SPDX: An Ingredients Label on Steroids

 SPDX: Ingredients Label on Steroids

What's in your software? For many, this is a trick question. In our anonymized study of our On-Demand Audit Services customers, we found that, on average, companies were using 100% more open source than they originally believed. The consequences of such unawareness can be devastating. In that same study, we found an average of 22.5 open source component vulnerabilities in each application. This is in addition to any legal issues that may result from poorly documented use of open source. So how has such dangerous practice become so commonplace? 

we found an average of 22.5 open source component vulnerabilities in each applicationA big part of the problem is the software industry does not effectively communicate the ingredients of its products. While in many industries ingredients labels or Bills of Materials are the norm, the tech sector has yet to broadly adopt the practice of communicating and demanding to know the full contents of its wares.

In an effort to make this communication possible, the Linux Foundation has proposed and advanced Sofware Package Data Exchange (SPDX) - an openmodular, and readily consumable data format for documenting the software supply chain. At Black Duck, we've been involved with the SPDX working group since its inception. I want to share why I believe more developers and companies will join FujitsuIntelQualcomm and many others in bringing SPDX into their development and release process.


SPDX is built on the World Wide Web Consortium's Resource Description Framework (RDF) standard. First published as a W3C recommendation in 1999, RDF enjoys broad support and tooling availability in virtually every language and platform in use today. Don't worry, you don't need to master the RDF spec to leverage the power of SPDX. There are plenty of tools, open-source and commercial (including Protex), that allow you to leverage it quickly and effectively.


While SPDX allows you to document your entire software supply chain, it doesn't require you to do that. In fact, if a component in your supply chain already has SPDX documentation elsewhere, you can reference that external SPDX documentation directly.


By humans

For easy readability, cross-platform, open-source tools can be used to convert SPDX into a human-friendly tag-value format, an HTML report, or a spreadsheet — for a bird's eye view of your software component supply chain.

By machines

Because SPDX is based on RDF, it can be queried with SPARQL - the standard query language for linked data. Want to see all the components or files in your supply chain that are licensed under the GPL? Maybe just the ones that are under GPL and statically linked to your package? Easy. All information that can be included into SPDX can be queried from SPDX, in a standard, cross-platform way using open-source tools.

Learn more!

This coming Thursday, October 6, I'll be doing a presentation on the workings and features of SPDX at LinuxCon Europe in Berlin. I hope to see you there.

The State of Open Source Security

Sorry we missed you! We close comments for older posts, but we still want to hear from you. Tweet @black_duck_sw to continue the discussion.


Power(Shell) to the People

| Feb 14, 2018

Type less, write cleaner scripts, run consistently across platforms, and other reasons why Linux and OS X users can fall in love with PowerShell. Earlier this year, PowerShell Core became generally available under an Open Source ( MIT) license. PowerShell is hardly a new technology. From its

| MORE >

#Nugate and the Reality of (Commercial) Open Source

| Aug 8, 2017

Note: this post is the opinion of its author and may not represent the views of Black Duck Software, its shareholders, and other employees. There was a small scandal in a small corner of the open source world last week (#nugate). A pull request was submitted to the Nuget Gallery project to add

| MORE >

Why People and Businesses Get Blindsided by Threats

| Jul 24, 2017

When Black Duck released the results of its 2017 Open Source Security and Risk Analysis, the results were deeply concerning. Among the audited applications, 96% utilized open source, of which 67% contained known vulnerabilities. On average, the identified vulnerabilities had been known for four

| MORE >