Computer Security Resource Center

Software Identification (SWID) Tagging

Using SWID Tags in the Software Lifecycle

The following is an excerpt from NIST Internal Report (NISTIR) 8060: Guidelines for the Creation of Interoperable Software Identification (SWID) Tags.

The SWID specification defines four types of SWID tags: primary, patch, corpus, and supplemental.

  1. Primary Tag: A SWID Tag that identifies and describes a software product that is installed on a computing device.
  2. Patch Tag: A SWID Tag that identifies and describes an installed patch which has made incremental changes to a software product installed on a computing device.
  3. Corpus Tag: A SWID Tag that identifies and describes an installable software product in its pre-installation state. A corpus tag can be used to represent metadata about an installation package or installer for a software product, a software update, or a patch.
  4. Supplemental Tag: A SWID Tag that allows additional information to be associated with a referenced SWID tag. This helps to ensure that SWID Primary and Patch Tags provided by a software provider are not modified by software management tools, while allowing these tools to provide their own software metadata.

Corpus, primary, and patch tags have similar functions in that they describe the existence and/or presence of different types of software (e.g., software installers, software installations, software patches), and, potentially, different states of software products. In contrast, supplemental tags furnish additional information not contained in corpus, primary, or patch tags. All four tag types come into play at various points in the software lifecycle, and support software management processes that depend on the ability to accurately determine where each software product is in its lifecycle.

An illustration of the software deployment, installation, patching, upgrading, and removal lifecycle events as described below.

The figure above illustrates the steps in the software lifecycle and the relationships among those lifecycle events supported by the four types of SWID tags, as follows:

  • Software Deployment. Before the software product is installed (i.e., pre-installation), and while the product is being deployed, a corpus tag provides information about the installation files and distribution media (e.g., CD/DVD, distribution package).
  • Software Installation. A primary tag will be installed with the software product (or subsequently created) to uniquely identify and describe the software product. Supplemental tags are created to augment primary tags with additional site-specific or extended information. While not illustrated in the figure, patch tags may also be installed during software installation to provide information about software fixes deployed along with the base software installation.
  • Software Patching. When a new patch is applied to the software product, a new patch tag is provided, supplying details about the patch and its dependencies. While not illustrated in the figure, a corpus tag can also provide information about the patch installer, and patching dependencies that need to be installed before the patch.
  • Software Upgrading. As a software product is upgraded to a new version, new primary and supplemental tags replace existing tags, enabling timely and accurate tracking of updates to software inventory. While not illustrated in the figure, a corpus tag can also provide information about the upgrade installer, and dependencies that need to be installed before the upgrade.
  • Software Removal. Upon removal of the software product, relevant SWID Tags are removed. This removal event can trigger timely updates to software inventory reflecting the removal of the product and any associated patch or supplemental tags.

Note: While not fully illustrated in the figure, supplemental tags can be associated with any corpus, primary, or patch tag to provide additional metadata about an installer, installed software, or installed patch respectively.
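The lifecycle above, as an added example that is not part of NISTIR 8060 or the CSRC page: a small Python inventory that classifies ISO/IEC 19770-2:2015 tags by type from their corpus/patch/supplemental attributes and models the Software Removal event, where removing a primary tag also removes the patch and supplemental tags that reference it through `<Link>` elements while a corpus tag (pre-installation metadata) is left alone. The product name, regid and tagId values are constructed for this example.

```python
import xml.etree.ElementTree as ET

# ISO/IEC 19770-2:2015 namespace; the attribute names (corpus, patch, supplemental,
# tagId) and Link rel values (patches, supplemental) are taken from that standard.
NS = "{http://standards.iso.org/iso/19770/-2/2015/schema.xsd}"
XMLNS = 'xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"'
ENTITY = '<Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>'

# Constructed sample tags (product name, regid and tagIds are made up for this example).
SAMPLE_TAGS = [
    f'<SoftwareIdentity {XMLNS} name="ExampleApp" tagId="example.com-ExampleApp-1.0" '
    f'version="1.0">{ENTITY}</SoftwareIdentity>',
    f'<SoftwareIdentity {XMLNS} name="ExampleApp Patch 1" tagId="example.com-ExampleApp-1.0-p1" '
    f'version="1.0.1" patch="true">{ENTITY}'
    '<Link rel="patches" href="swid:example.com-ExampleApp-1.0"/></SoftwareIdentity>',
    f'<SoftwareIdentity {XMLNS} name="ExampleApp Site Info" tagId="example.com-ExampleApp-1.0-site" '
    f'version="1.0" supplemental="true">{ENTITY}'
    '<Link rel="supplemental" href="swid:example.com-ExampleApp-1.0"/></SoftwareIdentity>',
    f'<SoftwareIdentity {XMLNS} name="ExampleApp Installer" tagId="example.com-ExampleApp-1.0-corpus" '
    f'version="1.0" corpus="true">{ENTITY}</SoftwareIdentity>',
]

def tag_type(elem):
    """Classify a SoftwareIdentity element; a tag with none of the three flags is primary."""
    for kind in ("corpus", "patch", "supplemental"):
        if elem.get(kind, "false").lower() == "true":
            return kind
    return "primary"

class Inventory:
    """Tracks tags on a device and the install / remove lifecycle events from the text."""
    def __init__(self):
        self.tags = {}  # tagId -> (type, SoftwareIdentity element)

    def install(self, xml_text):
        elem = ET.fromstring(xml_text)
        self.tags[elem.get("tagId")] = (tag_type(elem), elem)
        return elem.get("tagId")

    def linked_ids(self, tag_id, rel):
        """tagIds this tag references through <Link rel=...> elements with a swid: href."""
        _, elem = self.tags[tag_id]
        return [lnk.get("href")[5:] for lnk in elem.findall(NS + "Link")
                if lnk.get("rel") == rel and lnk.get("href", "").startswith("swid:")]

    def remove(self, tag_id):
        """Software Removal: drop the tag plus every patch/supplemental tag that references it."""
        dependents = {"patch": "patches", "supplemental": "supplemental"}
        removed = [tag_id] + [other for other, (kind, _) in self.tags.items()
                              if other != tag_id and kind in dependents
                              and tag_id in self.linked_ids(other, dependents[kind])]
        for tid in removed:
            self.tags.pop(tid, None)
        return removed
```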

These software lifecycle events represent typical uses of tags within the software deployment lifecycle. While not depicted in the figure above, software discovery, configuration management, and vulnerability management processes generate other lifecycle events which may create and/or use corpus, primary, patch, and supplemental tags.

More information about how SWID Tags relate to the software lifecycle can be found in NISTIR 8060.

Created February 05, 2018, Updated June 20, 2018