FOSS Compliance Vocabulary
5 exercises — Master the English vocabulary of FOSS compliance: SBOMs, GPL distribution obligations, license scanning, attribution notices, and REUSE/OpenChain standards.
0 / 5 completed
1 / 5
A security team requests an SBOM from a vendor before approving a new software purchase. What is an SBOM and why is it relevant to FOSS compliance?
An SBOM is a structured inventory of all software components in a product — analogous to a food ingredients label. For FOSS compliance, it answers: "what licenses are in my product?"
SBOM formats (machine-readable standards):
• SPDX (Software Package Data Exchange) — Linux Foundation standard; ISO/IEC 5962
• CycloneDX — OWASP standard, common in security tooling
• SWID (Software Identification Tags) — ISO/IEC 19770-2, common in enterprise software
What an SBOM contains:
• Package name, version, supplier
• SPDX license identifier(s)
• Copyright notices
• Download location / VCS URL
• Checksum / hash
• Dependency relationships
Regulatory context (why SBOMs matter now):
• US Executive Order 14028 (2021): requires SBOMs for software sold to the US federal government
• EU Cyber Resilience Act: SBOM requirements for products sold in the EU
• Many enterprises now require SBOMs in vendor contracts
Generating SBOMs:
• Tools: Syft, Trivy, SPDX tools, CycloneDX libraries
• Typically generated from lock files (package-lock.json, poetry.lock, go.sum, Cargo.lock)
Key vocabulary:
• SBOM (Software Bill of Materials) — a structured inventory of all software components and their licenses
• Transitive dependencies — packages that your direct dependencies depend on (often where compliance issues hide)
• SPDX license identifier — a standardised short code for a license (e.g., MIT, Apache-2.0, GPL-3.0-or-later)
• License scanning — automated analysis of dependencies to identify licenses and potential compliance issues
SBOM formats (machine-readable standards):
• SPDX (Software Package Data Exchange) — Linux Foundation standard; ISO/IEC 5962
• CycloneDX — OWASP standard, common in security tooling
• SWID (Software Identification Tags) — ISO/IEC 19770-2, common in enterprise software
What an SBOM contains:
• Package name, version, supplier
• SPDX license identifier(s)
• Copyright notices
• Download location / VCS URL
• Checksum / hash
• Dependency relationships
Regulatory context (why SBOMs matter now):
• US Executive Order 14028 (2021): requires SBOMs for software sold to the US federal government
• EU Cyber Resilience Act: SBOM requirements for products sold in the EU
• Many enterprises now require SBOMs in vendor contracts
Generating SBOMs:
• Tools: Syft, Trivy, SPDX tools, CycloneDX libraries
• Typically generated from lock files (package-lock.json, poetry.lock, go.sum, Cargo.lock)
Key vocabulary:
• SBOM (Software Bill of Materials) — a structured inventory of all software components and their licenses
• Transitive dependencies — packages that your direct dependencies depend on (often where compliance issues hide)
• SPDX license identifier — a standardised short code for a license (e.g., MIT, Apache-2.0, GPL-3.0-or-later)
• License scanning — automated analysis of dependencies to identify licenses and potential compliance issues