All Posts By Shane Coughlan

Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include spearheading the licensing team that elevated Open Invention Network into the largest patent non-aggression community in history, establishing the leading professional network of Open Source legal experts and aligning stakeholders to launch both the first law journal and the first law book dedicated to Open Source. Shane has extensive knowledge of Open Source governance, internal process development, supply chain management and community building. His experience includes engagement with the enterprise, embedded, mobile and automotive industries.

Case Study: Using the OpenChain Telco SBOM Guide in ByteDance

By News

This case study is split into the following parts:

  • About Our Author
  • Choosing the OpenChain Telco SBOM Guide
  • Structure Of This Case Study
  • Definitions / Specifications
  • Schema Considerations
  • Tooling for Implementation
  • A Practical Example
  • Conclusion and Future Work

About Our Author:

David (Dongwei) Liu is a Research and Development (R&D) Engineer at ByteDance with a focus on Open Source and Software Supply Chain Security and Compliance. His personal interests include 3D printing technology (including building 3D printers). He can be found on GitHub at https://github.com/ammend

Mental Model Applied To This Case Study:

This is a case study explaining how to use the OpenChain Telco SBOM Guide to improve the quality of SBOMs in deployment. It is approached from the perspective of real-world use inside a company, and contains some technical descriptions to help with automation. The workflow described can be visualized in the following image:

Definitions / Specifications:

It is important to start with definitions around the topic of SBOMs. Having formal definitions, identifying types, and so on allows us to establish specifications for developing a solution.

Defining SBOM:

This case study is focused on Software Bill of Materials (SBOM). In this case study, we define an SBOM as a formal record that lists all the components, libraries, and subsystems that are included in a given software product or system. It provides transparency about what is “inside” a product and allows others to better understand its composition. Well-known SBOM formats include SPDX and CycloneDX.

SBOM Type:

We distinguish two different kinds of SBOM type. The first is the primary type, which describes the purpose for which the SBOM of the product is used. The second is the generative type, which describes the point in the product lifecycle at which the SBOM was generated.

Primary SBOM in SPDX:

Primary SBOM in CycloneDX:

Generative SBOMs according to CISA:

We record both of these types in our database.

SBOM Core Elements:

SPDX:

NTIA SBOM:

Choosing the OpenChain Telco SBOM Guide:

The OpenChain Telco SBOM Guide was developed for a considerable period through the OpenChain Telco Work Group before reaching 1.0 status in 2024. A few factors came into play when selecting the OpenChain Telco SBOM Guide version 1.0 as the basis of our work:

Perhaps most importantly, the structure of the OpenChain Telco SBOM Guide means there is no need for repeated SBOM information supplements from other participants in the supply chain.

Schema Considerations:

Requirement Levels:

We used IETF RFC 2119 as the basis of our definitions. The key words defined are “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and “OPTIONAL”.

A schema is a technical validator that checks output data against these requirement levels. A requirement level affects a data field in one of two ways:

  • Field existence. The field MAY be present in the target data; the schema permits it.
  • Field mandatory. The field MUST be present in the target data; the schema rejects data without it.

OpenChain Telco SBOM Guide JSON Schema:

The JSON Schema Result:

Generating Process:

This is a work in progress. The process of generating the JSON schema of the Guide from scratch is shown below.

Why is there a schema fixing stage for SPDX?

We discovered that the official JSON schema implementation in the SPDX GitHub repository was not consistent with the official SPDX specification. We submitted Pull Requests to the official SPDX GitHub project that have been adopted as a fix for the 2.3.1 milestone. See https://github.com/spdx/spdx-spec/pull/1020 and https://github.com/spdx/spdx-spec/pull/1021.

Where such bugs exist, contributing a fix upstream is both an effective way of implementing a solution and a case study in addressing a broken feature or adding functionality.

In our case, we focused on arranging the order of fields in the implementation to match the order of fields in the official specification, which makes the schema more human-readable. In the original SPDX JSON schema implementation the order of fields was inconsistent.

Differences between the OpenChain Telco SBOM Guide 1.0 and SPDX 2.3:

The differences we identified between the OpenChain Telco SBOM Guide and SPDX 2.3 are:

  • In the OpenChain Telco SBOM Guide, the field comment in creationInfo is declared as mandatory;
  • The fields copyrightText, licenseConcluded, licenseDeclared, supplier and versionInfo in packages are declared as mandatory;
  • It adds descriptions to some fields in the JSON schema;
  • And it has a revised $id and title.

This is illustrated below:

internal $ python3 json_schema_compare.py -f ../openchain-telco-sbom-guide-1.0-schema.json spdx-v2.3-fix-schema.json
{
    "field_mandatory_comparison": {
        "more_fields": [
            "doc(object)->creationInfo(object)->comment",
            "doc(object)->packages(array)->packages_item(object)->copyrightText",
            "doc(object)->packages(array)->packages_item(object)->licenseConcluded",
            "doc(object)->packages(array)->packages_item(object)->licenseDeclared",
            "doc(object)->packages(array)->packages_item(object)->supplier",
            "doc(object)->packages(array)->packages_item(object)->versionInfo"
        ]
    },
    "field_existence_comparison": {}
}
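To make the existence/mandatory distinction and the comparison report above concrete, here is an added example. It is not the json_schema_compare.py script from the case study (whose source is not shown here) but a standard-library Python reconstruction of the idea behind its report, run over two constructed schema fragments shaped like SPDX 2.3 JSON and the Telco guide schema. It reproduces the report's path notation and, going beyond the output above, also reports fields that the second schema drops ("fewer_fields").

```python
"""Compare the fields two JSON schemas permit (existence) and require (mandatory).

Added example: not the case study's json_schema_compare.py, only a
standard-library reconstruction of the idea behind its report. The two schemas
are small constructed fragments shaped like SPDX 2.3 JSON and the OpenChain
Telco SBOM Guide 1.0 schema, not the real files.
"""
import copy
import json

# Constructed fragment standing in for the SPDX 2.3 JSON schema.
SPDX_LIKE = {
    "type": "object",
    "required": ["spdxVersion", "creationInfo", "packages"],
    "properties": {
        "spdxVersion": {"type": "string"},
        "creationInfo": {
            "type": "object",
            "required": ["created", "creators"],
            "properties": {
                "created": {"type": "string"},
                "creators": {"type": "array", "items": {"type": "string"}},
                "comment": {"type": "string"},  # optional in SPDX 2.3
            },
        },
        "packages": {
            "type": "array",
            "items": {
                "type": "object",
                "required": ["SPDXID", "name", "downloadLocation"],
                "properties": {
                    "SPDXID": {"type": "string"},
                    "name": {"type": "string"},
                    "downloadLocation": {"type": "string"},
                    "versionInfo": {"type": "string"},
                    "supplier": {"type": "string"},
                    "licenseConcluded": {"type": "string"},
                    "licenseDeclared": {"type": "string"},
                    "copyrightText": {"type": "string"},
                },
            },
        },
    },
}

# The Telco guide keeps the same fields but promotes six of them to mandatory.
TELCO_LIKE = copy.deepcopy(SPDX_LIKE)
TELCO_LIKE["properties"]["creationInfo"]["required"].append("comment")
TELCO_LIKE["properties"]["packages"]["items"]["required"] += [
    "copyrightText", "licenseConcluded", "licenseDeclared", "supplier", "versionInfo",
]


def _label(name, schema):
    # Containers carry their type in the path, leaves do not (the report's notation).
    kind = schema.get("type")
    return f"{name}({kind})" if kind in ("object", "array") else name


def _walk(schema, path, existence, mandatory):
    """Record every field path the schema permits, and those it requires."""
    kind = schema.get("type")
    if kind == "object":
        required = set(schema.get("required", []))
        for name, sub in schema.get("properties", {}).items():
            child = f"{path}->{_label(name, sub)}"
            existence.add(child)
            if name in required:
                mandatory.add(child)
            _walk(sub, child, existence, mandatory)
    elif kind == "array" and "items" in schema:
        # path ends in "<name>(array)"; its element is reported as "<name>_item"
        name = path.rsplit("->", 1)[-1].removesuffix("(array)")
        item_path = f"{path}->{_label(name + '_item', schema['items'])}"
        _walk(schema["items"], item_path, existence, mandatory)


def collect(schema):
    """Return (permitted paths, required paths) for a whole document schema."""
    existence, mandatory = set(), set()
    _walk(schema, _label("doc", schema), existence, mandatory)
    return existence, mandatory


def _diff(base, other):
    report = {}
    if other - base:
        report["more_fields"] = sorted(other - base)
    if base - other:
        report["fewer_fields"] = sorted(base - other)
    return report


def compare(base, other):
    """What `other` permits / requires beyond `base`, and what it drops."""
    base_exist, base_mand = collect(base)
    other_exist, other_mand = collect(other)
    return {
        "field_mandatory_comparison": _diff(base_mand, other_mand),
        "field_existence_comparison": _diff(base_exist, other_exist),
    }


if __name__ == "__main__":
    print(json.dumps(compare(SPDX_LIKE, TELCO_LIKE), indent=4))
```

Run against the two fragments, the mandatory comparison lists exactly the six paths shown in the report above and the existence comparison is empty, because the Telco guide adds requirements without adding fields. An empty existence comparison is the property that lets an SBOM valid under the stricter schema also validate under SPDX 2.3.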

Tooling for Implementation:

Introduction:

SBOM tools enable automatic generation of SBOM records. Specifically, they tend to:

  • Scan local files to generate basic SBOM information such as hashes, versions, package dependencies and relationships;
  • Then cross-check against trusted external component license and security sources, with a focus on package license info and package security info.

Many open source tools perform the first step, such as Syft and the CycloneDX CLI. Some examples can be found at this link: https://spdx.dev/use/tools/open-source-tools/

OpenChain Telco SBOM Guide Tool:

We have extended the Syft tool to support OpenChain Telco SBOM Guide. Syft is a CLI tool and library for generating a Software Bill of Materials from container images and filesystems. Our contribution can be found here: https://github.com/ammend/syft.

To run Syft for the OpenChain Telco SBOM Guide the following command is used:

./syft scan golang_example -o octsg-json@1.0 --file golang_example.sbom.json

“octsg-json” is an abbreviation of OpenChain Telco SBOM Guide JSON Schema.

A Practical Example:

Context:

We develop customized tools in ByteDance to collect dependencies of different kinds of artifacts. Below we will present an example using Golang. All of the example code is maintained at: https://github.com/ammend/openchain-telco-guide-examples

Golang Example:

Our SBOM example was created in a project called golang_example:

Our example used a web framework called gin and provided the analyzed SBOM result as shown below. In the code we only ask to import 1 third-party dependency, yet in total we import 19 dependencies. This is why code review and clear processes are important.

Package level:

File Level:

Relationship Level:
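As an added example (not code from the case study, from Syft, or from the golang_example repository), the following Python walks a constructed SPDX 2.3 JSON document shaped like Syft's spdx-json output for a Go module that imports gin. It separates the single direct dependency from the transitive closure over DEPENDS_ON relationships, which is how "1 imported, 19 in total" is read off an SBOM at the relationship level, and it checks every package for the Telco-mandatory fields from the schema comparison above and for NOASSERTION license values, the gap raised in the conclusion. Module paths are real Go modules; the versions, supplier values and relationships are constructed and much smaller than the real 19-package graph.

```python
"""Read an SPDX 2.3 JSON SBOM: direct vs transitive dependencies, plus the
Telco-mandatory / NOASSERTION gaps per package.

Added example, not code from the case study, Syft or golang_example. SBOM is a
constructed, trimmed document in the shape of Syft's spdx-json output.
"""
from collections import deque

# Package fields the OpenChain Telco SBOM Guide 1.0 makes mandatory
# (from the schema comparison in the case study; comment lives in creationInfo).
TELCO_PACKAGE_MANDATORY = ("copyrightText", "licenseConcluded", "licenseDeclared",
                           "supplier", "versionInfo")

SBOM = {  # constructed sample
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "golang_example",
    "creationInfo": {
        "created": "2025-01-01T00:00:00Z",
        "creators": ["Tool: example-generator"],
        "comment": "constructed for the worked example",  # mandatory under the Telco guide
    },
    "packages": [
        {"SPDXID": "SPDXRef-root", "name": "golang_example", "versionInfo": "0.1.0",
         "supplier": "Organization: example", "licenseConcluded": "MIT",
         "licenseDeclared": "MIT", "copyrightText": "NOASSERTION"},
        {"SPDXID": "SPDXRef-gin", "name": "github.com/gin-gonic/gin", "versionInfo": "v1.9.1",
         "supplier": "NOASSERTION", "licenseConcluded": "MIT",
         "licenseDeclared": "MIT", "copyrightText": "NOASSERTION"},
        # Constructed defect: no supplier, and no license information at all.
        {"SPDXID": "SPDXRef-validator", "name": "github.com/go-playground/validator/v10",
         "versionInfo": "v10.14.0", "licenseConcluded": "NOASSERTION",
         "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION"},
        {"SPDXID": "SPDXRef-xnet", "name": "golang.org/x/net", "versionInfo": "v0.10.0",
         "supplier": "Organization: Go", "licenseConcluded": "BSD-3-Clause",
         "licenseDeclared": "BSD-3-Clause", "copyrightText": "NOASSERTION"},
        # Constructed defect: versionInfo missing.
        {"SPDXID": "SPDXRef-xcrypto", "name": "golang.org/x/crypto",
         "supplier": "Organization: Go", "licenseConcluded": "BSD-3-Clause",
         "licenseDeclared": "BSD-3-Clause", "copyrightText": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-root",
         "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-root", "relatedSpdxElement": "SPDXRef-gin",
         "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-gin", "relatedSpdxElement": "SPDXRef-validator",
         "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-gin", "relatedSpdxElement": "SPDXRef-xnet",
         "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-validator", "relatedSpdxElement": "SPDXRef-xcrypto",
         "relationshipType": "DEPENDS_ON"},
    ],
}


def _edges(sbom, rel_type):
    """Adjacency list for one relationship type."""
    out = {}
    for rel in sbom.get("relationships", []):
        if rel["relationshipType"] == rel_type:
            out.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    return out


def described_package(sbom):
    targets = _edges(sbom, "DESCRIBES").get(sbom["SPDXID"], [])
    if len(targets) != 1:
        raise ValueError("expected exactly one DESCRIBES relationship from the document")
    return targets[0]


def direct_dependencies(sbom):
    """What the product itself imports (one package in the case study)."""
    return sorted(_edges(sbom, "DEPENDS_ON").get(described_package(sbom), []))


def all_dependencies(sbom):
    """Transitive closure over DEPENDS_ON; BFS with a seen-set so cycles terminate."""
    edges = _edges(sbom, "DEPENDS_ON")
    root = described_package(sbom)
    seen, queue = set(), deque([root])
    while queue:
        for dep in edges.get(queue.popleft(), []):
            if dep != root and dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return sorted(seen)


def telco_gaps(sbom):
    """Per package: Telco-mandatory fields absent, and license fields left NOASSERTION."""
    gaps = {}
    for pkg in sbom["packages"]:
        missing = [f for f in TELCO_PACKAGE_MANDATORY if f not in pkg]
        noassertion = [f for f in ("licenseConcluded", "licenseDeclared")
                       if pkg.get(f) == "NOASSERTION"]
        if missing or noassertion:
            gaps[pkg["name"]] = {"missing": missing, "noassertion": noassertion}
    return gaps


if __name__ == "__main__":
    print("direct:", direct_dependencies(SBOM))
    print("transitive:", all_dependencies(SBOM))
    for name, gap in telco_gaps(SBOM).items():
        print(f"{name}: missing={gap['missing']} noassertion={gap['noassertion']}")
```

The two checks are deliberately separate: a missing field fails schema validation under the Telco guide, whereas a field present but set to NOASSERTION passes the schema and still leaves the license question open, which is why the conclusion treats NOASSERTION handling as future work rather than a tooling bug.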

Conclusion and Future Work:

Questions for the future include:

  1. How to build a trusted source or upstream
  2. How to address situations of NOASSERTION when it comes to licenses, as outputs from Syft are not sufficient to cover this use case
  3. How to build a trusted source codebase from commercial or community tools
  4. How to improve the use of SBOM and potentially the scope of their use
  5. How to refine the type of declaration used for external commercial purposes
  6. How to refine governance for internal development
  7. How to create effective upstream contribution workflows

If you want to know more, we can talk to each other via GitHub or through the OpenChain China Work Group WeChat Group.

Note: ByteDance activity extends beyond being a user of the Telco SBOM Guide. David (Dongwei) Liu has also contributed a schema for the Telco SBOM Guide 1.0 which is merged into the official OpenChain Telco Work Group GitHub.

From BOSCH: OpenChain & Friends: Stuttgart Success, Eastern Europe Expansion

By News

On the 7th to 9th of April 2025, OpenChain and The FOSS-LÄND Community collaborated with many industry peers to bring together thought-leaders in open source business management in Stuttgart.

A key collaborator and host in this process was Bosch, and their open source team has just published a blog post recapping the event, lessons learned and more:

One very exciting thing highlighted by Bosch:

Energized by the discussions at the OpenChain & Friends event in Stuttgart, we’re excited to share an initiative brewing in the OpenChain community: Vladimir Slavov from Bosch Digital and Ivo Emanuilov, are establishing an OpenChain regional working group for the eastern part of Europe. With several years of experience navigating the open-source software landscape, both recognized the crucial role eastern Europe plays in the global open-source ecosystem and the increasing importance of secure and compliant software supply chains. This initiative aims to build a vibrant local community dedicated to promoting and driving the adoption of key open-source standards like ISO/IEC 5230 (open-source license compliance) and ISO/IEC 18974 (open-source security assurance). 

This nascent working group is currently gathering momentum and seeking enthusiastic participants. Are you based in Eastern Europe and interested in contributing to a stronger, more secure open-source ecosystem? Connect with Vladimir on LinkedIn to learn more and get involved!

And of course, a big thanks to all our other friends!

OpenChain and Friends: Stuttgart – Follow-Up Webinar Series

By News

On the 7th to 9th of April 2025, OpenChain and The FOSS-LÄND Community collaborated with many industry peers to bring together thought-leaders in open source business management in Stuttgart. Now we are working with our speakers to share some of the knowledge even further!

Starting in May, and continuing into Q3, we will hold a series of special webinars that showcase key talks from the event. These webinars will also provide a new opportunity for attendees to ask questions.

Here are the webinars confirmed so far:

= 1 = 

First Steps With ORT: An EEF Experience – Kiko Fernández
2025-05-27 @ 10:00 CEST

= 2 =

AboutCode – Practical Compliance in One Stack – Licensing, Vulnerabilities, and More – Philippe Ombredanne 
2025-06-10 @ 09:00 CEST

= 3 =

Establishing trusted and consistent open source management across the supply chain with the OpenChain ISO standards – Shane Coughlan
2025-06-18 @ 17:30 JST (part of the OpenChain Monthly Specification and Education Call (Europe / Asia))

= 4 =

Project OCCTET.eu – the why, what and how – Andreas Kotulla and Martin von Willebrand
2025-07-01 @ 09:00 CEST

= 5 = 

How we are doing compliance at CARIAD with ORT – Helio Chissini de Castro 
2025-07-03 @ 09:00 CEST

And … Special Thanks to All Our Collaborators From Stuttgart!

Famisanar EPS Announces an ISO/IEC 5230 Conformant Program

By Featured, News

Famisanar EPS was formed in 1995 as a strategic alliance between Cafam and Colsubsidio to contribute to improving the health of Colombians. They currently have 2,277 collaborators and are present in 139 municipalities of 16 departments. They have a total of 58 Administrative and User Service Offices nationwide.

“The OpenChain Project, and the standards we maintain, are a contribution to the health and trustability of the software supply chain,” says Shane Coughlan, OpenChain General Manager. “We are delighted to see that our work is supporting the medical industry in Colombia, and we hope their activity in this space inspires others. The OpenChain community is always ready to help organizations from any geography, and in any industry, make use of our standards and guides to improve open source process management.”

RECORDING: OpenChain Monthly Specification and Education Call (North America – Europe) – 2025-05-14

By News

We Discussed:

Specification:

Reflections on our lessons learned in making ISO 18974, and our process of drafting proposed updates to the standards, to try and provide a template for other projects looking at making and maintaining standards.

Education:

A review of the updated Reference Library, updated open source policy template and drafting underway for a new OpenChain Adoption Guide + discussion about and call for engagement with updates to our online training.

And…

The Future:

The OpenChain Project has been very busy with various things in recent months. AI Compliance in the supply chain. SBOM Quality (Telco and Cross-Industry). Country meetings (Germany, Korea, Japan), and so on. However, attendance on the main monthly call has been modest. We discussed how to change that, and also how to address the issue of timezones.

The second point was front-of-mind for our Specification Chair, Chris Wood. When drafting a specification, or considering an update to a presentation, the majority of the work tends to be live-editing on calls. However, with the geographic split between North America, Europe and Asia, our retrospective on the ISO/IEC 5230 and ISO/IEC 18974 proposed updates revealed this to be a concern.

Starting next month, we will explore options to boost interest, engagement and attendance with this primary call, and to improve the ability of people from around the world to live edit, rather than needing to catch-up via mailing lists or on GitHub.

The first step will be adjusted scheduling (watch this space) and the second step will be to invite the various work groups and study groups to join the main call, and to provide briefings and Q&A around their work.

Check out the Meeting Slides:

Watch the Recording:

https://www.youtube.com/watch?v=K0ORCvnDRhs

Coming Next:

We will be following up on the activities outlined above on the mailing lists, and we will continue our regular series of calls and meetings throughout the year.

Join Our Work:

Everyone is welcome to be part of the Specification Work Group. You can join their mailing list here:
https://lists.openchainproject.org/g/specification/

You can find and be part of all OpenChain calls through our participation page here:
https://openchainproject.org/participate

OpenAnolis Announces Adoption of ISO/IEC 5230

By Featured, News

OpenAnolis announced that it has met the OpenChain ISO/IEC 5230 standard. The OpenAnolis community is a non-profit open source community formed by enterprises, institutions, universities, scientific research institutions, non-profit organizations, individuals, etc. on the basis of voluntariness, equality, openness, and collaboration.

The OpenAnolis community has always attached great importance to the construction of security and compliance capabilities. In terms of infrastructure, R&D processes and tools, the community has made comprehensive and in-depth investments, including the construction of software supply chain security infrastructure, support for SBOM lists, and the construction of license compliance systems. These capabilities provide solid security guarantees for the community’s open source activities, ensuring that they are carried out smoothly in a safe and compliant environment.

Ma Tao, Chairman of OpenAnolis, said: “We are pleased to announce the OpenChain ISO/IEC 5230 certification. Open source has always been the source of innovation for the OpenAnolis Community. The OpenAnolis Community will firmly embrace open source, contribute to open source, and contribute to the field of operating systems in the AI era. This certification is a very important milestone in the construction of OpenAnolis’s open source compliance capabilities, and it is also a new starting point. The OpenAnolis Community will continue to invest and improve in the direction of security compliance to ensure the community’s security compliance level.”

Liu Dapeng, head of the OpenAnolis Community Standardization SIG, said that the OpenAnolis Community’s OpenChain ISO/IEC 5230 certification is of great significance to the development of the community. Standards and community open source complement each other, promote and enhance each other, and play an important role in building an open, interoperable, prosperous and innovative technology ecosystem. In the future, the Standardization SIG will continue to work with community ecosystem partners to jointly formulate the engineering standards of the OpenAnolis Community and ensure that community products meet relevant standard requirements.

About OpenAnolis

Founded in September 2020, OpenAnolis is an international open-source community and innovation platform for operating systems. It is committed to building a Linux open-source distribution and open-source innovation technology through open community cooperation. Its goal is to promote the prosperity and development of software, hardware, and application ecology, and jointly create new sources and infrastructure for digital development.

The community council consists of 24 leading enterprises from around the world, including Alibaba Cloud, Uniontech, Loongson, Arm, Intel, and more. Nearly 600 partners have participated in ecological co-construction, achieving full coverage of mainstream chip collaborative research and development mechanisms, mainstream middleware/databases, and mainstream OEM manufacturers. Over 100 products have successfully adopted the OpenAnolis operating system (Anolis OS). Currently, OpenAnolis has served over 800,000 users.

OpenAnolis has established about 60 SIG working groups, with an average monthly contribution of 5,000 PR. It has achieved technological innovation in core areas such as chips, kernel, compiler, security, virtualization, and cloud-native, consistently ranking at the top of the Linux community rankings. The community has released several community versions, including Anolis LoongArch GA, Anolis OS 7.9, 8.4, 8.6, and more.

About the OpenChain Project

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

OpenAnolis (龙蜥社区) Announces Conformance with the OpenChain ISO/IEC 5230 Standard

By News

The OpenAnolis community (龙蜥社区) announces that it conforms to the OpenChain ISO/IEC 5230 standard. OpenAnolis is a non-profit open source community formed by enterprises and institutions, universities, scientific research institutes, non-profit organizations, individuals and others on the basis of voluntary participation, equality, openness and collaboration.

The OpenAnolis community has always attached great importance to building its security and compliance capabilities. In infrastructure, R&D processes and tooling, the community has invested comprehensively and deeply, including building software supply chain security infrastructure, supporting SBOM lists and constructing a license compliance system. These capabilities provide solid security guarantees for the community’s open source activities, ensuring that they proceed smoothly in a secure and compliant environment.

Ma Tao, Chairman of the OpenAnolis community, said: “We are pleased to announce that we have obtained OpenChain ISO/IEC 5230 certification. Open source has always been the source of innovation for the OpenAnolis community. OpenAnolis will firmly embrace open source, contribute to open source, and contribute OpenAnolis’s strength to the operating system field in the AI era. Passing this certification is a very important milestone in OpenAnolis’s open source compliance capability building, and also a new starting point. The OpenAnolis community will continue to invest in and improve security compliance to guarantee the community’s level of security compliance.”

Liu Dapeng, head of the OpenAnolis community Standardization SIG, said that the OpenAnolis community’s OpenChain 5230 certification is of great significance to the community’s development. Standards and community open source complement, promote and reinforce each other, and together play an important role in building an open, interoperable, prosperous and innovative technology ecosystem. In the future the Standardization SIG will continue to work with community ecosystem partners to jointly formulate the engineering standards of the OpenAnolis community and ensure that community products meet the relevant standard requirements.

About OpenAnolis (龙蜥社区):

Founded in September 2020, the OpenAnolis community is rooted in cloud computing to build the cornerstone of digital innovation, gathering the strength of the industry ecosystem to jointly create new open source infrastructure for digital development. Bringing together enterprises and institutions, universities, research institutes, individual developers and other diverse roles, and serving as an internationally oriented root open source community and innovation platform for Linux server operating systems, OpenAnolis continues to promote the prosperous development of the software, hardware and application ecosystem.

Visit https://openanolis.cn/?lang=en for more information.

About the OpenChain Project:

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs, and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation:

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit linuxfoundation.org

Socionext Announces Recertification of OpenChain ISO/IEC 5230

By Featured, News

Socionext, a semiconductor and System on a Chip (SOC) company based in Japan, has completed recertification of OpenChain ISO/IEC 5230. This is an important part of the 18 month review cycle required by the specification to ensure processes are current.

“ISO standard periodic recertification is a critical building block in creating trust,” says Shane Coughlan, OpenChain General Manager. “As companies evolve and markets change, it is important to use clear, unambiguous processes like those outlined in OpenChain ISO/IEC 5230, the International Standard for open source license compliance. This is key to managing the open source software supply chain, and Socionext has long been a leader in this area.”

About Socionext Inc.

Socionext Inc., a leading global System-on-Chip (SoC) supplier, is a pioneer of the ‘Solution SoC’ business model. This innovative approach encompasses Socionext’s ‘Entire Design’ capabilities and offering of ‘Complete Service’. As a trusted silicon partner, Socionext fuels global innovation, providing superior features, performance, and quality that set its customers’ products and services apart in diverse domains ranging from automotive and data centers to networking, smart devices, and industrial equipment.

Socionext Inc., based in Yokohama, operates offices across Japan, Asia, the United States, and Europe for development and sales. For more information, visit https://www.socionext.com/en/.

About the OpenChain Project

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

AbacatePay Announces an ISO/IEC 5230 Conformant Program

By Featured, News

AbacatePay is a developer-friendly payment gateway designed to simplify payment processing. Built by developers for developers, it offers:

  • Simple, intention-based API endpoints
  • Idempotent operations for reliable transactions
  • Consistent JSON request/response formats
  • Native SDK support
  • Easy dev mode integration
  • PIX payment support
  • Streamlined client and billing management

Learn More On Their Website:
