
Meet Sovereign Tech Fellow Jan Kowalleck

By Theresa Röcher

In News, Fellowship

Open source maintainer Jan Kowalleck began his journey with OWASP CycloneDX by fixing a single bug. That small step led to becoming Project Co-Lead, mentoring new contributors, and helping shape the international standard for software transparency. In this interview, Jan shares how he balances maintenance and community building, why SBOMs are key to software security, and what it takes to guide a fast-growing open source project.

Tell us a bit about your background. How did you get involved in open source?

I have a background as a professional software engineer and have worked in various areas for over fifteen years. Over the years, I have started and contributed to a number of open source projects, and I’ve never been shy to submit even small improvements.

My journey with OWASP CycloneDX began with a simple bug fix for an implementation I needed for my day job. That first contribution gave me the chance to get to know the project and its codebase, and soon I became a regular contributor, adding new features along the way. The maintainers were very supportive, and I always felt welcomed by the community.

Later, I sketched out a roadmap to make the project more reusable and appealing to new contributors. I proposed this plan to the community, and they encouraged me to pursue it. While I implemented the solutions I had envisioned, the maintainers mentored me, and eventually I became a maintainer of that particular implementation myself.

Over time, I took on more responsibilities, became maintainer of additional implementations, mentored new maintainers, helped the community evolve existing implementations, and supported the CycloneDX Core Working Group with iterations of the BOM (Bill of Materials) standard itself. Eventually, I became a member of the Core Working Group and a Project Co-Lead of OWASP CycloneDX as a whole.

I would not be where I am today without the open and welcoming culture of the CycloneDX community. I try to live up to this spirit by encouraging others to collaborate and contribute.


Tell us more about the projects you’ll be working on during the fellowship. What makes it important?

The CycloneDX specification is a modular and extensible framework designed to represent a broad range of supply chain information. It’s an international standard that comes with implementations for the data exchange formats XML, JSON, and Protocol Buffers, and it addresses transparency and supply chain concerns for software, hardware, and really all kinds of goods and processes. The specification evolves quickly and is driven by the community, with yearly releases that include improvements, fixes, and new features. I collaborate with different communities and domain experts to shape new features, improve documentation, and contribute to the broader standardization process.

Alongside the specification itself, I also work on multipurpose implementations of CycloneDX. These are software libraries in languages like PHP, TypeScript and JavaScript, and Python. Together with the community, I help implement new features, provide utilities, maintain documentation, and ensure general quality and reliability.

Another important part of my work is focused on SBOM generators. SBOM stands for Software Bill of Materials, and generators are the tools that automatically produce SBOMs from existing evidence like project setups, package manifests, and lock files. Accurate and complete SBOMs are critical for proper risk management and for understanding the security posture of a project. I’m working with the community on improving these generators across multiple ecosystems, including PHP with Composer, the entire Node.js space with npm, Yarn, and pnpm, the Python ecosystem with venv, pipenv, poetry, and requirements.txt, as well as tooling like webpack.

In addition to that, I also contribute to related areas of standardization and development, help maintain third-party tools and libraries in these domains, and mentor contributors wherever it’s needed.
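To make concrete what an SBOM generator does with "existing evidence", here is a small added example (written for this page, not code from the CycloneDX project or from Jan's generators) that reads a constructed, pinned requirements.txt, including a backslash-continued line with a `--hash=sha256:` option, and emits a minimal CycloneDX 1.5 JSON document with Package URLs and hashes. The requirements text, the application name and the 64-character digest are all constructed placeholders. Unpinned entries are reported separately rather than guessed, because a generator that invents a version produces an inaccurate SBOM; real generators such as the ones Jan maintains also resolve transitive dependencies, licenses and more, which this example does not attempt.

```python
import json
import re
import uuid

# Constructed sample input (not a real project's lock file): a comment, a
# hashed pinned entry spanning two lines, a plain pinned entry, a blank line,
# and one unpinned entry that cannot be turned into an accurate component.
FAKE_SHA256 = "0" * 63 + "1"  # constructed placeholder, not a real digest
SAMPLE_REQUIREMENTS = (
    "# constructed requirements.txt\n"
    "requests==2.32.3 \\\n"
    f"    --hash=sha256:{FAKE_SHA256}\n"
    "Jinja2==3.1.4\n"
    "\n"
    "packaging>=23.0\n"
)

_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")
_PINNED = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)")
_HASH = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def _logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    buf = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        logical = " ".join(buf).strip()
        buf = []
        if logical and not logical.startswith("#"):
            yield logical


def parse_requirements(text):
    """Return (pinned components, unpinned requirement names).

    Only '==' pins yield a component; anything else is evidence that is not
    precise enough for an accurate SBOM and is reported instead of guessed.
    """
    components, unpinned = [], []
    for line in _logical_lines(text):
        m = _PINNED.match(line)
        if not m:
            nm = _NAME.match(line)
            unpinned.append(nm.group(0) if nm else line)
            continue
        components.append({
            "name": m.group(1),
            "version": m.group(2),
            "hashes": _HASH.findall(line),
        })
    return components, unpinned


def pypi_purl(name, version):
    """Package URL for PyPI: the purl spec lowercases the name and maps '_' to '-'."""
    return f"pkg:pypi/{name.lower().replace('_', '-')}@{version}"


def build_bom(components, app_name="example-app"):
    """Assemble a minimal CycloneDX 1.5 JSON document from parsed components."""
    bom_components = []
    for c in components:
        purl = pypi_purl(c["name"], c["version"])
        entry = {
            "type": "library",
            "bom-ref": purl,
            "name": c["name"],
            "version": c["version"],
            "purl": purl,
        }
        if c["hashes"]:
            entry["hashes"] = [{"alg": "SHA-256", "content": h.lower()} for h in c["hashes"]]
        bom_components.append(entry)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": app_name}},
        "components": bom_components,
    }


if __name__ == "__main__":
    comps, unpinned = parse_requirements(SAMPLE_REQUIREMENTS)
    print(json.dumps(build_bom(comps), indent=2))
    if unpinned:
        print("not pinned, no component emitted:", ", ".join(unpinned))
```

The returned `unpinned` list is the accuracy check a practitioner cares about: if it is non-empty, the lock file is not sufficient evidence and the SBOM should not be treated as complete until the project pins those dependencies or a resolver supplies the installed versions.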


What brought you to the Sovereign Tech Fellowship?

The fellowship allows me to continue my important work on critical infrastructure while also covering my living expenses. Over the years I’ve taken on more and more responsibilities in the CycloneDX project. There is always so much happening, the community is constantly exploring new ideas, and the field itself is evolving very quickly. My role is often to help bring these ideas to life and to create space for innovation.

The upcoming release of the international standard CycloneDX is especially exciting, as it will introduce many new features the community is eager to use. Right now, I’m working closely with contributors to get these features specified and standardized. Once that is complete, the next challenge will be to help implement them in different tools and libraries so they can be put into practice.

Alongside this, there is the ongoing community work: keeping documentation, tech stacks, and quality assurance up to date, as well as developing, discussing, and triaging tickets, fixes, and features.

The fellowship gives me the opportunity to dedicate focused time to these efforts, without having to fit everything into evenings or weekends. It allows me to take on larger, more strategic tasks, while also being more present and supportive for the community.


What makes open source collaboration special and what do you enjoy most about it?

I participate in a number of open-source communities, especially those related to supply chain and transparency, but also in broader software ecosystem projects. The communities I work with are far from homogeneous. People come from different cultural, educational, and professional backgrounds, and everyone has different interests and different amounts of time and resources to contribute. This is typical for volunteer-driven open-source projects.

While the communities are very open to contributions, this diversity can make finding consensus challenging. You can’t make everyone happy, and sometimes a compromise is the least satisfying outcome for all parties. It’s important to make decisions that serve the project and the goal, even if it means disappointing someone. Usually, people understand and remain part of the project even if they don’t get their way. The focus should always be on the project and its objectives, not on individual egos, especially your own.

What I enjoy most is working with people on requirements engineering, understanding the real needs and constraints so we can find solutions that fit, work in practice, and can be improved over time. My advice to others interested in becoming a maintainer is to embrace change. Nothing is ever set in stone in open source, and flexibility is key to success and collaboration.


What do you do when you’re not working on open source?

When I’m not working on open source, I spend a lot of time outdoors. I enjoy hiking and am currently preparing for a multi-day trip, which I’m really looking forward to.

I also like playing video games, especially point-and-click adventure games. I’ve always loved classics like Monkey Island, but I also enjoy modern ones in the same genre.


Connect with Jan

We’re grateful to Jan for being part of the first cohort of the Sovereign Tech Fellowship and for his continued contributions to the FOSS ecosystem. If you are interested in Jan’s work, you can visit the repositories listed below.

Sovereign Tech Fellow Jan Kowalleck at FOSS Backstage 2025, holding a Sovereign Tech Fund sticker into the camera

Jan at FOSS Backstage in March 2025

