The importance of software BOM has grown tremendously over the last several years. Each product today contains mechanical, electrical, electronics and software components. The last one cannot be ignored anymore and must be managed in some ways.
In my earlier blog, 3 Reasons Manufacturing Companies Should Start Managing SBOM in 2021, I outlined the basic reasons why software BOM is as important as mechanical BOM was two decades ago.
Product Development and Software Complexity
You can imagine the level of complexity companies go through to ensure all pieces of the components including software are aligned. In my earlier article, I wrote about the importance of Multidisciplinary BOM and how OpenBOM enables engineers to work with multiple environments in a much more efficient way.
In the same blog, I mentioned OpenBOM’s flexible data model as a key enabler to manage structures that contain multiple item elements – mechanical items, electrical components, and software items. A key difference of OpenBOM’s technology is its ability to provide a completely flexible data model managing reference-instance data model for multi-disciplinary BOM.
The foundation of the model is a distributed catalogs’ system capable of managing multiple sets of item definitions – mechanical, electrical, software. In addition to that, OpenBOM’s product structure model allows its user to combine a diverse set of BOM records with full flexibility of data model on both item and instance level. Last but not least, OpenBOM’s patented collaboration technology allows team members, contractors, and suppliers to work together to provide each their own piece of the whole BOM.
Today, I want to touch on two possible ways you can manage software BOM in OpenBOM. My attention was caught by a Venture Bit article – SPDX is now the official data standard for software bill of materials. The article speaks about SPDX format, which was used for quite some time in software development. However, now it is gaining even bigger popularity and demand.
The announcement comes at a notable time in the software security sphere. With countless organizations reeling from targeted software supply chain attacks — such as the attack on SolarWinds — including government agencies, hospitals, and mega-corporations, U.S. President Biden in May issued an executive order outlining key steps to improving the nation’s cybersecurity. Securing open source software used within federal information systems was a part of this order, including:
… maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis.
Transparency is the name of the game here. And to achieve this end, the order specified that all ICT companies working with federal government agencies should provide an SBOM for each item used in the software stack.
Here is a quick link to documentation explaining more – Using SPDX. The article speaks about how to start using SPDX. Once you get aligned with how to create and manage SPDX packages, you can find it easy to be integrated with a bigger picture of the product structure managed by OpenBOM.
OpenBOM Reference Link
This is the easiest way to integrate SPDX packages in OpenBOM. To do so, you can create appropriate OpenBOM properties. Use Reference type to create a property that can hold a link to the SPDX package, which can be loaded in OpenBOM storage. By doing so, you can refer from an item identifying a software package in a multi-disciplinary BOM and SPDX package which describes everything about the software BOM.
This approach is “quick and dirty”, but it gives you an easy way to ensure your SPDX files and software BOM is under control, connected to the right items in the overall multi-disciplinary product structure and you can track revisions of these files.
Fully Exploded SPDX Package Import to OpenBOM
A more complex, but also more comprehensive way to manage software BOM is to import the SPDX package to OpenBOM and turn it into a fully functional structure. Once it is done, every component line coming from SPDX format will become an item in OpenBOM, which you will be able to manage separately.
The following simple example of the SPDX package can be turned into an OpenBOM structure and explored by a single component.
content
├── build
│ └── hello
└── src
├── Makefile
└── hello.go
At this point, we don’t provide an out-of-the-box importer, from SPDX file to OpenBOM, but we are learning about this opportunity. If you’re interested in exploring it together, please contact us.
Conclusion
Product development is getting more complex and it is obvious that manufacturing companies are looking for a better way to reduce the risk of missing SBOM management. To stay out of trouble, manufacturers must figure out how to manage software BOM and how to integrate it with a broader process of the product development lifecycle. OpenBOM gives an easy way to start this journey and integrate a multi-disciplinary product structure with Software BOM elements.
Check out how OpenBOM can help – REGISTER FOR FREE and start your 14-day trial of all OpenBOM features.
Best, Oleg
Join our newsletter to receive a weekly portion of news, articles, and tips about OpenBOM and our community.