Two Options To Manage Software BOM and To Use SPDX Format with OpenBOM

Oleg Shilovitsky
Oleg Shilovitsky
30 September, 2021 | 4 min for reading
Two Options To Manage Software BOM and To Use SPDX Format with OpenBOM

The importance of software BOM has grown tremendously over the last several years. Each product today contains mechanical, electrical, electronics and software components. The last one cannot be ignored anymore and must be managed in some ways. 

In my earlier blog, 3 Reasons Manufacturing Companies Should Start Managing SBOM in 2021, I outlined the basic reasons why software BOM is as important as mechanical BOM was two decades ago.

Product Development and Software Complexity

You can imagine the level of complexity companies go through to ensure all pieces of the components including software are aligned. In my earlier article, I wrote about the importance of Multidisciplinary BOM and how OpenBOM enables engineers to work with multiple environments in a much more efficient way.  

In the same blog, I mentioned OpenBOM’s flexible data model as a key enabler to manage structures that contain multiple item elements – mechanical items, electrical components, and software items. A key difference of OpenBOM’s technology is its ability to provide a completely flexible data model managing reference-instance data model for multi-disciplinary BOM. 

The foundation of the model is a distributed catalogs’ system capable of managing multiple sets of item definitions – mechanical, electrical, software. In addition to that, OpenBOM’s product structure model allows its user to combine a diverse set of BOM records with full flexibility of data model on both item and instance level. Last but not least, OpenBOM’s patented collaboration technology allows team members, contractors, and suppliers to work together to provide each their own piece of the whole BOM. 

Today, I want to touch on two possible ways you can manage software BOM in OpenBOM. My attention was caught by a Venture Bit article – SPDX is now the official data standard for software bill of materials. The article speaks about SPDX format, which was used for quite some time in software development. However, now it is gaining even bigger popularity and demand. 

The announcement comes at a notable time in the software security sphere. With countless organizations reeling from targeted software supply chain attacks — such as the attack on SolarWinds — including government agencies, hospitals, and mega-corporations, U.S. President Biden in May issued an executive order outlining key steps to improving the nation’s cybersecurity. Securing open source software used within federal information systems was a part of this order, including:

… maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis.

Transparency is the name of the game here. And to achieve this end, the order specified that all ICT companies working with federal government agencies should provide an SBOM for each item used in the software stack.

Here is a quick link to documentation explaining more – Using SPDX. The article speaks about how to start using SPDX. Once you get aligned with how to create and manage SPDX packages, you can find it easy to be integrated with a bigger picture of the product structure managed by OpenBOM. 

OpenBOM Reference Link  

This is the easiest way to integrate SPDX packages in OpenBOM. To do so, you can create appropriate OpenBOM properties. Use Reference type to create a property that can hold a link to the SPDX package, which can be loaded in OpenBOM storage. By doing so, you can refer from an item identifying a software package in a multi-disciplinary BOM and SPDX package which describes everything about the software BOM. 

This approach is “quick and dirty”, but it gives you an easy way to ensure your SPDX files and software BOM is under control, connected to the right items in the overall multi-disciplinary product structure and you can track revisions of these files. 

Fully Exploded SPDX Package Import to OpenBOM 

A more complex, but also more comprehensive way to manage software BOM is to import the SPDX package to OpenBOM and turn it into a fully functional structure. Once it is done, every component line coming from SPDX format will become an item in OpenBOM, which you will be able to manage separately.

The following simple example of the SPDX package can be turned into an OpenBOM structure and explored by a single component. 

content

├── build

│ └── hello

└── src

    ├── Makefile

    └── hello.go

At this point, we don’t provide an out-of-the-box importer, from SPDX file to OpenBOM, but we are learning about this opportunity. If you’re interested in exploring it together, please contact us.

Conclusion 

Product development is getting more complex and it is obvious that manufacturing companies are looking for a better way to reduce the risk of missing SBOM management. To stay out of trouble, manufacturers must figure out how to manage software BOM and how to integrate it with a broader process of the product development lifecycle. OpenBOM gives an easy way to start this journey and integrate a multi-disciplinary product structure with Software BOM elements. 

Check out how OpenBOM can help – REGISTER FOR FREE and start your 14-day trial of all OpenBOM features. 

Best, Oleg

Related Posts

Also on OpenBOM

4 6
11 October, 2024

It is not uncommon to hear that BOM (bill of materials) is a list of parts, raw materials, and components…

9 October, 2024

At OpenBOM, we are dedicated to continuously improving the OpenBOM Platform to provide the best possible solutions for managing product…

8 October, 2024

OpenBOM is excited to announce a major update to our Onshape integration, delivering new features designed to enhance your workflow….

8 October, 2024

The digital revolution is reshaping industries worldwide, and manufacturing is no exception. Here are a few interesting data points that…

4 October, 2024

The ability to purchase parts quickly and accurately is crucial for keeping production on track. However, many companies still rely…

4 October, 2024

Managing maintenance and tracking data for products already sold to customers has become a vital function for many manufacturing companies…

2 October, 2024

We are thrilled to bring you a detailed update on the latest enhancements to OpenBOM for Onshape! Over the years,…

1 October, 2024

The last decade, particularly the years following COVID-19, has shown us the potential of digital transformation. We live in a…

27 September, 2024

Modern manufacturing is about speed and agility. The key to success lies in automating manual processes and fostering collaboration between…

To the top