This is the fifth article in a series about SWHID, an open standard for identifying software artifacts. The previous articles covered the following topics:

- What is the Best Way to Identify Software? Introducing SWHID: Introduces SWHID and explains why precise identification of software is becoming essential in the context of software supply chains and emerging regulations.
- Description of SWHID: Syntax: Describes the syntax of SWHID and shows how it enables reliable comparison between software artifacts.
- SWHID Is An Open Standard, Governed Under Open Governance: Explains how SWHID is governed as an open standard and introduces swhid-rs, its reference implementation.
- SWHID and pURL: Explains the similarities and differences between SWHID and pURL, the most popular software identifier.
SWHID provides unambiguous identification, traceability and verifiability of software artifacts across modern software supply chains. In this article, I present real-world use cases showing how SWHID can improve SBOMs, support regulatory compliance such as the Cyber Resilience Act, and enable traceability across different industries.
Use Cases as a Result of Preparing a Presentation Series

This final article presents a set of practical use cases that I introduced during a series of talks delivered in March 2026 to three different audiences, all working on topics related to software supply chains and regulatory compliance, but from different perspectives and with different priorities. The audiences were:

- Eclipse Open Regulatory Compliance Working Group: A group of experts in standards, IT legislation, certification, and compliance, particularly interested in how SWHID can be applied in the context of the Cyber Resilience Act and similar regulations.
- OpenChain Telco Working Group: A group of software compliance experts from the telecommunications industry, interested in how SWHID can complement the use of pURL in SPDX documents, particularly in the OpenChain SBOM Telco Guide.
- OpenChain Automotive Working Group: A group of open source management professionals from the automotive industry, interested in learning the fundamentals of SWHID and exploring its applicability to automotive use cases.

This series of talks represents my second activity as a Software Heritage Ambassador related to SWHID, following the support I provided to Thomas Aynaud, Software Heritage CTO, during his initial series of talks in Q4 2025, and in parallel with the publication of this article series.
Overview of SWHID Use Cases
For each talk, I prepared a set of short SWHID use cases designed to be presented in five to seven minutes each—more as a teaser than an in-depth explanation. The use cases presented across the talks can be grouped into:
- SWHID adoption and real-world usage
- Regulatory compliance
- SBOM improvement and verification
- Industry-specific applications
  - SBOMs in Telco
  - Traceability in regulated environments (automotive)
Real-World Adoption of SWHID
The first use case addressed a recurring practical question: who is already using SWHID in production? I described two examples:
- Software Heritage uses SWHID as a fundamental element of its catalogue, which is at the core of the largest software archive ever created. This catalogue is becoming an increasingly relevant foundation for additional services currently under development by SwH.
- Intel is using SWHID in combination with the Software Heritage archive for open source compliance purposes. I referenced public talks where the plans (at the time) were described, which are included in the slide deck linked at the end of this article.
SWHID for Cyber Resilience Act Compliance

For the regulatory compliance audience, instead of presenting a single concrete use case, I connected several features of SWHID to specific challenges described in the Cyber Resilience Act (CRA). This approach seemed more relevant, as many participants are currently working to interpret what the CRA requires in practice.
In addition, I highlighted three key capabilities enabled by the combination of SWHID and the Software Heritage archive in this context. These also help answer a recurring industry question: why is Software Heritage relevant to my organization?
Enhancing SBOMs with SWHID
This use case focused on how SWHID can improve Software Bills of Materials (SBOMs), with examples in both CycloneDX and SPDX formats. Two key aspects were highlighted:
- Simplification: SWHID can reduce the amount of explicit information required in an SBOM. Because it is derived directly from the artifact’s content, it can encode information that would otherwise require multiple fields, making SBOMs more concise without losing precision.
- Verifiability: SWHID enables verification by the parties involved as well as independent verification. An SBOM that includes SWHIDs allows recipients to confirm that the declared software matches the actual content.
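
The verifiability point above, as an added example that is not from the original article or the SWHID project: it recomputes content SWHIDs (`swh:1:cnt:`, a SHA-1 over a git-style blob header plus the file bytes) and compares them with the values an SBOM declares. The component list is a constructed, simplified stand-in for a CycloneDX or SPDX document, and the function names are hypothetical.

```python
import hashlib
import re

# Core SWHID v1 syntax; qualifiers (";origin=...") are split off before matching.
CORE_RE = re.compile(r"swh:1:(cnt|dir|rev|rel|snp):([0-9a-f]{40})")

def content_swhid(data: bytes) -> str:
    """SWHID v1 of a file's content: SHA-1 over a git-style blob header plus the bytes."""
    header = b"blob %d\x00" % len(data)
    return "swh:1:cnt:" + hashlib.sha1(header + data).hexdigest()

def verify_components(components, artifacts):
    """Compare each declared SWHID with the one recomputed from the delivered bytes."""
    report = {}
    for comp in components:
        name, declared = comp["name"], comp.get("swhid", "")
        core = declared.split(";", 1)[0]      # drop qualifiers, keep the core identifier
        m = CORE_RE.fullmatch(core)
        if m is None:
            report[name] = "malformed"        # not a syntactically valid SWHID
        elif m.group(1) != "cnt":
            report[name] = "unsupported"      # dir/rev/rel/snp need the full object graph
        elif name not in artifacts:
            report[name] = "missing"          # declared in the SBOM but not delivered
        elif content_swhid(artifacts[name]) == core:
            report[name] = "match"
        else:
            report[name] = "mismatch"         # delivered bytes differ from the declaration
    return report

# Constructed sample data: delivered files and the SBOM's declarations about them.
ARTIFACTS = {
    "hello.txt": b"hello world\n",
    "empty.cfg": b"",
    "build.sh": b"echo ok # modified after the SBOM was issued\n",
}
DECLARED = [
    {"name": "hello.txt", "swhid": "swh:1:cnt:3b18e512dba79e4c8300dd08aeb37f8e728b8dad"},
    {"name": "empty.cfg", "swhid": "swh:1:cnt:e69de29bb2d1d6434b8b29ae775ad8c2e48c5391"
                                   ";origin=https://example.org/repo"},
    {"name": "build.sh", "swhid": content_swhid(b"echo ok\n")},
    {"name": "lib.bin", "swhid": "swh:1:cnt:1234"},
    {"name": "notes.md", "swhid": content_swhid(b"# notes\n")},
]

if __name__ == "__main__":
    for name, status in verify_components(DECLARED, ARTIFACTS).items():
        print(f"{name:10} {status}")
```
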
Building on the previous two use cases, I developed a scenario specifically relevant to telecommunications companies. This use case explores how SWHID can support SBOM workflows in environments where compliance and verifiability are critical requirements.
With the help of AI, I evolved this use case from a detailed text description into a one-slide infographic, which proved more effective for the audience. The infographic is included in the slide deck, linked at the end of this article.
Enabling Bidirectional Traceability in Automotive Software
The final use case was designed for the automotive audience and focuses on bidirectional traceability. This capability is essential in automotive software development. I had worked on this use case previously. With SWHID, any solution to this use case becomes both more powerful and simpler to implement.
I used ASPICE 4.0 as context, although the use case is generic enough to be applied to other standardization and certification frameworks, both within automotive and in other heavily regulated industries.
Reusable Outputs: Slide Decks and Video
One of the main outcomes of this series of talks is a slide deck covering all the use cases described above. It is intended to be reused by Software Heritage Ambassadors, including myself, in future presentations. Some use cases may require additional testing and refinement over time. The slides used in each individual talk were early versions of this final deck. The slide deck can be downloaded from the provided link.
The materials from the three talks, including a recording of one of the sessions, are available in the Resources section of this site, along with links to Zenodo, where you can also download the decks.
Acknowledgements
I would like to thank Shanda Giacomoni and Juan Rico from the Eclipse Foundation, Marc-Etienne Vargenau from Nokia, and Masato Endo from Toyota for the opportunity to speak to their respective communities. The Intel use case would not have been possible without the support of Alexios Zavras from Intel. Thanks to the rest of the swhid.org community members who reviewed the slides and provided feedback.
I will take April to reflect on and discuss what should come next for this effort.
Summary: SWHID Across the Software Supply Chain
This series explored SWHID as a foundational technology for software identification in modern software supply chains. It began by establishing the need for precise, content-based identifiers in a landscape shaped by increasing regulatory pressure and growing complexity in software reuse. The series then examined the structure and governance of SWHID, demonstrating how it enables reliable comparison and long-term traceability of software artifacts, and positioning it alongside complementary standards such as pURL.
Building on these foundations, the final articles focused on practical applications. They showed how SWHID can enhance SBOMs, support regulatory compliance efforts such as those driven by the Cyber Resilience Act, and enable advanced use cases like verifiable supply chains and bidirectional traceability. Across different industries—including telecommunications and automotive—the series highlights SWHID as a key enabler for improving transparency, trust, and automation in software ecosystems.
Article polished using different AI services. CRA image made by Grok.