopsys help?
Black Duck® is a multifactor open source scanning technology that provides the most complete and accurate view of open source in applications and containers. Our open source detection combines build process monitoring and file system scanning to track all open source in use, including components most solutions miss.
Black Duck is now making it easier for users to secure the software supply chain with an update to its SBOM export utility. The utility exports SPDX 2.2 and ISO standard ISO/IEC 5962:2021, which populates the fields necessary to comply with NIST standards, as referenced in Executive Order 14028.
Related SBOM content
