Blog: Software Bill Of Materials Formats

Software Bill Of Materials Formats Prerequisite Different SBOM formats comparison 1 - The Software Package Data Exchange (SPDX) 2 - Software Identification (SWID) Tags 3 - CycloneDX Generate SBOMs manually? definitely not If you don’t understand what is Software Bill of Materials (SBOM), please read this blog post first. The National Telecommunications and Information Administration (NTIA) in the U. S. defined minimum requirements for SBOM formats : Identifying the supplier of the software component. Identifying the details about the version of the component. Including unique identifiers for the component like cryptographic hash functions. Including the relationships between all dependencies inside the component. Including a timestamp of when and by whom the SBOM report was created or last modified In this section, we discuss different kinds and formats for SBOM standards and make a brief comparison between them. Three commonly used standards achieved the NTIA minimum requirements for SBOM generation and each one results in a different final SBOM document. History: SPDX is an open-source machine-readable format adopted by the Linux Foundation as an industry standard. The specifications are implemented as a file format that identifies the software components within a larger piece of computer software and fulfilling the requirements of NTIA. The SPDX project started in 2010 and was initially dedicated to solving the issues around open source licensing compliance.