Two Options To Manage Software BOM and To Use SPDX Format with OpenBOM

Oleg Shilovitsky
30 September, 2021 | 4 min for reading

The importance of software BOM has grown tremendously over the last several years. Each product today contains mechanical, electrical, electronic, and software components. The software can no longer be ignored and must be managed in some way.

In my earlier blog, 3 Reasons Manufacturing Companies Should Start Managing SBOM in 2021, I outlined the basic reasons why software BOM is as important as mechanical BOM was two decades ago.

Product Development and Software Complexity

You can imagine the level of complexity companies go through to ensure all pieces of the components including software are aligned. In my earlier article, I wrote about the importance of Multidisciplinary BOM and how OpenBOM enables engineers to work with multiple environments in a much more efficient way.  

In the same blog, I mentioned OpenBOM’s flexible data model as a key enabler to manage structures that contain multiple item elements – mechanical items, electrical components, and software items. A key difference of OpenBOM’s technology is its completely flexible data model, which manages reference-instance data for a multi-disciplinary BOM.

The foundation of the model is a distributed catalog system capable of managing multiple sets of item definitions – mechanical, electrical, software. In addition to that, OpenBOM’s product structure model allows its users to combine a diverse set of BOM records with full flexibility of the data model on both the item and instance level. Last but not least, OpenBOM’s patented collaboration technology allows team members, contractors, and suppliers to work together, each providing their own piece of the whole BOM.

Today, I want to touch on two possible ways you can manage software BOM in OpenBOM. My attention was caught by a VentureBeat article – SPDX is now the official data standard for software bill of materials. The article speaks about the SPDX format, which has been used for quite some time in software development. However, it is now gaining even more popularity and demand.

The announcement comes at a notable time in the software security sphere. With countless organizations reeling from targeted software supply chain attacks — such as the attack on SolarWinds — including government agencies, hospitals, and mega-corporations, U.S. President Biden in May issued an executive order outlining key steps to improving the nation’s cybersecurity. Securing open source software used within federal information systems was a part of this order, including:

… maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis.

Transparency is the name of the game here. And to achieve this end, the order specified that all ICT companies working with federal government agencies should provide an SBOM for each item used in the software stack.

Here is a quick link to documentation explaining more – Using SPDX. The article speaks about how to start using SPDX. Once you are comfortable creating and managing SPDX packages, you will find it easy to integrate them into the bigger picture of the product structure managed by OpenBOM.

OpenBOM Reference Link  

This is the easiest way to integrate SPDX packages in OpenBOM. To do so, you can create appropriate OpenBOM properties. Use the Reference type to create a property that holds a link to the SPDX package, which can be loaded into OpenBOM storage. By doing so, you can refer from an item identifying a software package in a multi-disciplinary BOM to the SPDX package, which describes everything about the software BOM.

This approach is “quick and dirty”, but it gives you an easy way to ensure your SPDX files and software BOM are under control and connected to the right items in the overall multi-disciplinary product structure, and you can track revisions of these files.

Fully Exploded SPDX Package Import to OpenBOM 

A more complex, but also more comprehensive way to manage software BOM is to import the SPDX package to OpenBOM and turn it into a fully functional structure. Once it is done, every component line coming from SPDX format will become an item in OpenBOM, which you will be able to manage separately.

The following simple SPDX package example can be turned into an OpenBOM structure and explored down to a single component.

content
├── build
│   └── hello
└── src
    ├── Makefile
    └── hello.go

At this point, we don’t provide an out-of-the-box importer from SPDX files to OpenBOM, but we are exploring this opportunity. If you’re interested in exploring it together, please contact us.
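Until such an importer exists, the "exploded" import described above can be approximated by flattening the SPDX file into rows that a BOM tool can ingest. The following is an added example, not OpenBOM code: the SPDX sample is constructed to match the tree above (checksums are placeholders), and the column names are assumptions rather than an OpenBOM import schema.

```python
import csv
import io

# Constructed SPDX 2.2 tag-value sample for the tree above; checksums are placeholders.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
SPDXID: SPDXRef-DOCUMENT
PackageName: hello
SPDXID: SPDXRef-Package-hello
FileName: ./build/hello
SPDXID: SPDXRef-hello-binary
FileChecksum: SHA1: 0000000000000000000000000000000000000001
FileName: ./src/Makefile
SPDXID: SPDXRef-Makefile
FileChecksum: SHA1: 0000000000000000000000000000000000000002
FileName: ./src/hello.go
SPDXID: SPDXRef-hello-src
FileChecksum: SHA1: 0000000000000000000000000000000000000003
"""

def spdx_to_bom_rows(text):
    """Flatten SPDX tag-value text into one BOM row per package or file."""
    rows, current, parent = [], None, ""
    for line in text.splitlines():
        tag, sep, value = line.partition(": ")
        if not sep:
            continue  # blank line or free-text continuation
        if tag in ("PackageName", "FileName"):
            kind = "package" if tag == "PackageName" else "file"
            # Column names are assumptions, not an OpenBOM import schema.
            current = {"Part Number": "", "Name": value, "Type": kind,
                       "Parent": parent if kind == "file" else "", "Checksum": ""}
            rows.append(current)
        elif current is None:
            continue  # document-level tags before the first package
        elif tag == "SPDXID":
            current["Part Number"] = value
            if current["Type"] == "package":
                parent = value  # files that follow belong to this package
        elif tag == "FileChecksum":
            current["Checksum"] = value  # keep it so the artifact can be verified
    return rows

def rows_to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Calling `rows_to_csv(spdx_to_bom_rows(SAMPLE_SPDX))` yields one package row and three file rows, each file row carrying its parent package ID and its checksum.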

Conclusion 

Product development is getting more complex and it is obvious that manufacturing companies are looking for a better way to reduce the risk of missing SBOM management. To stay out of trouble, manufacturers must figure out how to manage software BOM and how to integrate it with a broader process of the product development lifecycle. OpenBOM gives an easy way to start this journey and integrate a multi-disciplinary product structure with Software BOM elements. 

Check out how OpenBOM can help – REGISTER FOR FREE and start your 14-day trial of all OpenBOM features. 

Best, Oleg
