Definition
The build profile includes capturing details of software builds. Specifically, the build profile and its associated definitions help express how software is generated and transformed. This includes encoding the inputs, outputs, procedures/instructions, environments and actors from the build process, along with the associated evidence.
Personas
The profile is primarily produced by software builders. This includes tools and organizations that operate build services and infrastructure, software compilers and software packagers. The build information can be consumed by security, safety, compliance and quality assurance operators, auditors and executives.
Use Cases
Build Provenance
Providing and verifying the build provenance of a piece of software ensures that the provided software is what it claims to be.
Security
Providing the necessary information to respond to supply chain compromises, such as a bad builder or a bad build tool/configuration.
Audit
Checking whether a certain build tool or configuration (e.g. a security compilation flag) was enabled in the creation of the software.
Reproducibility
Providing the necessary information to verify the reproducibility of a build to create more confidence in the built artifact and the build process.
Quality
Providing evidence to assert higher confidence that the software components specified in an SBOM are accurate and complete.
Safety
Providing information about all the inputs and processes used in the creation of the software, so they can be audited and verified against safety standards for critical infrastructure and components.
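The following is an added example, not part of the SPDX Build Profile specification or the SPDX project's own code. It models the concepts the profile encodes (inputs, outputs, procedure, environment, actor, evidence) as a simplified, hypothetical build record (the field names are assumptions, not the SPDX 3.0 serialization) and implements checks for three of the use cases above: provenance verification by hash, an audit for a required compilation flag, and a reproducibility comparison between two builds. The source and binary bytes are constructed stand-ins.

```python
"""Simplified build record with provenance, audit and reproducibility checks.

Added illustration of the build profile's concepts; the record layout and
field names are hypothetical and are not the SPDX 3.0 JSON-LD format.
"""
import hashlib
import json

# Constructed sample artifacts standing in for a real source file and binary.
SAMPLE_SOURCE = b"int main(void) { return 0; }\n"
SAMPLE_BINARY = b"\x7fELF-constructed-binary-bytes"


def sha256(data: bytes) -> str:
    """Hex SHA-256 digest used as the evidence for each artifact."""
    return hashlib.sha256(data).hexdigest()


def make_build_record(source: bytes, output: bytes, flags: list[str]) -> dict:
    """Assemble a build record: who built what, from which inputs, how, and where."""
    return {
        "buildType": "example:native-compile",   # hypothetical build type identifier
        "actor": "builder@example.invalid",      # the builder that performed the build
        "environment": {"os": "linux", "compiler": "example-cc 1.0"},  # constructed
        "procedure": {"entrypoint": "make", "parameters": flags},
        "inputs": [{"name": "main.c", "sha256": sha256(source)}],
        "outputs": [{"name": "app", "sha256": sha256(output)}],
    }


def verify_provenance(record: dict, artifacts: dict[str, bytes]) -> bool:
    """Build Provenance: every declared input and output must match the bytes we hold."""
    for entry in record["inputs"] + record["outputs"]:
        data = artifacts.get(entry["name"])
        if data is None or sha256(data) != entry["sha256"]:
            return False
    return True


def audit_flags(record: dict, required: set[str]) -> set[str]:
    """Audit: return the required hardening flags that were NOT used in this build."""
    used = set(record["procedure"]["parameters"])
    return required - used


def is_reproducible(record_a: dict, record_b: dict) -> bool:
    """Reproducibility: same inputs and procedure must yield byte-identical outputs.

    The environment is deliberately not compared: a second, independent
    environment producing the same outputs is what gives confidence.
    """
    same_inputs = record_a["inputs"] == record_b["inputs"]
    same_procedure = record_a["procedure"] == record_b["procedure"]
    same_outputs = record_a["outputs"] == record_b["outputs"]
    return same_inputs and same_procedure and same_outputs


if __name__ == "__main__":
    flags = ["-O2", "-fstack-protector-strong"]
    record = make_build_record(SAMPLE_SOURCE, SAMPLE_BINARY, flags)
    print(json.dumps(record, indent=2))
    print("provenance ok:", verify_provenance(
        record, {"main.c": SAMPLE_SOURCE, "app": SAMPLE_BINARY}))
    print("missing flags:", audit_flags(
        record, {"-fstack-protector-strong", "-D_FORTIFY_SOURCE=2"}))
    rebuild = make_build_record(SAMPLE_SOURCE, SAMPLE_BINARY, flags)
    print("reproducible:", is_reproducible(record, rebuild))
```

A tampered output, a missing hardening flag, or a rebuild that yields different bytes each surfaces as a failed check, which is the kind of evidence the respective persona (security responder, auditor, reproducibility verifier) needs from the build information.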
Benefits
Applying the build profile enables the encoding of the information needed to perform the respective use cases and allows interoperability across tools and ecosystems that understand the SPDX Build Profile.