


Sarah Gooding
January 31, 2025
We're excited to share that Socket has officially joined TC54! This marks an important step in our commitment to improving software supply chain security, and we’re looking forward to contributing to the evolution of key technologies like Software Bills of Materials (SBOMs), CycloneDX, and Package URLs (PURL).
TC54 is a technical committee dedicated to standardizing core data formats, APIs, and algorithms that advance software and system transparency. It oversees key specifications such as PURL, a format for identifying software packages across ecosystems, and is chartered to oversee the OWASP CycloneDX Bill of Materials (SBOM) specification and to develop new standards that enhance transparency and identity across the supply chain.
TC54 was established in December 2023 as a joint initiative between Ecma International and the OWASP Foundation, both of which have long been committed to open industry standards. These organizations have driven a series of advancements in software transparency, beginning with the introduction of CycloneDX v1.0 in 2018.
Over the years, CycloneDX has evolved significantly, incorporating features like component lineage tracking, vulnerability disclosure, AI transparency, and post-quantum cryptographic readiness. In June 2024, CycloneDX v1.6 was ratified as an Ecma international standard and published as ECMA-424.
At Socket, we believe in securing the open source ecosystem at its core, and that starts with improving visibility and standardization around software dependencies. By participating in TC54, we have an opportunity to collaborate with industry leaders and help refine these crucial standards to make them more robust, flexible, and developer-friendly.
“As a supply chain security company, it's important for us to be involved in the open source and standards process,” Socket engineer and TC54 contributor John-David Dalton said. “We are part of the community as well as the ecosystem we protect.”
While our involvement is just beginning, our team is already actively contributing to TC54’s initiatives:
Our participation in TC54 is just getting started, but we’re eager to contribute, learn, and collaborate. By working on standards like PURL and CycloneDX, we aim to make software supply chain security more effective and accessible for everyone.
“The future of software security depends on strong, open, community-driven standards,” Socket CEO Feross Aboukhadijeh said. “Through TC54, we're collaborating with industry leaders to build that future and protect developers worldwide.”
We’ll be sharing updates as we make progress—stay tuned for more!