The OWASP Foundation collaborated with Ecma International to establish Technical Committee 54 (TC54), a group dedicated to advancing global standards in software and system transparency. This initiative reflects a shared commitment to building a secure and open technology ecosystem where transparency helps to mitigate supply chain risks. Each TC54 specification is designed for seamless integration, ensuring that diverse standards in software transparency, security, and compliance work harmoniously together to deliver a cohesive framework for managing components in the software supply chain.
CycloneDX is a modern standard for the software supply chain. At its core, CycloneDX is a general-purpose Bill of Materials (BOM) standard capable of representing software, hardware, services, cryptography, and other types of inventory.
Package-URL (PURL) is a standardized way to identify and locate software packages across various ecosystems and repositories. It provides a consistent URI format that simplifies package tracking across the software supply chain.
The Vers Version Range Specification defines a standard way to express version ranges for software packages. This specification introduces a syntax to describe ranges of versions, allowing for precise and consistent identification of sets of versions across different ecosystems.
The Transparency Exchange API (TEA) aims to facilitate the automated exchange of supply chain artifacts such as Software Bill of Materials (SBOM), Vulnerability Exploitability eXchange (VEX), and attestations, allowing users to automatically discover and consume transparency-related artifacts for a product.
The Common Lifecycle Enumeration (CLE) is an open standard designed to support component aliasing, component lifecycle events such as end-of-life (EOL) and end-of-support (EOS), and provenance chaining over time.