The Linux Foundation has announced that the Software Package Data Exchange (SPDX) specification has become an international standard, published as ISO/IEC 5962:2021, and is now recognized as the open standard for communicating software supply chain artifacts, including license compliance and security information.
Jim Zemlin, executive director of the Linux Foundation, stated:
SPDX plays an important role in building more trust and transparency in how software is created, distributed and consumed throughout supply chains. The transition from a de facto industry standard to a formal ISO/IEC JTC 1 standard positions SPDX for dramatically increased adoption in the global arena. SPDX is now perfectly positioned to support international requirements for software security and integrity across the supply chain.
VMware, Synopsys, Texas Instruments, Sony, Philips, Microsoft, and Intel are among the companies already using SPDX to exchange Software Bill of Materials (SBOM) data in their tools and policies, in support of secure and compliant development across global software supply chains. An SBOM lists the components that make up a piece of software, so it serves as the foundation for tracking and tracing those components through the supply chain, for identifying which components carry known problems or risks, and for determining where remediation should start.
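As an added example (not code from the article, the Linux Foundation or the SPDX project), the following Python script parses a small SPDX 2.2 tag-value SBOM, the document format standardised as ISO/IEC 5962:2021, and runs the two kinds of check the paragraph describes: matching each package's identifier and version against an advisory list and its concluded license against a policy deny-list, then following DEPENDS_ON relationships backwards to find the package where remediation would start. The SBOM text, the package names, the advisory ID ADV-EXAMPLE-0001 and the deny-list are all constructed for illustration and do not refer to real software or real vulnerabilities.

```python
"""Parse a constructed SPDX 2.2 tag-value SBOM (the format standardised as ISO/IEC 5962:2021)
and run two policy checks over it. Added example, not from the article or the SPDX project;
the SBOM, advisory list and license deny-list are constructed and hypothetical."""
import re

SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app-1.0
DocumentNamespace: https://example.invalid/spdx/example-app-1.0
Creator: Tool: example-sbom-generator-0.1
Created: 2021-09-01T00:00:00Z

PackageName: example-app
SPDXID: SPDXRef-Package-example-app
PackageVersion: 1.0.0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: Apache-2.0
PackageLicenseDeclared: Apache-2.0
PackageCopyrightText: NOASSERTION

PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 2.3.1
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:generic/libfoo@2.3.1

PackageName: libbar
SPDXID: SPDXRef-Package-libbar
PackageVersion: 0.9.0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-3.0-only
PackageLicenseDeclared: GPL-3.0-only
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:generic/libbar@0.9.0

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-example-app
Relationship: SPDXRef-Package-example-app DEPENDS_ON SPDXRef-Package-libfoo
Relationship: SPDXRef-Package-example-app DEPENDS_ON SPDXRef-Package-libbar
"""

# Hypothetical advisory feed (id -> purl without version, affected versions) and license policy.
ADVISORIES = {"ADV-EXAMPLE-0001": ("pkg:generic/libfoo", {"2.3.0", "2.3.1"})}
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}
TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")

def parse_spdx_tag_value(text):
    """Return (packages keyed by SPDXID, [(subject, type, object)] relationships)."""
    packages, relationships, cur = {}, [], None
    for line in text.splitlines():
        m = TAG_RE.match(line.strip())
        if not m:
            continue  # blank lines and free text
        tag, value = m.group(1), m.group(2).strip()
        if tag == "PackageName":
            cur = {"name": value, "purls": []}  # a new package section begins
        elif tag == "Relationship":
            relationships.append(tuple(value.split()))
        elif cur is None:
            continue  # document-level tags such as SPDXVersion or DocumentName
        elif tag == "SPDXID":
            cur["spdx_id"] = value
            packages[value] = cur
        elif tag in ("PackageVersion", "PackageLicenseConcluded"):
            cur[tag] = value
        elif tag == "ExternalRef" and value.split()[1:2] == ["purl"]:
            cur["purls"].append(value.split()[2])  # e.g. pkg:generic/libfoo@2.3.1
    return packages, relationships

def find_affected(packages, advisories=ADVISORIES):
    """(spdx_id, advisory_id) for every package whose purl and version an advisory lists."""
    return [(p["spdx_id"], adv) for p in packages.values() for purl in p["purls"]
            for adv, (adv_purl, bad) in advisories.items()
            if purl.partition("@")[0] == adv_purl and purl.partition("@")[2] in bad]

def find_license_violations(packages, denied=DENIED_LICENSES):
    return [p["spdx_id"] for p in packages.values() if p.get("PackageLicenseConcluded") in denied]

def dependents_of(relationships, spdx_id):
    """Walk DEPENDS_ON backwards: whatever pulls spdx_id in is where remediation starts."""
    return sorted(s for s, rel, o in relationships if rel == "DEPENDS_ON" and o == spdx_id)

def report(text=SAMPLE_SBOM):
    packages, relationships = parse_spdx_tag_value(text)
    lines = [f"{sid}: {adv}, pulled in by {', '.join(dependents_of(relationships, sid))}"
             for sid, adv in find_affected(packages)]
    return lines + [f"{sid}: license {packages[sid]['PackageLicenseConcluded']} denied by policy"
                    for sid in find_license_violations(packages)]

if __name__ == "__main__":
    print("\n".join(report()))
```

Matching on the purl from the ExternalRef rather than on PackageName is deliberate: the bare name is free text and collides across ecosystems, whereas the purl carries the ecosystem, name and version that an advisory feed keys on. A real deployment would replace the hypothetical ADVISORIES dict with a feed lookup and handle version ranges rather than an exact set.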
Melissa Evers, Vice President of the Software and Advanced Technology Group and General Manager of Strategy to Execution at Intel, commented:
Software security and trust are critical to our industry's success. Intel has been an early participant in the development of the SPDX specification and utilizes SPDX both internally and externally for a number of software use-cases.
SPDX is expected to help meet the software component tracking requirements of U.S. President Biden's Executive Order on Improving the Nation's Cybersecurity, as well as comparable requirements for tracking open source software components emerging in the EU, Asia-Pacific, and the Middle East and Africa.