What's in your software? For many, this is a trick question. In our anonymized study of our On-Demand Audit Services customers, we found that, on average, companies were using 100% more open source than they originally believed. The consequences of such unawareness can be devastating. In that same study, we found an average of 22.5 open source component vulnerabilities in each application. This is in addition to any legal issues that may result from poorly documented use of open source. So how has such a dangerous practice become so commonplace?
A big part of the problem is the software industry does not effectively communicate the ingredients of its products. While in many industries ingredients labels or Bills of Materials are the norm, the tech sector has yet to broadly adopt the practice of communicating and demanding to know the full contents of its wares.
In an effort to make this communication possible, the Linux Foundation has proposed and advanced Software Package Data Exchange (SPDX) - an open, modular, and readily consumable data format for documenting the software supply chain. At Black Duck, we've been involved with the SPDX working group since its inception. I want to share why I believe more developers and companies will join Fujitsu, Intel, Qualcomm and many others in bringing SPDX into their development and release process.
SPDX is built on the World Wide Web Consortium's Resource Description Framework (RDF) standard. First published as a W3C recommendation in 1999, RDF enjoys broad support and tooling availability in virtually every language and platform in use today. Don't worry, you don't need to master the RDF spec to leverage the power of SPDX. There are plenty of tools, open-source and commercial (including Protex), that let you put it to work quickly and effectively.
While SPDX allows you to document your entire software supply chain, it doesn't require you to do that. In fact, if a component in your supply chain already has SPDX documentation elsewhere, you can reference that external SPDX documentation directly.
For easier reading, cross-platform open-source tools can convert SPDX into a human-friendly tag-value format, an HTML report, or a spreadsheet — a bird's eye view of your software component supply chain.
Because SPDX is based on RDF, it can be queried with SPARQL - the standard query language for linked data. Want to see all the components or files in your supply chain that are licensed under the GPL? Maybe just the ones that are under the GPL and statically linked into your package? Easy. Anything that can be recorded in SPDX can be queried from it, in a standard, cross-platform way using open-source tools.
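The two questions above, as an added example that is not Black Duck's or the SPDX project's own code: rather than SPARQL over the RDF form, it runs the same filters over the tag-value form mentioned earlier, using only Python's standard library. The SPDX document is constructed, and the `STATIC_LINK`/`DYNAMIC_LINK` relationship types and `PackageLicenseConcluded` tag are assumed from SPDX 2.x, which is newer than this post.

```python
"""Constructed SPDX 2.x tag-value excerpt (not a real product's SBOM) and two queries over it."""
import re
SPDX_DOC = """\
SPDXVersion: SPDX-2.2
PackageName: example-app
SPDXID: SPDXRef-App
PackageLicenseConcluded: MIT
PackageName: libfoo
SPDXID: SPDXRef-libfoo
PackageLicenseConcluded: GPL-2.0-only
PackageName: libbar
SPDXID: SPDXRef-libbar
PackageLicenseConcluded: GPL-3.0-or-later
PackageName: libbaz
SPDXID: SPDXRef-libbaz
PackageLicenseConcluded: Apache-2.0
Relationship: SPDXRef-App STATIC_LINK SPDXRef-libfoo
Relationship: SPDXRef-App DYNAMIC_LINK SPDXRef-libbar
Relationship: SPDXRef-App STATIC_LINK SPDXRef-libbaz
"""
GPL = re.compile(r"(?<![A-Z])GPL-\d")  # GPL-x.y, but not LGPL-/AGPL-

def parse_tag_value(text):
    """Return ({SPDXID: {tag: value}}, [(subject, type, object)])."""
    elements, relationships, current = {}, [], None
    for line in text.splitlines():
        tag, _, value = (s.strip() for s in line.partition(":"))
        if tag == "Relationship":
            relationships.append(tuple(value.split()))
        elif tag in ("PackageName", "FileName"):
            current = {tag: value}          # a new package/file element starts here
        elif tag == "SPDXID" and current is not None:
            elements[value] = current       # later tags keep filling `current`
        elif tag and current is not None:
            current[tag] = value
    return elements, relationships

def gpl_packages(text):
    """(name, license) for every package whose concluded license is a GPL version."""
    elements, _ = parse_tag_value(text)
    return sorted((e["PackageName"], e["PackageLicenseConcluded"]) for e in elements.values()
                  if "PackageName" in e and GPL.search(e.get("PackageLicenseConcluded", "")))

def gpl_static_links(text, root="SPDXRef-App"):
    """Subset of gpl_packages() that `root` statically links against."""
    elements, rels = parse_tag_value(text)
    return sorted((elements[obj]["PackageName"], elements[obj]["PackageLicenseConcluded"])
                  for subj, rtype, obj in rels
                  if subj == root and rtype == "STATIC_LINK" and obj in elements
                  and GPL.search(elements[obj].get("PackageLicenseConcluded", "")))
```

Note that libbar is reported by `gpl_packages` but not by `gpl_static_links`, because its relationship to the application is `DYNAMIC_LINK`.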
This coming Thursday, October 6, I'll be doing a presentation on the workings and features of SPDX at LinuxCon Europe in Berlin. I hope to see you there.