SPDX: An Ingredients Label on Steroids

 SPDX: Ingredients Label on Steroids

What's in your software? For many, this is a trick question. In our anonymized study of our On-Demand Audit Services customers, we found that, on average, companies were using 100% more open source than they originally believed. The consequences of such unawareness can be devastating. In that same study, we found an average of 22.5 open source component vulnerabilities in each application. This is in addition to any legal issues that may result from poorly documented use of open source. So how has such dangerous practice become so commonplace? 

we found an average of 22.5 open source component vulnerabilities in each applicationA big part of the problem is the software industry does not effectively communicate the ingredients of its products. While in many industries ingredients labels or Bills of Materials are the norm, the tech sector has yet to broadly adopt the practice of communicating and demanding to know the full contents of its wares.

In an effort to make this communication possible, the Linux Foundation has proposed and advanced Sofware Package Data Exchange (SPDX) - an openmodular, and readily consumable data format for documenting the software supply chain. At Black Duck, we've been involved with the SPDX working group since its inception. I want to share why I believe more developers and companies will join FujitsuIntelQualcomm and many others in bringing SPDX into their development and release process.


SPDX is built on the World Wide Web Consortium's Resource Description Framework (RDF) standard. First published as a W3C recommendation in 1999, RDF enjoys broad support and tooling availability in virtually every language and platform in use today. Don't worry, you don't need to master the RDF spec to leverage the power of SPDX. There are plenty of tools, open-source and commercial (including Protex), that allow you to leverage it quickly and effectively.


While SPDX allows you to document your entire software supply chain, it doesn't require you to do that. In fact, if a component in your supply chain already has SPDX documentation elsewhere, you can reference that external SPDX documentation directly.


By humans

For easy readability, cross-platform, open-source tools can be used to convert SPDX into a human-friendly tag-value format, an HTML report, or a spreadsheet — for a bird's eye view of your software component supply chain.

By machines

Because SPDX is based on RDF, it can be queried with SPARQL - the standard query language for linked data. Want to see all the components or files in your supply chain that are licensed under the GPL? Maybe just the ones that are under GPL and statically linked to your package? Easy. All information that can be included into SPDX can be queried from SPDX, in a standard, cross-platform way using open-source tools.

Learn more!

This coming Thursday, October 6, I'll be doing a presentation on the workings and features of SPDX at LinuxCon Europe in Berlin. I hope to see you there.

The State of Open Source Security

Sorry we missed you! We close comments for older posts, but we still want to hear from you. Tweet @black_duck_sw to continue the discussion.


.NET Component Vulnerability Analysis in Production

| May 9, 2017

  At Black Duck, we’ve been excited to participate in the flurry of growth in the .NET ecosystem. Our Visual Studio Extension helps developers detect open source risks early, when it is easiest and most cost-effective to eliminate them. However, in some cases, a Visual Studio project or any build

| MORE >

How to Get Developers to Adopt Your Product

| Apr 20, 2017

This post was originally published on the Red Hat Developers blog. Recently, I participated in a focus group where developers were asked to discuss how they make technology adoption decisions. Even “the big guys” seem unsure of how to get developers to notice and adopt their products. So, in this

| MORE >

Tackling Visibility in Microservices

| Feb 23, 2017

Are modern enterprise software architectures doomed to produce suboptimal processes and outcomes? Today, enterprise architects value componentization perhaps more than ever before, given the mass glorification of microservices. Microservices are loosely defined as isolated, independent components

| MORE >