SEPIA - Streamlining SBOM exchange for a secure software supply chain
In today's interconnected world, software is rarely built from scratch. It's assembled from a multitude of components, both proprietary and open-source. This creates a complex software supply chain requiring transparency to ensure security and compliance. Software Bills of Materials (SBOMs) are the key to this transparency, but their effective use has been hampered by a lack of standardization in how they are exchanged and validated.
This is where SEPIA (SBOM Exchange Procedures, Interfaces, and Architecture) comes in. SEPIA is an open-source project initiated by Bosch within the OpenChain SBOM Workgroup to create a framework that enables the efficient and reliable exchange of SBOMs. The project provides tools, processes, and a framework for validating SBOMs, ensuring that the data they contain is valid based on pre-defined SBOM schemas.
The Challenge: From Flexible Standards to Reliable Practice
Leading SBOM specifications like SPDX and CycloneDX are designed to be flexible, but this flexibility can lead to inconsistencies when SBOMs are exchanged between different parties. These inconsistencies in interpretation can result in misunderstandings and a loss of critical data, undermining the very purpose of an SBOM.
Bosch encountered this challenge firsthand when establishing a reliable data flow for the exchange of clearing results. This process requires the seamless exchange of the details that allow legal and cybersecurity assessments. To address this, the Center of Competence Open Source at Bosch developed a precise semantic definition for all necessary data fields, specifying which data is mandatory, what it means, and where it needs to be located within the SBOM. This ensures a lossless conversion between different SBOM formats and a consistently transparent software supply chain.
The Solution: The SEPIA Validator Tool
A key component of the SEPIA project is the SEPIA validator tool. This tool is designed to validate SBOMs against a defined schema, ensuring that they meet the required standards for a variety of use cases, including:
- Validation of product-specific SBOMs
- Verification of supplier-provided SBOMs
- Standardization of multi-source SBOM integration
Beyond validation, the SEPIA validator tool provides a comprehensive set of features to manage the entire lifecycle of an SBOM:
| Feature | Description |
|---|---|
| Schema Validation Support | Includes support for CycloneDX 1.4, SPDX 2.3, and custom schemas. |
| SBOM Management Functions | Capabilities to edit metadata, insert fields, and merge multiple SBOMs. |
| Comprehensive Audit Trail | A detailed changelog that tracks all operations performed on an SBOM. |
This integrated approach provides a robust foundation for effective SBOM management, ensuring data integrity and compliance throughout the software supply chain.
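As an added illustration (not SEPIA's own code or schema), the following Python snippet shows the two ideas the table describes in miniature: checking a CycloneDX-style document against a list of mandatory field paths, and recording every edit in a changelog. The path list, the sample SBOM and all function names are constructed assumptions.

```python
import copy
from datetime import datetime, timezone
# Constructed requirement list (not SEPIA's schema): dot paths that must be
# present and non-empty; a "[]" suffix means "every element of this list".
MANDATORY_PATHS = ["bomFormat", "specVersion", "metadata.component.name",
                   "components[].name", "components[].version", "components[].purl"]

def _lookup(obj, parts):
    """Yield every value addressed by parts, None where a key is absent."""
    if not parts:
        yield obj
        return
    head, rest = parts[0], parts[1:]
    if head.endswith("[]"):                       # fan out over a list field
        items = obj.get(head[:-2]) if isinstance(obj, dict) else None
        for item in items or []:
            yield from _lookup(item, rest)
    else:
        yield from _lookup(obj.get(head) if isinstance(obj, dict) else None, rest)

def validate(sbom, required=MANDATORY_PATHS):
    """Return findings; an empty list means every required path is satisfied."""
    findings = []
    for path in required:
        values = list(_lookup(sbom, path.split(".")))
        bad = sum(1 for v in values if v in (None, "", [], {}))
        if not values:
            findings.append(f"{path}: no entries to check")
        elif bad:
            findings.append(f"{path}: {bad} of {len(values)} missing or empty")
    return findings

def set_field(sbom, path, value, changelog):
    """Edit one field in place and append an audit record with old/new values."""
    *parents, last = path                         # e.g. ["components", 1, "purl"]
    node = sbom
    for key in parents:
        node = node[key]
    old = copy.deepcopy(node.get(last))
    node[last] = value
    changelog.append({"op": "set", "path": ".".join(map(str, path)), "old": old,
                      "new": value, "at": datetime.now(timezone.utc).isoformat()})

def sample_sbom():
    """Constructed CycloneDX-style document; the second component lacks a purl."""
    libfoo = {"name": "libfoo", "version": "2.1.0", "purl": "pkg:generic/libfoo@2.1.0"}
    libbar = {"name": "libbar", "version": "0.9.3", "purl": ""}
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [libfoo, libbar],
            "metadata": {"component": {"name": "example-app", "version": "1.0.0"}}}
```

Running `validate(sample_sbom())` flags the empty `purl`; after `set_field` repairs it, the document passes and the changelog holds the before/after values for the audit trail.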
Open-Source for a Stronger Community
The SEPIA project is a testament to the power of open-source in solving industry-wide challenges. By sharing the tool and the schema, Bosch aims to foster a community of collaboration where knowledge is shared, and best practices are developed together. We believe that this open approach is the most effective way to improve efficiency and avoid reinventing the wheel when it comes to SBOM strategy.
We invite you to join us in this effort. You can find the project on GitHub and contribute to building a more secure and transparent software supply chain for everyone.
Additionally, SEPIA has been presented at several conferences and community events, including the Bitkom 2024, the OSS EU Summit 2025, and the OpenChain Automotive Work Group Workshop 2025.
Nikolai Wiens, Open Source Officer, Bosch Connected Industry (BCI)
Nikolai Wiens has experience as a software developer in various industries and holds a degree in computer science. Since 2018, he has served as Open Source Officer, promoting InnerSource activities at BCI and throughout the Bosch Group.
Hans Malte Kern, Chief Expert Open Source, Bosch Corporate, Bosch OSPO
Hans Malte Kern began his career as a research engineer in Corporate Research, focusing on process improvement and open-source technologies. A pivotal figure in Bosch's open-source journey, he initiated BIOS (Bosch Internal Open Source) and, in 2012, took on the role of Head of the Center of Competence for Open Source. In this capacity, he is responsible for corporate open-source governance and compliance. As the corporate topic owner for open-source, Hans is a leading voice for open-source within Bosch.
Rakesh Prabhakaran, Senior Expert Open Source, Bosch Global Software Technologies, Bosch OSPO
Rakesh has a degree in Information Technology and has worked in software development and DevOps roles. In his current position he supports Bosch OSPO on the technical topics related to open-source compliance. He also leads the SEPIA project development and acts as a maintainer of the SEPIA repository in the OpenChain Project. He is a tech enthusiast with a keen interest in experimenting with Gen AI and Agentic AI in daily activities.