By Josh Bressers (Anchore) and Kate Stewart (SPDX)
A few months ago, the OpenSSF published a mobilization plan that is meant to improve the resiliency and security of open source software. A key component of the plan, known as SBOM Everywhere, is using a software bill of materials (SBOM) as a foundational building block to improve the security posture of the entire open source ecosystem. SBOM Everywhere, as the name suggests, is working towards bringing SBOMs to all of open source in a way that is non-disruptive.
The first effort of the SBOM Everywhere project was to create a plan that enabled the OpenSSF to fund work on the SPDX Python library. We are pleased to announce this plan has been approved and work started on September 1!
Alone we can do so little; together we can do so much.
Helen Keller
SPDX
SPDX is a standard for describing a software bill of materials. This is like an ingredients list for your software. The SPDX specification is an international open standard known as ISO/IEC 5962:2021. While SPDX is one of the standards that describes what an SBOM should look like, the SPDX project also houses a number of technical projects such as tools and libraries for creating and parsing SPDX SBOM data. The project has evolved from community volunteer efforts for both the specification and the tooling, and it’s free for anyone to join and participate. However, volunteers change over time, and they mainly work on the parts that are of interest to them, so gaps emerge.
SPDX has a number of libraries that are used by developers to create and parse SPDX SBOM data. The work on these libraries has been done by community volunteers over a long period of time. It has been known for some time that the SPDX Python library needed updating to bring it in line with more modern versions of SPDX, and that the code needed to be turned into something that is easier to maintain, so that community contributions become less difficult. What the SPDX Python library didn’t have was volunteers with the right skills or the funding to get the work done. However, the OpenSSF did have funding that could accomplish this.
A Huge Task
The OpenSSF is a foundation that is tasked with securing open source software and improving the security of the open source software we all rely on to power modern civilization. That’s a huge task, and it’s no secret that the OpenSSF has to work with the community. Inside the OpenSSF there is a tooling working group, and within the tooling working group is a group called SBOM Everywhere that has been tasked with making the creation and consumption of SBOMs easier for everyone. SBOM Everywhere is part of The Open Source Software Security Mobilization Plan.
It is very common for a foundation to want to leverage its funding to focus on internal projects the foundation has direct control over and likely holds the intellectual property rights to. In this case, the OpenSSF has no control over the SPDX Python library. The OpenSSF leadership is rather forward looking in this regard. The OpenSSF understands this work is much bigger than just the OpenSSF and will benefit the entire open source community.
What’s Next?
The OpenSSF mobilization plan has ten workstreams. There’s a lot of work to do, but this is an early example showing what we can accomplish when we are all willing to work together. There are often grand explanations of the open source community, but the reality is it’s more like millions of smaller groups loosely related to each other. If everyone tries to keep their efforts contained to one small group the outcomes will always be small. If we want big outcomes (which the mobilization plan does), we need big groups and big ideas.
The SBOM Everywhere Special Interest Group (SIG) is just getting started. This is one of the very first efforts from the group. SBOMs are becoming extremely important. We see them popping up in regulations, legislation, standards, and even formal requirements. We understand making SBOMs easy to use and consume won’t be easy, but is extremely important. If SBOMs don’t become easier to create, use, store, and distribute, they’re unlikely to be used industry wide.
Please come and help if you have an interest in securing open source, which is in everything these days. If you create software, you are part of the open source community. The OpenSSF is a diverse community of contributors, there is plenty of work to do, and we would love to have you!
Everyone says they take security seriously, but this is one of those cases where actions speak louder than words. The OpenSSF, its member organizations, and its volunteers don’t only take security seriously, they are doing the work we all need to meet modern day security challenges. The OpenSSF is fairly new and SBOM Everywhere is brand new. It will be incredible to see what sort of new ideas and activities the coming months and years will bring. Funding the updates for a Python library may not seem like a huge deal in the big picture, but it’s a first step in what will be an amazing, complex, and impactful journey.