SBOM Standards: CycloneDX vs. SPDX
For SBOMs to be effective across the industry, they must follow standardized, machine-readable formats. Two major standards have emerged: CycloneDX and SPDX.
CycloneDX (OWASP)
Developed by the OWASP community, CycloneDX is a lightweight SBOM standard specifically designed for security use cases and supply chain component analysis.
* Pros: Extremely easy to generate, native support for VEX (Vulnerability Exploitability eXchange), and highly optimized for CI/CD automation.
* Use Case: Ideal for modern AppSec and DevSecOps teams.
SPDX (Linux Foundation)
SPDX (Software Package Data Exchange) is an ISO standard (ISO/IEC 5962:2021). It originated in the "Open Source Compliance" world, focusing heavily on licenses and legal provenance.
* Pros: Deeply detailed, standardized at the highest international level, and excellent for legal/IP auditing.
* Use Case: Large enterprise legal departments and aerospace/defense industries.
Anatomy of a JSON SBOM
Regardless of the standard, a modern SBOM is usually serialized as a large JSON object (the fragment below uses CycloneDX):
    {
      "bomFormat": "CycloneDX",
      "specVersion": "1.4",
      "components": [
        {
          "name": "express",
          "version": "4.17.1",
          "purl": "pkg:npm/express@4.17.1"
        }
      ]
    }
This structure lets security tools ingest the data programmatically and cross-reference each component (typically by its purl) against vulnerability databases.
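As an added example (not code from the page or from the CycloneDX project), the following ingests a CycloneDX JSON document of the shape shown above, splits each purl into type, name and version, and cross-references it against an advisory feed. Both the SBOM and the advisory feed are constructed inline; the advisory ids are placeholders, not real CVEs, and a component with no usable purl is reported rather than silently skipped.

```python
import itertools
import json
import re

# Constructed sample SBOM in the CycloneDX JSON layout shown above (not a real project's SBOM).
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "express", "version": "4.17.1", "purl": "pkg:npm/express@4.17.1"},
    {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
    {"name": "vendored-lib", "version": "0.1"}
  ]
}"""

# Constructed advisory feed keyed by (purl type, name); ids are placeholders, not real CVEs.
SAMPLE_ADVISORIES = {
    ("npm", "lodash"): [{"id": "EXAMPLE-ADV-0001", "affected_below": (4, 17, 21)}],
    ("npm", "express"): [{"id": "EXAMPLE-ADV-0002", "affected_below": (4, 0, 0)}],
}

PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<name>[^@?#]+)@(?P<version>[^?#]+)")

def parse_purl(purl):
    """Split a purl into (type, name, version); a namespace stays folded into name. None if malformed."""
    m = PURL_RE.match(purl)
    return (m["type"], m["name"], m["version"]) if m else None

def version_tuple(v):
    """Dotted version -> tuple of ints; stops at the first non-numeric part (e.g. '0-beta')."""
    return tuple(int(p) for p in itertools.takewhile(str.isdigit, v.split(".")))

def scan_sbom(sbom_text, advisories):
    """Return ({purl: [advisory ids]}, [component names lacking a usable purl])."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings, unresolved = {}, []
    for comp in bom.get("components", []):
        parsed = parse_purl(comp.get("purl", ""))
        if parsed is None:
            unresolved.append(comp.get("name", "<unnamed>"))  # cannot be matched against a feed
            continue
        ptype, name, version = parsed
        hits = [a["id"] for a in advisories.get((ptype, name), [])
                if version_tuple(version) < a["affected_below"]]
        if hits:
            findings[comp["purl"]] = hits
    return findings, unresolved
```

Components that reach `unresolved` are the ones an SBOM consumer should chase up with the producer, since no feed lookup is possible without a package identifier.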