RFC: Adopting SPDX for SBOM generation

From: Ed Maste <emaste_at_freebsdfoundation.org>
Date: Wed, 06 Aug 2025 02:54:21 UTC

Hello everyone,

The Foundation is developing capabilities for automatically generating
Software Bill of Materials (SBOM) for FreeBSD as part of the work
commissioned by the Sovereign Tech Agency. SBOMs are often used by
organizations to manage their supply chain security and transparency
by providing a comprehensive inventory of software components.

To maximize utility for FreeBSD users, we need to choose an SBOM
standard that is broadly supported by security scanners, compliance
tools, and supply chain management systems.

**Proposed Standard: SPDX**

After evaluating available SBOM standards, we recommend adopting SPDX
for the following reasons:
- Wide adoption and momentum: SPDX is the most widely used SBOM standard
- ISO standardization: SPDX version 2.2.1 is published as ISO/IEC 5962:2021
- Mature tooling

**Implementation Plan**

1. Select a version of SPDX
- Version choice: SPDX v2 is stable and widely supported, while v3 adds
features
- Implementation approach: We can consider starting with SPDX-Lite[1][2]
for a simpler initial deployment.
- Decide which SPDX elements we want to include.

2. Technical Implementation
- Build integration: Create tooling for Makefiles to generate SBOM
data during the build process
- License extraction: Use tools like scancode-toolkit[3] to extract
license information, with manual review for accuracy
- Data storage: Determine how SBOM information is stored and published
(in the tree or separated)

3. Proof of Concept
There is work-in-progress using pkgconf as an SBOM generation tool:
- Created FreeBSD-prefixed pkgconf .pc files for a sample of
components (clang, libc, mkuzip, xz, zlib, zstd). For example, the
file for source lib/libc is pkgconfig/FreeBSD-libc.pc
- Created meta package pkgconfig/FreeBSD-src.pc which contains
requirements for full source SBOM
- Added REUSE SOFTWARE TOML files for annotations (per-file copyright
and licensing)
- Repository available at:
https://github.com/illuusio/freebsd-src/tree/pkgconfig-test/pkgconfig
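As an added illustration of the proof-of-concept flow above (and of the
"which SPDX elements to include" question in step 1), the following
Python script is not code from the FreeBSD tree or from the Foundation's
tooling. It parses constructed pkgconf-style .pc files, follows Requires
from a FreeBSD-src meta package, takes per-component license and
copyright from a constructed table standing in for REUSE.toml
annotations, and emits an SPDX 2.3 tag-value document with
document-creation and package fields plus DEPENDS_ON relationships. The
package names, versions, licenses, copyright holders, the
pc2spdx-example tool name, the example.invalid namespace and the subset
of SPDX license identifiers are all assumptions.

```python
"""Minimal SPDX 2.3 tag-value SBOM built from pkgconf-style .pc files.

Added example for the proof of concept described above; not code from the
FreeBSD tree or the Foundation's tooling. Every file, package, version,
licence and copyright string below is constructed for illustration."""
import re
from datetime import datetime, timezone

# Constructed .pc files keyed by filename (the PoC keeps them under
# pkgconfig/ in the source tree; FreeBSD-src.pc is the meta package).
PC_FILES = {
    "FreeBSD-src.pc": "Name: FreeBSD-src\nVersion: 15.0\n"
                      "Requires: FreeBSD-libc >= 15.0, FreeBSD-zlib, FreeBSD-zstd\n",
    "FreeBSD-libc.pc": "prefix=/usr\nlibdir=${prefix}/lib\nName: FreeBSD-libc\n"
                       "Version: 15.0\nRequires: FreeBSD-zlib\nLibs: -L${libdir} -lc\n",
    "FreeBSD-zlib.pc": "Name: FreeBSD-zlib\nVersion: 1.3.1\n",
    "FreeBSD-zstd.pc": "Name: FreeBSD-zstd\nVersion: 1.5.6\nRequires: FreeBSD-zlib\n",
}
# Licence and copyright per component, as REUSE.toml [[annotations]] tables
# would record them (constructed; a real run would parse REUSE.toml).
ANNOTATIONS = {
    "FreeBSD-libc": ("BSD-2-Clause", "Copyright (c) The FreeBSD Foundation"),
    "FreeBSD-zlib": ("Zlib", "Copyright (c) Jean-loup Gailly and Mark Adler"),
    "FreeBSD-zstd": ("BSD-3-Clause", "Copyright (c) Meta Platforms, Inc."),
}
# Constructed subset of the SPDX licence list; anything else (say a bare
# "BSD" inherited from older metadata) is rejected rather than emitted.
SPDX_LICENSE_IDS = {"BSD-2-Clause", "BSD-3-Clause", "Zlib", "MIT", "ISC"}
_VAR = re.compile(r"\$\{(\w+)\}")
_REQ = re.compile(r"([\w.+-]+)(?:\s*(?:>=|<=|!=|=|>|<)\s*[\w.+-]+)?")


def parse_pc(text):
    """Return {keyword: value} for a .pc file, expanding ${var} references;
    'Requires' becomes a list of names (version constraints are dropped)."""
    variables, fields = {}, {}
    for raw in text.splitlines():
        line = _VAR.sub(lambda m: variables.get(m.group(1), ""), raw.strip())
        eq, colon = line.find("="), line.find(":")
        if not line or line.startswith("#"):
            continue
        if eq != -1 and (colon == -1 or eq < colon):   # name=value variable
            name, value = line.split("=", 1)
            variables[name.strip()] = value.strip()
        elif colon != -1:                               # Keyword: value
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    fields["Requires"] = [m.group(1) for m in _REQ.finditer(fields.get("Requires", ""))]
    return fields


def resolve(root, pc_files=PC_FILES):
    """Follow Requires depth-first from root; returns parsed packages in
    discovery order plus (parent, child) edges. A missing .pc file or a
    dependency cycle raises instead of yielding a partial SBOM."""
    packages, edges, stack = {}, [], []

    def visit(name):
        if name in stack:
            raise ValueError("dependency cycle: " + " -> ".join(stack + [name]))
        if name in packages:
            return
        if name + ".pc" not in pc_files:
            raise FileNotFoundError("no .pc file for " + name)
        stack.append(name)
        packages[name] = parse_pc(pc_files[name + ".pc"])
        for dep in packages[name]["Requires"]:
            edges.append((name, dep))
            visit(dep)
        stack.pop()

    visit(root)
    return packages, edges


def spdx_id(name):
    """SPDX identifiers may contain only letters, digits, '.' and '-'."""
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)


def generate_sbom(root="FreeBSD-src", created=None, namespace=None):
    """Emit an SPDX 2.3 tag-value document for root and everything it Requires."""
    packages, edges = resolve(root)
    bad = [n for n in packages if n in ANNOTATIONS and ANNOTATIONS[n][0] not in SPDX_LICENSE_IDS]
    if bad:
        raise ValueError("non-SPDX licence identifier for: " + ", ".join(bad))
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # DocumentNamespace must be a unique URI; example.invalid is a placeholder.
    namespace = namespace or f"https://example.invalid/spdx/{root}-{packages[root]['Version']}"
    out = ["SPDXVersion: SPDX-2.3", "DataLicense: CC0-1.0", "SPDXID: SPDXRef-DOCUMENT",
           f"DocumentName: {root}", f"DocumentNamespace: {namespace}",
           "Creator: Tool: pc2spdx-example", f"Created: {created}", ""]
    for name, meta in packages.items():
        lic, holder = ANNOTATIONS.get(name, ("NOASSERTION", "NOASSERTION"))
        out += [f"PackageName: {name}", f"SPDXID: {spdx_id(name)}",
                f"PackageVersion: {meta.get('Version', 'NOASSERTION')}",
                "PackageDownloadLocation: NOASSERTION", "FilesAnalyzed: false",
                f"PackageLicenseConcluded: {lic}", f"PackageLicenseDeclared: {lic}",
                f"PackageCopyrightText: {holder}", ""]
    out.append(f"Relationship: SPDXRef-DOCUMENT DESCRIBES {spdx_id(root)}")
    out += [f"Relationship: {spdx_id(a)} DEPENDS_ON {spdx_id(b)}" for a, b in edges]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(generate_sbom())
```

Running the script prints the document. The meta package carries no
annotation of its own, so its license and copyright fields come out as
NOASSERTION rather than being guessed; resolve() refuses to emit a
partial SBOM when a .pc file is missing or the Requires graph loops, and
generate_sbom() rejects license strings that are not SPDX identifiers,
which is the kind of mismatch the ports-tree note below is about.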

4. Developer Integration
Establish workflows for FreeBSD developers to maintain SBOM
information in line with SPDX standards.

**Alternative Standards Considered**

We evaluated other standards but found them less suitable:
- OWASP CycloneDX (ECMA-424): Could be a bit easier to implement, but it
has less mature tooling and weaker industry momentum compared to SPDX.
- SWID Tags (ISO/IEC 19770-2:2015): Older format with limited adoption
in modern software supply chain contexts.

**Note on Ports Tree Licensing**

The current FreeBSD ports tree is not yet SPDX-compliant. A separate
ongoing effort is focused on transitioning the ports framework toward
SPDX-based license identifiers and metadata normalization. This work
is a prerequisite for generating SBOMs for third-party software in the
ports collection and will align the ports licensing infrastructure
with the goals of SPDX-based SBOM generation.

**Next Steps**

We would appreciate your feedback on:
- The choice of SPDX as the standard
- Preferred SPDX version (v2 vs v3)
- Proof-of-concept implementation approach
- Integration with existing FreeBSD development workflows
- Any concerns or suggestions for the proposed approach

Your input will help us refine the implementation before submitting
the necessary changes to the FreeBSD tree. Thanks in advance for your
time and consideration.

Ed Maste

[1] https://spdx.github.io/spdx-spec/v2.3/SPDX-Lite/
[2] https://github.com/OpenChain-Project/Japan-WG-General/tree/master/License-Info-Exchange/SPDX-Lite-sample
[3] https://scancode-toolkit.readthedocs.io/en/stable/