top of page
  • Frankie

Demystifying SBOMs: Why SPDX and CycloneDX Aren’t Enough

The software industry has seen a significant shift towards greater transparency and documentation, and a prime example of this trend is the increasing use of Software Bills of Materials (SBOMs). SBOMs serve as critical inventory lists, documenting the various open-source software components used in a particular product or application. However, there's a dangerous misconception permeating throughout the industry: the notion that merely producing an SBOM is enough, without paying due diligence to its contents.

This approach to SBOMs is akin to a company undergoing a tax audit and feeling accomplished for presenting an Excel sheet filled with financial data, without giving any thought to the accuracy or completeness of the spreadsheet's contents.

It is important to remember that, in both cases, the document is only as good as the data it contains. An incomplete or incorrect Excel sheet will not fare well in a tax audit, and an inaccurate SBOM could lead to licensing conflicts, security risks, and potential legal issues.

Just as there are standards for financial data presentation, there are also standard formats for SBOMs, such as SPDX (Software Package Data Exchange) and CycloneDX. However, these are simply formats - the containers in which data is presented. A well-formatted SBOM is worth little if the information within it is not thoroughly checked, verified, and accurate.

This brings us to an important point: Not all BOMs are created equal. An SBOM's reliability is determined by the thoroughness of the software inventory it represents. And here is where many companies fall short. The rapid advancement of programming tools, fuelled by Al-assisted coding, has made the integration of open-source components nearly effortless, often to the point of being involuntary. This ease of use can result in the inadvertent introduction of open-source elements into a codebase without the necessary documentation, leaving SBOMs incomplete or, even worse, misleading.

So, how can this be addressed? The answer lies in integrating a rigorous open-source code scanning process into software development workflows. This process ensures the identification of all open-source code files and snippets, regardless of their size or how deeply they are embedded or integrated.

One of the leading solutions in this arena is SCANOSS, which provides a robust and effective mechanism for detecting all open-source code in your project. It compares your codebase against millions of open-source components to identify any matches, ensuring a complete and accurate SBOM.

To sum up, the creation of an SBOM is not the final accomplishment but rather the first step in the journey towards responsible open-source software management. A truly effective SBOM should accurately reflect the entirety of the open-source code used, and achieving that requires a comprehensive approach that includes the use of tools like SCANOSS.

Only then can we move beyond the illusion of accomplishment and towards the reality of responsible, transparent, and legal use of open-source software.


bottom of page