SPDX 3.0 Revolutionizes Software Management in Systems with Enhanced Functionality and Streamlined Use Cases
The Linux Foundation | 16 April 2024
Version 3.0 marks a significant advancement in the world's most widely used Software Bill of Materials (SBOM) communication format.
SEATTLE, Washington – APRIL 16, 2024 – The SPDX community, in collaboration with the Linux Foundation, is thrilled to announce the release of SPDX 3.0. This milestone marks a significant advancement in the world's most widely used Software Bill of Materials (SBOM) communication format. SPDX 3.0 introduces a comprehensive set of updates, encompassing the model, specification, and license list, with the new addition of SPDX profiles to handle modern system use cases.
SPDX, published as a freely available ISO/IEC 5962:2021 standard, ensures that its governance adheres to the stringent quality requirements set by ISO. Version 3.0 of SPDX brings a complete overhaul of its core assets and will be submitted to ISO as an update. The model, spec, license list, and low-level tools have been upgraded to meet the evolving demands of the software industry. One of the most important features of SPDX 3.0 is the introduction of profiles, which serve as gateways, facilitating easy use of SPDX for specific use cases.
SPDX profiles offer a subset of information tailored for the most popular use cases, including security, software build attestation, precise licensing, AI model training and characterization, data set provenance, and more. This new addition improves the way SPDX is utilized, ensuring that it remains versatile and adaptable across a wide spectrum of system scenarios. Organizations leveraging SPDX will experience enhanced software package management, improved compliance with licensing obligations, streamlined security practices, and optimized software build processes. The profiles within SPDX 3.0 provide ready-to-use templates, empowering developers, security engineers, data scientists and legal professionals to leverage SPDX effortlessly for their specific use cases.
The development process of SPDX 3.0 has been community-driven, involving key industry experts, organizations, and open-source enthusiasts. The result is a convenient, user-centric SBOM format that caters to the diverse needs of the software ecosystem. By embracing SPDX 3.0, enterprises can confidently navigate the complex landscape of software supply chain management, ensuring transparency, security, and compliance throughout the development lifecycle. The standardized approach of SPDX empowers organizations to mitigate risks, build trust, and demonstrate their commitment to industry best practices.
SPDX continues to drive the future of software package management with SPDX 3.0. To learn more about SPDX and its new features, including how to get involved and participate in the community, please visit the official SPDX website.
Supporting Quotes
“Sharing information with our partners in a trusted and efficient way is a top priority for Arm, and standardizing the communication of SBOMs will build even greater trust across the technology ecosystem. The use of SPDX has already enabled us to transfer information more easily and through the SPDX community, we have been able to propose standard modifications to meet our evolving needs.”
– Matthew Crawford, Director of IP Compliance, Arm
“SPDX 3.0 is an exciting day for everyone who cares about software supply chain security, and I think everyone should care about software supply chain security. Because of SPDX 3.0, software producers and consumers (again, everyone!) can now benefit from a linked data format for SBOMs, which means better modeling of software components and licensing information. It's worth mentioning that Chainguard's hardened container images currently ship with SPDX SBOMs. Now it's only a matter of time until we ship SPDX 3.0 SBOMs.”
– John Speed Meyers, Head of Chainguard Labs, Chainguard
“EPAM has seen SPDX used by several of our clients in the automotive and telecom industries. Our engineering teams use the OSS Review Toolkit (ORT) to check best practices, licensing, and the security of their projects as well as to generate SPDX SBOMs. We also help our clients with their open source process and SBOM automation. We have been contributing to the SPDX 3.0 community to enable more use cases and enable better management of open source licensing and security, at scale and speed. We hope to be able to bring SPDX 3.0 to ORT so anyone can easily generate accurate SBOMs for their software projects and their dependencies.”
– Frank Viernau, Open Source Program Office, EPAM Systems, Inc.
