SPDX Becomes Internationally Recognized Standard for Software Bill of Materials
SAN FRANCISCO, Sept. 10, 2021 /PRNewswire=KYODO JBN/ --
Backed by many of the world's largest companies for more than a decade, SPDX
formally becomes an internationally recognized ISO/IEC JTC 1 standard during a
transformational time for software and supply chain security.
The Linux Foundation, Joint Development Foundation, and the SPDX community
today announced that the Software Package Data Exchange® (SPDX®) specification
has been published as ISO/IEC 5962:2021 (https://www.iso.org/standard/81870.html)
and recognized as the international open standard for security, license
compliance, and other software supply chain artifacts. ISO/IEC JTC 1 is an
independent, non-governmental standards body.
Intel, Microsoft, Siemens, Sony, Synopsys, VMware and Wind River are just a
small sample of the companies already using SPDX to communicate Software Bill
of Materials (SBOM) information in policies or tools to ensure compliant,
secure development across global software supply chains.
"SPDX plays an important role in building more trust and transparency in how
software is created, distributed and consumed throughout supply chains. The
transition from a de-facto industry standard to a formal ISO/IEC JTC 1 standard
positions SPDX for dramatically increased adoption in the global arena," said
Jim Zemlin, executive director, the Linux Foundation. "SPDX is now perfectly
positioned to support international requirements for software security and
integrity across the supply chain."
Between eighty and ninety percent (80%-90%) of a modern application is
assembled from open source software components. An SBOM accounts for the
software components contained in an application — open source, proprietary, or
third-party — and details their provenance, license, and security attributes.
SBOMs are used as a part of a foundational practice to track and trace
components across software supply chains. SBOMs also help to proactively
identify software issues and risks, and establish a starting point for their
remediation.
SPDX is the result of ten years of collaboration by representatives across
industries, including the leading Software Composition Analysis (SCA) vendors,
making it the most robust, mature, and widely adopted SBOM standard.
"As new use cases have emerged in the software supply chain over the last
decade, the SPDX community has demonstrated its ability to evolve and extend
the standard to meet the latest requirements. This really represents the power
of collaboration on work that benefits all industries," said Kate Stewart, SPDX
tech team co-lead. "SPDX will continue to evolve with open community input and
we invite everyone, including those with new use cases, to participate in
SPDX's evolution and securing the software supply chain."
For more information on how to participate in and benefit from SPDX, please
visit: https://spdx.dev.
To learn more about how companies and open source projects are using SPDX,
recordings from the "Building Cybersecurity into the Software Supply Chain"
Town Hall that was held on August 18th are available, and can be viewed at:
https://events.linuxfoundation.org/supply-chain-town-hall/
ISO/IEC JTC 1 is an independent, non-governmental international organization
based in Geneva, Switzerland. Its membership represents more than 165 national
standards bodies with experts who share knowledge and develop voluntary,
consensus-based, market relevant international standards that support
innovation and provide solutions to global challenges.
Supporting Comments
Intel
"Software security and trust are critical to our industry's success. Intel has
been an early participant in the development of the SPDX specification and
utilizes SPDX both internally and externally for a number of software
use-cases," said Melissa Evers, Vice President – Software and Advanced
Technology Group, General Manager of Strategy to Execution, Intel.
Microsoft
"Microsoft has adopted SPDX as our SBOM format of choice for software we
produce," says Adrian Diglio, Principal Program Manager of Software Supply
Chain Security at Microsoft. "SPDX SBOMs make it easy to produce U.S.
Presidential Executive Order compliant SBOMs, and the direction that SPDX is
taking with the design of their next gen schema will help further improve the
security of the software supply chain."
Siemens
"With ISO/IEC 5962:2021 we have the first official standard for metadata of
software packages. It's natural that SPDX is that standard, as it's been the de
facto standard for a decade. This will make license compliance in the supply
chain much easier, especially because several open source tools like FOSSology,
ORT, scancode and sw360 already support SPDX," said Oliver Fendt, senior
manager, open source at Siemens.
Sony
"The Sony team uses various approaches to managing open source compliance and
governance," says Hisashi Tamai, Senior Vice President, Deputy President of R&D
Center, Representative of the Software Strategy Committee, Sony Group
Corporation. "An example is the use of an OSS management template sheet that is
based on SPDX Lite, a compact subset of the SPDX standard. It is important for
teams to be able to quickly review the type, version and requirements of
software, and using a clear standard is a key part of this process."
Synopsys
"The Black Duck team from Synopsys has been involved with SPDX since its
inception, and I personally had the pleasure of coordinating the activities of
the project's leadership for more than a decade. Representatives from scores of
companies have contributed to the important work of developing a standard way
of describing and communicating the content of a software package," said Phil
Odence, General Manager, Black Duck Audits.
VMware
"SPDX is the essential common thread among tools under the Automating
Compliance Tooling (ACT) Umbrella. SPDX enables tools written in different
languages and for different software targets to achieve coherence and
interoperability around SBOM production and consumption. SPDX is not just for
compliance, either; the well-defined and ever-evolving spec is also able to
represent security and supply chain implications. This is incredibly important
for the growing community of SBOM tools as they aim to thoroughly represent the
intricacies of modern software," said Rose Judge, ACT TAC Chair and open source
engineer at VMware.
Wind River
"The SPDX format greatly facilitates the sharing of software component data
across the supply chain. Wind River has been providing a Software Bill of
Materials (SBOM) to its customers using the SPDX format for the past 8 years.
Often customers will request SBOM data in a custom format. Standardizing on
SPDX has enabled us to deliver a higher quality SBOM at a lower cost," said
Mark Gisi, Wind River Open Source Program Office Director and OpenChain
Specification Chair.
About SPDX
SPDX is an open standard for communicating software bill of materials
information, including provenance, license, security, and other related
information. SPDX reduces redundant work by providing common formats for
organizations and communities to share important data, thereby streamlining and
improving compliance, security, and dependability. For more information, please
visit us at spdx.org.
The Linux Foundation has registered trademarks and uses trademarks. For a list
of trademarks of The Linux Foundation, please see our trademark usage page:
https://www.linuxfoundation.org/trademark-usage. Linux is a registered
trademark of Linus Torvalds.
Media Contact
Jennifer Cloer
for the Linux Foundation
+1-503-867-2304
jennifer@storychangesculture.com
SOURCE: The Linux Foundation