SBOM Standards: CycloneDX & SPDX
A Software Bill of Materials (SBOM) is a comprehensive inventory of all components in software. Two standards dominate: CycloneDX and SPDX. Both serve the same purpose but differ in approach and use cases.
Why SBOMs Matter
Supply Chain Visibility: Know exactly what’s in your software—every dependency, version, and license.
Vulnerability Management: When new CVEs are disclosed, SBOMs enable instant identification of affected applications.
Compliance: Regulations like the EU Cyber Resilience Act require machine-readable SBOMs demonstrating supply chain transparency.
SBOMs answer: “What’s actually in my software?” Without this inventory, vulnerability management becomes guesswork.
CycloneDX
CycloneDX is a lightweight standard designed specifically for application security and supply chain component analysis [1].
Key Features:
- Security-first design for vulnerability management
- Native VEX integration within SBOM documents
- Rich metadata: licenses, PURL identifiers, component hashes
- Service/API documentation support
- Lightweight: smaller files, faster processing
Format: JSON or XML
Best For: Security teams, vulnerability management, DevSecOps workflows, regulatory compliance requiring vulnerability tracking.
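As an added example (not DevGuard's code or output), the script below parses a constructed CycloneDX 1.5 JSON document and performs the two lookups the sections above describe: which components match a set of newly disclosed vulnerable PURLs, and what VEX analysis state the SBOM already records for a given vulnerability and component. Package names, versions and the CVE id are placeholders.

```python
import json

# Constructed CycloneDX 1.5 document (placeholder packages and vulnerability id).
# "bom-ref" is set equal to the PURL so that vulnerabilities[].affects[].ref
# resolves directly to a component.
SBOM_JSON = r"""{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {"component": {"type": "application", "name": "demo-app", "version": "1.0.0"}},
  "components": [
    {"type": "library", "name": "left-pad", "version": "1.3.0",
     "purl": "pkg:npm/left-pad@1.3.0", "bom-ref": "pkg:npm/left-pad@1.3.0",
     "licenses": [{"license": {"id": "MIT"}}],
     "hashes": [{"alg": "SHA-256", "content": "placeholder-hash"}]},
    {"type": "library", "group": "org.example", "name": "widget", "version": "2.1.0",
     "purl": "pkg:maven/org.example/widget@2.1.0", "bom-ref": "pkg:maven/org.example/widget@2.1.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ],
  "vulnerabilities": [
    {"id": "CVE-EXAMPLE-0001",
     "affects": [{"ref": "pkg:npm/left-pad@1.3.0"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}}
  ]
}"""


def load_sbom(text):
    """Parse the document and reject anything that is not CycloneDX."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def components_by_purl(sbom):
    """Index components by PURL; components without a PURL cannot be matched."""
    return {c["purl"]: c for c in sbom.get("components", []) if "purl" in c}


def affected_components(sbom, vulnerable_purls):
    """The 'is my application affected?' lookup: PURLs from a new advisory
    that are present in this SBOM, sorted for stable output."""
    present = components_by_purl(sbom)
    return sorted(p for p in vulnerable_purls if p in present)


def vex_state(sbom, vuln_id, purl):
    """VEX analysis state embedded in the SBOM for (vuln_id, purl).
    Returns 'no_statement' when the SBOM carries no assessment for that pair."""
    for vuln in sbom.get("vulnerabilities", []):
        if vuln.get("id") != vuln_id:
            continue
        if any(a.get("ref") == purl for a in vuln.get("affects", [])):
            return vuln.get("analysis", {}).get("state", "in_triage")
    return "no_statement"
```

A `no_statement` result is the case to watch: the component is in the inventory but nobody has triaged it yet, so it should not be read as "not affected".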
SPDX Coming Soon 🎉
SPDX (Software Package Data Exchange) is a mature standard maintained by the Linux Foundation, originally designed for license compliance [2].
Key Features:
- License-focused with extensive tracking capabilities
- Comprehensive file and package metadata
- Broad adoption in embedded systems and automotive
- ISO/IEC 5962:2021 standard recognition
- Standardized license identifiers
Format: JSON, YAML, RDF, tag-value
Best For: License compliance, legal teams, open source governance, automotive industry, embedded systems.
CycloneDX vs SPDX
| Feature | CycloneDX | SPDX |
|---|---|---|
| Primary Focus | Security & vulnerabilities | License compliance |
| VEX Support | Native integration | Limited |
| File Size | Smaller, optimized | Larger, comprehensive |
| Maturity | Newer (2017) | Mature (2010, ISO) |
| Adoption | Growing DevSecOps | Automotive/embedded |
Both standards are valid—choice depends on use case. Security teams prefer CycloneDX; legal/compliance teams prefer SPDX. Some organizations generate both.
DevGuard Support
CycloneDX: DevGuard generates and consumes CycloneDX SBOMs with native VEX integration. Configure in repository settings.
Generation: Automatically create SBOMs during scanning with vulnerability assessments included.
Consumption: Import SBOMs from suppliers. DevGuard normalizes data into unified vulnerability management.
Public Endpoints: Expose SBOMs for downstream consumers: /api/v1/public/{assetId}/sbom.json
SPDX Support: Coming Soon - SPDX generation and consumption planned for future release.
Related Documentation
- CSAF & VEX Standards - Vulnerability communication formats
- External Vulnerability Sync - Importing/exporting SBOMs
- Why Compliance Matters - Business case for SBOMs
References
1. CycloneDX, CycloneDX Specification, OWASP Foundation, https://cyclonedx.org/specification/overview/
2. Linux Foundation, SPDX Specification, https://spdx.dev/specifications/