“Huawei is committed to promoting open collaboration in software supply chain security, and SPDX is an important standard for SBOM in the open source community. In addition to composition identification in software code, we have also seen increasing interest in addressing open data provenance in this domain. Huawei has contributed a dozen AIBOM standard proposals to the SPDX community and collaborated with various industrial stakeholders to promote these standards across dozens of telecommunications enterprises. In addition, we have leveraged SPDX in the MindSpore large-scale model experience platform, called XiHe, enabling compliance throughout the dataset supply chain and facilitating the release of compliant datasets by partners in the computation ecosystem. Furthermore, we have developed open tooling covering License Assessment, License Recommendation and Dataset Review Assistant, to help the industry efficiently manage risks and improve collaboration. By advancing the SPDX standard, Huawei is contributing to the broader adoption and development of open source software.”
– King Gao, Huawei's SPDX Representative
“Software is critical infrastructure and therefore it is essential to secure the software supply chain. Intel embraces open international standards that help provide transparency and disclosure of security information, complying with emergent regulation. The release of SPDX version 3 is an important milestone, as its modular design allows for the recording of multiple facets of information on software components, including security and licensing. In support of the Open Ecosystem, Intel has and will continue to participate in the development of the SPDX specification and we look forward to the proliferation of Software Bills of Materials (SBOMs) to enhance the understanding of our software products and distributions.”
– Melissa Evers, Vice President, Software and Advanced Technology Group, General Manager of Strategy to Execution, Intel Corporation
“As the largest global software development platform, we believe that everyone should be able to use open source safely. We added SPDX exports to GitHub’s dependency graph to make it easy for developers to meet regulatory requirements, and we've seen enthusiastic adoption from the community in response. Increasing the transparency in the software supply chain is an important foundation to building a more secure world.”
– Justin Hutchings, Senior Director, Product Management, GitHub
“For over a decade Google's had an internal focus on dependency management and code provenance. Adoption of SPDX positions us to be able to share supply chain and software composition information with key partners including the US Federal Government, as we operationalize the requirements of Executive Order 14028. We're committed to the continued success of SPDX across the SBOM lifecycle including evolution of the standard itself and new open source capabilities for generation and reasoning about SBOMs at scale.”
– Isaac Hepworth, Group Product Manager, Software Supply Chain, Google
"Microsoft has been a long partner and contributor to the next gen SPDX schema and is eager to leverage the advancements and flexibility that the SPDX 3.0 schema brings through its ability to support different profiles. This allows for expressing Bill of Material information across many different software scenarios."
– Adrian Diglio, Principal PM Manager Secure Software Supply Chain (S3C), Microsoft
"MITRE is gratified to have been a part of the community effort in creating SPDX 3.0. This community revised and refocused SPDX from a software-specific bill of materials (BOMs) to a broader standard for capturing and conveying BOMs for a wide variety of system-level items. The group also changed its operations to adhere to a new governance approach that aligns with standards development governance methods and brings the Object Management Group (OMG) into the review process for the final model and specification. The community now is more impactful in securing BOMs."
– Bob Martin, Senior Principal Engineer, MITRE
“SPDX has provided an effective, market-ready software bill of materials specification for more than a decade. Since becoming an ISO/IEC standard in 2021, SPDX has continued to support industry growth through good management, and continues to be an open standard developed by an open community. With the launch of the next generation of this specification - SPDX 3.0 - the approach has evolved to encompass more use-cases in response to the market itself evolving. The value of a living standard cannot be overstated, and the potential for SPDX to enable better trust, record-keeping and accountability in the supply chain has grown in parallel with real-world needs.”
– Shane Coughlan, OpenChain General Manager
“SPDX 3.0 is a very significant advance in Bills of Materials for systems, adding support for AI, Data, Security and Build Systems. Through significant collaboration amongst dozens of organizations and individuals, the latest release significantly improves the flexibility and scalability for producers and consumers of SBOMs.”
– Gary O’Neall, CEO, Source Auditor Inc.
"SPDX provides a focal point allowing the wider community to clarify, standardize and improve code license management, meeting existing and future legislative requirements around licensing, security and SBOMs. The Yocto Project welcomes and embraces the new SPDX 3.0 standard as it builds upon previous versions and brings new advances. We look forward to delivering these to our developers, helping them meet their license and security needs."
– Richard Purdie, Yocto Project Architect, Linux Foundation Fellow
###
About the Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.
Media Contact
Noah Lehman
The Linux Foundation
nlehman@linuxfoundation.org