HPE joins the Linux Foundation’s SPDX workgroup as an SPDX supporter
January 5, 2023

Hewlett Packard Enterprise (HPE) is pleased to have joined The Linux Foundation® Software Package Data Exchange (SPDX)® workgroup as an SPDX Supporter.
HPE has chosen SPDX for its software bills of materials (SBOMs) to communicate an ingredient list for its software products. SBOMs written in SPDX format are easy to understand, even by a human. The real value in using a standardized format like SPDX, however, lies in automation tooling that consumes the information contained in SBOMs and reports back on it, especially when matching the listed components against vulnerability databases. Using SPDX, HPE will be able to adapt its reporting for a variety of initiatives, including US Executive Order 14028 as well as global initiatives aligned with software security and supply chain management. Furthermore, since SPDX has been approved by the International Organization for Standardization (ISO/IEC 5962:2021), it will be easier to collaborate with external suppliers who also choose this standard format.
SPDX also helps with a broader issue at the intersection of Open Source Street and Security Avenue. Various public security feeds and databases use different names to describe the same packages or components. By allowing a package entry to carry external identifiers such as Package URLs (purl), CPE names and SWID tags alongside its free-text name, SPDX provides an entry point for teams to correlate the SBOM information they receive from a supplier with a larger number of public security feeds, or even to cross-correlate with SBOMs created using the other popular SBOM specifications. Finally, HPE supports SPDX's efforts in reviewing licenses for inclusion in the SPDX License List. SPDX's legal group serves an important function in identifying and cataloguing commonly used open source licenses with short identifiers, which aids license identification for open source projects.
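The two preceding paragraphs describe the consumption side: tooling that reads an SPDX SBOM, picks up the package identifiers it carries, and matches them against a vulnerability feed. The script below is an added example written for this page; it is not HPE or SPDX project code. The SPDX 2.3 JSON document, the advisory feed and every package name, version and advisory ID in it are constructed for illustration (the "EXAMPLE-ADV-" advisories are fictitious). It shows why the identifier matters: the package named "Widget_Lib" in the SBOM is matched to an advisory filed under "widget-lib" only because both sides carry a purl that canonicalizes to the same value, while a package with no external reference cannot be correlated at all and is reported as such.

```python
"""Correlate an SPDX 2.3 JSON SBOM with a vulnerability feed via purl identifiers.

Added example, not HPE/SPDX code. SBOM, feed, package names and advisory IDs are
constructed; only the SPDX document structure and the purl rules are real.
"""
import json
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed SPDX 2.3 JSON SBOM. externalRefs carry a purl (PACKAGE-MANAGER) and a CPE (SECURITY).
SBOM_JSON = r'''{
  "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-service",
  "documentNamespace": "https://example.invalid/spdxdocs/example-service-1.0",
  "creationInfo": {"created": "2023-01-05T00:00:00Z", "creators": ["Tool: hand-written-example"]},
  "packages": [
    {"name": "Widget_Lib", "SPDXID": "SPDXRef-Package-widgetlib", "versionInfo": "1.4.2",
     "downloadLocation": "NOASSERTION", "licenseConcluded": "MIT",
     "externalRefs": [
       {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
        "referenceLocator": "pkg:pypi/Widget_Lib@1.4.2?repository_url=https://example.invalid/simple"},
       {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
        "referenceLocator": "cpe:2.3:a:example:widget_lib:1.4.2:*:*:*:*:*:*:*"}]},
    {"name": "fastparse", "SPDXID": "SPDXRef-Package-fastparse", "versionInfo": "3.1.0",
     "downloadLocation": "NOASSERTION", "licenseConcluded": "Apache-2.0",
     "externalRefs": [{"referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:npm/%40example/fastparse@3.1.0"}]},
    {"name": "legacy-util", "SPDXID": "SPDXRef-Package-legacy", "versionInfo": "0.9",
     "downloadLocation": "NOASSERTION", "licenseConcluded": "NOASSERTION", "externalRefs": []}
  ]
}'''

# Constructed OSV-style feed: affected package as a version-less purl plus [introduced, fixed) ranges.
VULN_FEED = [
    {"id": "EXAMPLE-ADV-0001", "purl": "pkg:pypi/widget-lib",
     "ranges": [{"introduced": "1.0.0", "fixed": "1.4.3"}], "summary": "constructed advisory"},
    {"id": "EXAMPLE-ADV-0002", "purl": "pkg:npm/@example/fastparse",
     "ranges": [{"introduced": "0", "fixed": "2.8.0"}, {"introduced": "3.0.0", "fixed": "3.0.4"}],
     "summary": "constructed advisory"},
]


def parse_purl(locator: str) -> Tuple[str, Optional[str]]:
    """Return (canonical 'pkg:type/namespace/name', version). Drops qualifiers and subpath,
    percent-decodes segments, lowercases the type, and for pypi lowercases the name and maps
    '_' to '-' as the purl spec requires, so 'Widget_Lib' and 'widget-lib' compare equal."""
    if not locator.startswith("pkg:"):
        raise ValueError(f"not a purl: {locator}")
    body = locator[len("pkg:"):].lstrip("/").split("#", 1)[0].split("?", 1)[0]
    last_slash, at = body.rfind("/"), body.rfind("@")
    # A version '@' always follows the last '/'; an '@' before it belongs to an npm-style namespace.
    path, version = (body[:at], body[at + 1:]) if at > last_slash else (body, None)
    segments = [unquote(s) for s in path.split("/") if s]
    ptype, name, namespace = segments[0].lower(), segments[-1], segments[1:-1]
    if ptype == "pypi":
        name = name.lower().replace("_", "-")
    return "pkg:" + "/".join([ptype, *namespace, name]), (unquote(version) if version else None)


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric dotted-version key. Sufficient for the semver-like versions here; real tooling
    must use the ecosystem's own rules (PEP 440, semver, ...) or it will mis-order versions."""
    return tuple(int(m) for m in re.findall(r"\d+", v))


def in_affected_range(version: str, rng: Dict[str, str]) -> bool:
    """Half-open OSV-style range: introduced <= version < fixed; no 'fixed' means still affected."""
    v = version_key(version)
    if v < version_key(rng["introduced"]):
        return False
    return "fixed" not in rng or v < version_key(rng["fixed"])


def package_purls(pkg: Dict) -> List[str]:
    """purl locators of one SPDX package; accepts both spellings of the category."""
    return [r["referenceLocator"] for r in pkg.get("externalRefs", [])
            if r.get("referenceCategory", "").replace("_", "-") == "PACKAGE-MANAGER"
            and r.get("referenceType") == "purl"]


def correlate(sbom: Dict, feed: List[Dict]) -> Dict[str, List]:
    """Match SBOM packages to advisories by canonical purl. Packages without a purl are listed
    under 'unidentified' rather than matched on the free-text name, which is the ambiguity the
    identifiers exist to remove."""
    index: Dict[str, List[Dict]] = {}
    for adv in feed:
        index.setdefault(parse_purl(adv["purl"])[0], []).append(adv)
    findings, unidentified = [], []
    for pkg in sbom.get("packages", []):
        purls = package_purls(pkg)
        if not purls:
            unidentified.append(pkg["SPDXID"])
            continue
        for locator in purls:
            base, version = parse_purl(locator)
            version = version or pkg.get("versionInfo")
            for adv in index.get(base, []):
                if version and any(in_affected_range(version, r) for r in adv["ranges"]):
                    findings.append((pkg["SPDXID"], adv["id"], base, version))
    return {"findings": findings, "unidentified": unidentified}


def run_example() -> Dict[str, List]:
    return correlate(json.loads(SBOM_JSON), VULN_FEED)


if __name__ == "__main__":
    report = run_example()
    for spdxid, adv_id, purl, version in report["findings"]:
        print(f"AFFECTED   {spdxid}: {purl}@{version} -> {adv_id}")
    for spdxid in report["unidentified"]:
        print(f"NO-PURL    {spdxid}: cannot be correlated by identifier")
```

Running it reports SPDXRef-Package-widgetlib as affected by EXAMPLE-ADV-0001 (1.4.2 falls in [1.0.0, 1.4.3)), reports SPDXRef-Package-fastparse as clean because 3.1.0 is past the fixed version of both constructed ranges, and flags SPDXRef-Package-legacy as having no identifier to match on. The CPE reference is carried in the document but not used here; a real consumer would index NVD-style feeds by it in the same way.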
HPE is committed to software security, and we want to provide our customers with confidence in our products by using a format that serves both security and license identification initiatives.