Resources

Practical explainers and reference articles for SBOM management, open source governance, license compliance, and vulnerability management.

Latest resources

SBOM & SPDX: Why Suppliers Need Both

In today’s software supply chain landscape, transparency is no longer optional; it is a baseline expectation. If you are a supplier, chances are high that a ...

SBOM Management

Ship It Right: A Fun but Serious Guide to Software Distribution Best Practices (with a Little Help from SCA)

Distributing Software: More Crucial Than Cool. Distributing software might not be as glamorous as launching the next AI revolution or inventing teleportation—...

SBOM Management

Understanding SPDX: Strengthening Trust in the Software Supply Chain

As modern software systems grow increasingly complex and globally interconnected, understanding the components within these systems is critical for managing ...

SBOM Management

Why Your Code’s Hidden Dependencies Could Be Your Biggest Risk

You know what’s fun? Hidden problems. Especially the ones buried deep inside your transitive dependencies. Here’s the deal: Your app probably uses a handful of...

Vulnerability Management

Corresponding Source Code

The second of two main requirements put upon distributors of open-source code is to provide the corresponding source code of any copyleft-licensed code they ...

License Compliance

Legal Threats and Resolutions

Obviously, you should follow the licenses of open source code included in your projects and products when distributing this code to third parties, for exampl...

License Compliance

License-Compliant Distribution

As you distribute your program to recipients, you have to provide them with the proper legal notices for any open source code included in your distribution. ...

License Compliance

Navigating Open Source License Compliance for SMEs

Introduction: Open source software (OSS) offers numerous benefits for small and medium enterprises (SMEs), including cost savings, flexibility, and community ...

License Compliance

Open Source License Compliance

License compliance is the process of complying with (i.e. fulfilling) the obligations posed by licenses upon the users of code with that license. Here, we ar...

License Compliance

The License-Compliant Distribution Workflow

Shipping a product that includes open source code to customers requires compliance with the licenses of the included code. For most products and in most comp...

License Compliance

The Main Types of Open Source Software Licenses

Open source software (OSS) has revolutionized the tech industry, fostering innovation and collaboration. However, with the freedom to use and modify open sou...

License Compliance

The Open Source Legal Notices

Legal notices are notices given by a distributor of an artifact to the recipient of the artifact. The common example is a vendor (distributor) selling a prod...

License Compliance

What is Open Source License Compliance?

Open source license compliance is the practice of being in compliance with all license conditions of all included third-party open source software. Most lice...

License Compliance

Why is Open Source License Compliance Important?

Open source license compliance is a critical aspect of managing software projects that incorporate open source components and giving credit where credit is d...

License Compliance

Contributing to Open Source Projects

The second stage of engaging with open source is typically to contribute to an open source project. Most people and companies start contributing by filing bu...

Open Source Governance

Good Governance Certification

As discussed, open source governance at its core consists of governing The OpenChain project, hosted by the Linux Foundation, is an attempt by industry to sp...

Open Source Governance

Leading Open Source Projects

The third and most advanced stage of engaging with open source is to create and lead open source projects. This often correlates with taking on a larger ro...

Open Source Governance

Open Source Program Offices

An open source program office (OSPO) is an organizational unit of a company tasked with governing the use of, contribution to, and leadership of open source ...

Open Source Governance

Using Open-Source Software

The first stage of engaging with open source is typically to use the software. As explained, there are two main categories of users, (1) end-users and (2) di...

Open Source Governance

What is Open Source Governance?

In the dynamic world of software development, open source software (OSS) has become a cornerstone. It fuels innovation, accelerates development, and fosters ...

Open Source Governance

Basic SBOM Requirements

A software bill of materials (SBOM) captures which code components are included in a piece of software. There are two original uses: Customers in a supply chain often...

SBOM Management

Software Composition Analysis

Software composition analysis (SCA) is the analysis of your project or product’s source code to identify the component structure of the software, also known ...

SBOM Management

The Dependency Graph

The process of creating a software bill of materials (SBOM) is called software composition analysis (SCA). A software composition analysis first creates the ...

SBOM Management

The Software Bill of Materials

A bill of materials (BOM) is a list of components (“materials”) that make up some artifact. A software bill of materials (SBOM) is a bill of materials where ...

SBOM Management

Types and Uses of SBOMs

The original and still primary use of a software bill of materials (SBOM) is to list which components are included in a piece of software when it is provided to a customer. ...

SBOM Management

Working with SCA Tools

Software composition analysis is a tool-based process that cannot be fully automated. An SCA tool expects or downloads a hierarchical structure of all relevan...

SBOM Management

When Open Source Goes Wrong: The Broader Implications of Vulnerability Management

Open-source software (OSS) is valued for its innovation, but when vulnerabilities surface, the effects can be widespread. A single flaw can compromise securi...

Vulnerability Management