Software Bills of Materials (SBOM)

An idea reaching maturity through standards
While other domains like construction, mechanical engineering, or even computer hardware have long used the concept of Bills of Materials (BOMs), software traditionally has not followed this best practice. Efforts to address this have been running for over a decade, and recent developments have pushed the use and wide adoption of software BOMs forward.

ISO/IEC 5962:2021 is the Software Package Data Exchange (SPDX) specification (SPDX version 2.2.1), which defines a standard way of communicating information about software components. This includes, but is not limited to, metadata such as name and version, as well as licensing and security information.
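To make the basic elements concrete, the following is an added example (not code from the talk or from the SPDX project) that builds a minimal SPDX 2.2 document in its JSON serialisation, runs the sanity checks a consumer would want before trusting it, and pulls out the identifiers a vulnerability scanner matches on. Every component name, version, namespace, purl and CPE in it is constructed for illustration; the field names and the mandatory-field list follow the SPDX 2.2 specification.

```python
"""Minimal SPDX 2.2 (ISO/IEC 5962:2021) document in JSON form, built and
sanity-checked with the Python standard library only.  Added illustration:
the component names, versions, namespace and identifiers are constructed."""
import json
from datetime import datetime, timezone

SPDX_VERSION = "SPDX-2.2"
DOC_ID = "SPDXRef-DOCUMENT"
# External reference categories defined by SPDX 2.2 (hyphenated spellings).
VALID_REF_CATEGORIES = {"SECURITY", "PACKAGE-MANAGER", "PERSISTENT-ID", "OTHER"}
# Fields SPDX 2.2 makes mandatory at document and package level.
REQUIRED_DOC_FIELDS = ("spdxVersion", "dataLicense", "SPDXID", "name",
                       "documentNamespace", "creationInfo")
REQUIRED_PKG_FIELDS = ("SPDXID", "name", "downloadLocation")


def make_package(spdx_id, name, version, license_id, purl=None, cpe=None):
    """One package entry: identity, licensing, and the external references
    (purl, CPE) that let a scanner match the component against advisories."""
    refs = []
    if purl:
        refs.append({"referenceCategory": "PACKAGE-MANAGER",
                     "referenceType": "purl", "referenceLocator": purl})
    if cpe:
        refs.append({"referenceCategory": "SECURITY",
                     "referenceType": "cpe23Type", "referenceLocator": cpe})
    return {"SPDXID": spdx_id, "name": name, "versionInfo": version,
            "downloadLocation": "NOASSERTION", "filesAnalyzed": False,
            "licenseConcluded": license_id, "licenseDeclared": license_id,
            "copyrightText": "NOASSERTION", "externalRefs": refs}


def make_document(name, namespace, packages, root_pkg_id, depends):
    """Assemble the document; `depends` is a list of (from_id, to_id) pairs."""
    rels = [{"spdxElementId": DOC_ID, "relationshipType": "DESCRIBES",
             "relatedSpdxElement": root_pkg_id}]
    rels += [{"spdxElementId": a, "relationshipType": "DEPENDS_ON",
              "relatedSpdxElement": b} for a, b in depends]
    return {"spdxVersion": SPDX_VERSION, "dataLicense": "CC0-1.0",
            "SPDXID": DOC_ID, "name": name, "documentNamespace": namespace,
            "creationInfo": {"created": datetime.now(timezone.utc)
                             .strftime("%Y-%m-%dT%H:%M:%SZ"),
                             "creators": ["Tool: sbom-example-0.1"]},
            "packages": packages, "relationships": rels}


def check_document(doc):
    """Return a list of problems (empty list = passes): mandatory fields present,
    SPDXIDs well-formed and unique, reference categories valid, and every
    relationship pointing at an element that exists in the document."""
    problems = []
    for f in REQUIRED_DOC_FIELDS:
        if f not in doc:
            problems.append(f"document missing {f}")
    if doc.get("spdxVersion") != SPDX_VERSION:
        problems.append(f"unexpected spdxVersion {doc.get('spdxVersion')!r}")
    ids = {doc.get("SPDXID")}
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "")
        for f in REQUIRED_PKG_FIELDS:
            if f not in pkg:
                problems.append(f"package {pid or pkg.get('name')} missing {f}")
        if not pid.startswith("SPDXRef-"):
            problems.append(f"malformed SPDXID {pid!r}")
        elif pid in ids:
            problems.append(f"duplicate SPDXID {pid}")
        ids.add(pid)
        for ref in pkg.get("externalRefs", []):
            cat = ref.get("referenceCategory")
            if cat not in VALID_REF_CATEGORIES:
                problems.append(f"{pid}: bad referenceCategory {cat!r}")
    for rel in doc.get("relationships", []):
        for key in ("spdxElementId", "relatedSpdxElement"):
            if rel.get(key) not in ids:
                problems.append(f"relationship refers to unknown element {rel.get(key)!r}")
    return problems


def match_keys(doc):
    """Per package, the locators a vulnerability scanner matches on (purl, CPE)."""
    return {f"{p['name']}@{p.get('versionInfo', 'NOASSERTION')}":
            [r["referenceLocator"] for r in p.get("externalRefs", [])
             if r.get("referenceType") in ("purl", "cpe23Type")]
            for p in doc.get("packages", [])}


def round_trip(doc):
    """Serialise to JSON text and parse it back, as a consumer would receive it."""
    return json.loads(json.dumps(doc, indent=2))


def example_document():
    """Constructed sample: an application depending on one library."""
    pkgs = [make_package("SPDXRef-Package-app", "example-app", "1.4.2", "Apache-2.0",
                         purl="pkg:generic/example-app@1.4.2"),
            make_package("SPDXRef-Package-libfoo", "libfoo", "2.0.1", "MIT",
                         purl="pkg:generic/libfoo@2.0.1",
                         cpe="cpe:2.3:a:example:libfoo:2.0.1:*:*:*:*:*:*:*")]
    return make_document("example-app-1.4.2", "https://example.com/spdx/example-app-1.4.2",
                         pkgs, "SPDXRef-Package-app",
                         [("SPDXRef-Package-app", "SPDXRef-Package-libfoo")])


if __name__ == "__main__":
    doc = round_trip(example_document())
    print(json.dumps(doc, indent=2))
    print("problems:", check_document(doc) or "none")
    print("scanner keys:", match_keys(doc))
```

The checks are deliberately pinned to the 2.2 spellings named in the standard (for instance `PACKAGE-MANAGER` with a hyphen); a document produced to a later SPDX version should be validated against that version's schema instead. The point of `match_keys` is that an SBOM with only a name and version is of limited use for security work: it is the purl and CPE external references that let the component be matched to advisory data.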

In this talk, we will present the concepts of SBOMs, explain the real-world requirements they meet in areas such as security and compliance, and describe the basic elements defined in SPDX.