The build profile captures details of software builds. Specifically, the build profile and its associated definitions express how software is generated and transformed. This includes encoding the inputs, outputs, procedures/instructions, environments and actors of the build process, along with the associated evidence.
The profile is primarily produced by software builders. This includes tools and organizations that operate build services and infrastructure, software compilers, and software packagers. The build information can be consumed by security, safety, compliance and quality assurance operators, auditors and executives.
Use cases for the build profile include:
- Providing and verifying the build provenance of a piece of software, ensuring that the provided software is what it claims to be.
- Providing the information needed to respond to supply chain compromises, such as a compromised builder or a bad build tool/configuration.
- Checking whether a certain build tool setting (e.g. a security-related compilation flag) was enabled in the creation of the software.
- Providing the information needed to verify the reproducibility of a build, creating more confidence in the built artifact and the build process.
- Providing evidence to assert with higher confidence that the software components specified in an SBOM are accurate and complete.
- Providing information about all the inputs and processes used in the creation of the software, so they can be audited and verified against safety standards for critical infrastructure and components.
Applying the build profile enables encoding the information needed to support these use cases and allows interoperability across tools and ecosystems that understand the SPDX Build Profile.
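The use cases above, as an added Python example that is not part of the SPDX specification or its tooling: a simplified build record modelled on the SPDX 3.0 Build profile (the field names, the inlined input/output/actor relationships and the placeholder buildType URI are assumptions of this example, not the normative schema), with checks for output provenance, a hardening compiler flag, reproducibility and SBOM completeness.

```python
import hashlib

# Constructed sample artefacts standing in for real build inputs and outputs.
SOURCE_TARBALL = b"constructed source tarball contents"
ARTIFACT = b"constructed compiled binary contents"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_record(output: bytes, cflags: str) -> dict:
    """Simplified build record modelled on the SPDX 3.0 Build profile
    (buildType, parameters, environment, inputs, outputs, invoking actor).
    Field names are an assumption for this example, not the normative schema."""
    return {
        "type": "build_Build",
        "build_buildType": "https://example.invalid/gcc-native",  # placeholder URI
        "build_parameter": {"CFLAGS": cflags},
        "build_environment": {"compiler": "gcc 13.2.0", "os": "debian-12"},
        "hasInput": [{"name": "src.tar.gz", "sha256": sha256(SOURCE_TARBALL)}],
        "hasOutput": [{"name": "app", "sha256": sha256(output)}],
        "invokedBy": "constructed-builder",
    }

def verify_output_provenance(record: dict, name: str, artifact: bytes) -> bool:
    """Provenance: the artifact in hand is the one the record declares as its output."""
    return any(o["name"] == name and o["sha256"] == sha256(artifact)
               for o in record["hasOutput"])

def has_build_flag(record: dict, param: str, flag: str) -> bool:
    """Configuration: a given (e.g. hardening) flag was part of the recorded build."""
    return flag in record["build_parameter"].get(param, "").split()

def compare_builds(original: dict, rebuild: dict) -> list:
    """Reproducibility: the same type, parameters, environment and inputs must
    give the same outputs. Returns the mismatching fields (empty = reproduced)."""
    diffs = []
    for key in ("build_buildType", "build_parameter", "build_environment", "hasInput"):
        if original[key] != rebuild[key]:
            diffs.append(key)
    if not diffs and original["hasOutput"] != rebuild["hasOutput"]:
        diffs.append("hasOutput")  # identical recipe, different artifact
    return diffs

def missing_from_inputs(record: dict, sbom_components: list) -> list:
    """SBOM completeness: components the SBOM lists that the build never consumed."""
    consumed = {i["name"] for i in record["hasInput"]}
    return [c for c in sbom_components if c not in consumed]
```

A real SPDX 3.0 document expresses hasInput/hasOutput/invokedBy as separate Relationship elements between the Build and the Artifact/Agent elements; the checks stay the same once those are resolved.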