Loopus

CycloneDX vs SPDX Standards

Learning Objectives

  • Compare CycloneDX and SPDX standards
  • Understand the structure of a machine-readable SBOM
  • Generate a basic SBOM using CLI tools

SBOM Standards: CycloneDX vs. SPDX

For SBOMs to be effective across the industry, they must follow standardized, machine-readable formats. Two major standards have emerged: CycloneDX and SPDX.

CycloneDX (OWASP)

Developed by the OWASP community, CycloneDX is a lightweight SBOM standard specifically designed for security use cases and supply chain component analysis.
* Pros: Extremely easy to generate, native support for VEX (Vulnerability Exploitability eXchange), and highly optimized for CI/CD automation.
* Use Case: Ideal for modern AppSec and DevSecOps teams.

SPDX (Linux Foundation)

SPDX (Software Package Data Exchange) is an ISO standard (ISO/IEC 5962:2021). It originated in the "Open Source Compliance" world, focusing heavily on licenses and legal provenance.
* Pros: Deeply detailed, standardized at the highest international level, and excellent for legal/IP auditing.
* Use Case: Large enterprise legal departments and aerospace/defense industries.

Anatomy of a JSON SBOM

Regardless of the standard, a modern SBOM usually looks like a large JSON object; the minimal CycloneDX document below shows the core fields:

    {
      "bomFormat": "CycloneDX",
      "specVersion": "1.4",
      "components": [
        {
          "name": "express",
          "version": "4.17.1",
          "purl": "pkg:npm/express@4.17.1"
        }
      ]
    }

This structure allows security tools to programmatically ingest the data and cross-reference it with vulnerability databases.
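As an added example (not part of the original lesson, nor tooling from the CycloneDX or SPDX projects), the Python below ingests both a CycloneDX and an SPDX JSON SBOM, extracts the package URLs (purls) each one carries, and cross-references them against an advisory feed keyed by purl. Both SBOM documents, the advisory feed and its advisory ID are constructed for the demo and are not real data.

```python
import json

# Constructed CycloneDX 1.4 document: the lesson's example plus one more component.
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "express", "version": "4.17.1", "purl": "pkg:npm/express@4.17.1"},
        {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
    ],
})

# Constructed SPDX 2.3 JSON document for the same two packages. SPDX carries the purl
# as an externalRef (and adds licence data) rather than as a top-level field.
SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "express", "versionInfo": "4.17.1", "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/express@4.17.1"}]},
        {"name": "lodash", "versionInfo": "4.17.20", "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
    ],
})

# Hypothetical advisory feed keyed by purl; the advisory ID is a placeholder, not a real CVE.
VULN_DB = {"pkg:npm/lodash@4.17.20": ["EXAMPLE-ADVISORY-0001"]}

def extract_purls(sbom_text):
    """Return the set of purls in a CycloneDX or SPDX JSON SBOM; reject unknown formats."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") == "CycloneDX":
        return {c["purl"] for c in doc.get("components", []) if "purl" in c}
    if "spdxVersion" in doc:
        return {ref["referenceLocator"]
                for pkg in doc.get("packages", [])
                for ref in pkg.get("externalRefs", [])
                if ref.get("referenceType") == "purl"}
    raise ValueError("unrecognised SBOM format: expected bomFormat or spdxVersion")

def find_vulnerable(sbom_text, vuln_db=VULN_DB):
    """Cross-reference the SBOM's purls with the advisory feed -> {purl: [advisory ids]}."""
    return {p: vuln_db[p] for p in sorted(extract_purls(sbom_text)) if p in vuln_db}

if __name__ == "__main__":
    for label, sbom in (("CycloneDX", CYCLONEDX_SBOM), ("SPDX", SPDX_SBOM)):
        print(label, find_vulnerable(sbom))
```

Because both formats resolve to the same purls, the same advisory matches are found whichever standard the supplier shipped; a document missing both `bomFormat` and `spdxVersion` is rejected rather than silently reported as clean.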

Answer the Questions

Question 1 (Knowledge)

Which SBOM standard is optimized for security and VEX?

Format: ********* (9 chars), exact match required

Question 2 (Hands-On)

Which ISO standard focuses on licensing and provenance?

Format: **** (4 chars), exact match required

Question 3 (Knowledge)

What machine-readable format do most SBOMs use?

Format: **** (4 chars), exact match required