Alas, many of you haven’t heard of Software Package Data Exchange (SPDX). Fortunately, while most of us haven’t been paying attention, the Linux Foundation and businesses such as Intel, Microsoft, and VMware have been pushing it forward, and SPDX has now become an International Standards Organization (ISO) standard: ISO/IEC 5962:2021. It all started back in 2010 when, as Jim Zemlin, then and now the Linux Foundation‘s executive director, explained, companies needed a standard way to record their license and component information (metadata) in software bills of materials (SBOMs) to ease the discovery and labeling of open-source components in their products.
And, let’s face it, since 90% of modern applications are assembled from open source software components, this is essential. In addition, although SPDX’s SBOM format was designed first for open source code and licenses, it lends itself equally well to proprietary or other third-party programs.