While other domains like construction, mechanical engineering, or even computer hardware have long used the concept of Bill of Materials (BOMs), software traditionally has not followed this best practice. There have been efforts running for over a decade to address this, and recent developments have pushed forward the use and wide adoption of Software BOMs.
ISO/IEC 5962:2021 is the Software Package Data Exchange (SPDX) specification that defines a standard way of communicating information about software components. It includes, but is not limited to, metadata such as name and version but also licensing or security information.
In this talk, we will present the concepts of SBOMs, explain the real-world requirements met in areas like security and compliance, and describe the basic elements defined in SPDX.
2. Intel Confidential
Department or Event Name 3
SFScon 2022 3
Software is complex
• Nowadays almost always a combination of components
• 80 – 20 rule
Software Bill of Materials (SBOM)
An SBOM is a formal record containing details and supply chain relationships of components used in building software.
• Components include libraries and modules
• Components can be open source or proprietary
• Components can be freely available or paid
• Data can be widely available or access-restricted
Who should use an SBOM?
• Any organization concerned about better supporting their software products internally and better supporting their customers
• Different views
  • Produce / Consume (Use / Integrate)
• Commonly required as part of any product’s BOM, so necessary information is available:
  • Contractual – negotiated terms, implementation strategies
  • Legal – compliance with licensing and regulatory obligations
  • Technical – identification of software or component dependencies and supply chain risk, vulnerability and asset management
Why have an SBOM?
• Legal compliance
  • License obligations, Open Source or not
    • Comply with all obligations of all licenses of all components
    • Straightforward
      • But not trivial or easy
• Export
• Security
Why have an SBOM?
• Legal compliance
• Export
• Security
  • NTIA, FDA, NERC, ENISA
Most do not know what software is running
Dependency, by xkcd, CC-BY-NC-2.5
Need for a Bill of Materials
A comprehensive list of software components, with information on:
• Name       zlib               gcc
• License    Zlib license       GPLv3
• Version    1.2.11             11.2
• Origin     https://zlib.net   https://gcc.gnu.org
• …          “not modified”
Contents of a minimum viable SBOM
The Minimum Elements for an SBOM, by US Department of Commerce
Software Package Data Exchange – ISO/IEC 5962:2021
Standards for communicating the component and metadata information associated with software
• Specification
• License List
Working groups:
• Technical
• Legal
• Outreach
SPDX License List
List of (common) Open Source licenses
• Currently approximately 500 licenses and 45 exceptions
• For each one, a set of data fields: name, short identifier, canonical license text, reference URL, whether it is OSI approved, whether it is FSF libre, standard header text
Matching guidelines to determine whether a given text matches a license text
• Canonical license text is templatized
SPDX License List short identifiers
Authoritative list of names and short identifiers
• MIT, BSD-3-Clause, GPL-2.0-or-later, …
• Expressions
  GPL-2.0-only OR BSD-3-Clause
  EPL-2.0 OR MPL-2.0
Use of SPDX identifiers in source files
SPDX-License-Identifier: Apache-2.0
• Easy to use, machine-readable
• Just adds one comment line
• Makes it easy to know the license for a file
• Satisfies the DCO requirement for a license reference per file
• Concise standard format
• List of projects using it continuously expanding
  • Linux kernel, U-Boot, Zephyr, Eclipse projects, Poco, …
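As an added example (not part of the slides or of any SPDX project code), a small Python checker that ties the two previous slides together: it picks the SPDX-License-Identifier tag out of a file's header, evaluates the license expression against a policy allowlist (OR lets the consumer choose one branch, AND requires every branch, AND binds tighter than OR, parentheses override both), and flags files that carry no tag. The file contents and the allowlist are constructed inputs.

```python
import re
SAMPLE_FILES = {  # constructed header lines of four source files; three carry the tag
    "zlib/inflate.c": "/* SPDX-License-Identifier: Zlib */\n#include <stdio.h>\n",
    "lib/net.c": "// SPDX-License-Identifier: GPL-2.0-only OR BSD-3-Clause\n",
    "tools/ui.py": "# SPDX-License-Identifier: (EPL-2.0 OR MPL-2.0) AND MIT\n",
    "vendor/blob.c": "/* no license header at all */\n",
}
# Constructed policy: short identifiers a hypothetical project accepts for inbound code.
ALLOWLIST = {"MIT", "BSD-3-Clause", "Zlib", "Apache-2.0"}
TAG_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-() ]+?)\s*(?:\*/|$)", re.M)

def find_identifier(text, max_lines=5):
    """Return the license expression from a file's first lines, or None if absent."""
    m = TAG_RE.search("\n".join(text.splitlines()[:max_lines]))
    return m.group(1).strip() if m else None

def allowed(expr, allowlist):
    """True if the expression can be satisfied using only allowed licenses: OR lets the
    consumer pick one branch, AND requires every branch, and AND binds tighter than OR."""
    tokens = re.findall(r"\(|\)|[A-Za-z0-9.+\-]+", expr)
    def primary():
        tok = tokens.pop(0)
        if tok != "(":
            return tok in allowlist
        val = or_expr()
        if not tokens or tokens.pop(0) != ")":
            raise ValueError(f"unbalanced parentheses in {expr!r}")
        return val
    def and_expr():
        val = primary()
        while tokens[:1] == ["AND"]:
            tokens.pop(0)
            val = primary() and val              # call first so tokens are always consumed
        return val
    def or_expr():
        val = and_expr()
        while tokens[:1] == ["OR"]:
            tokens.pop(0)
            val = and_expr() or val
        return val
    result = or_expr()
    if tokens:
        raise ValueError(f"trailing tokens in {expr!r}")
    return result

def audit(files, allowlist):
    """Map each path to 'ok', 'blocked' (tag present but not acceptable) or 'missing'."""
    exprs = {path: find_identifier(text) for path, text in files.items()}
    return {p: "missing" if e is None else "ok" if allowed(e, allowlist) else "blocked"
            for p, e in exprs.items()}
```

Run `audit(SAMPLE_FILES, ALLOWLIST)` to see one file blocked by an AND branch and one flagged for having no tag at all; license exceptions (`WITH`) are not handled by this parser.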
SPDX Documents
Collecting all information about a software delivery
• Descriptive
  • Detailed Bill of Materials (aka manifest) of the software contents
• Flexible
  • Formats for automatic processing (XML, JSON, YAML), for manual editing (tag:value), and for non-technical users (spreadsheet)
• Accurate
  • Focus on capturing facts; allow interpretations
In development: SPDX 3.0
• Major undertaking
• Abstracted information to be more widely useful
• Refactored to CORE and PROFILEs
  • CORE is the minimum needed to describe artifacts and relationships
  • PROFILEs for each Area of Interest: Licensing, Vulnerabilities, Provenance, …
Types of tools
• Produce
  • While building
  • By analyzing
• Consume
  • View
  • Analyze
  • Compare
• Transform
  • Translate
  • Merge
Tools overview
• Licensed under:
  • Open Source
  • Proprietary
• Level:
  • Libraries
  • Purpose-specific
  • Complete applications
  • Integrated environments
• List keeps expanding…
Participate!
All information on https://spdx.dev and https://github.com/spdx
Teams
• Technical
• Legal
• Outreach
• Mailing lists
• Meetings
• GitHub
Groups
• AI
• Build
• Data
• Defects
• Functional Safety
• Licensing