SBOM formats and standards

Standardized formats make SBOMs more usable and compatible

Feb 7, 2025

When an SBOM follows an established standard format, the chances increase that it can be read, understood and used by different systems and stakeholders. The two most common formats today are CycloneDX and SPDX. Both offer a structured way to document software components, licenses, dependencies and vulnerabilities – but each also has its own advantages and use cases.

CycloneDX (OWASP) – now an Ecma International Standard

CycloneDX [1] was originally created by OWASP to enable simple and clear description of software compositions, with particular emphasis on security analysis.

With version 1.6 now approved as an Ecma International standard, the format has received an additional quality stamp that strengthens its position in the industry.

  • Greater trust and stability: Ecma International's backing of CycloneDX means the format has undergone a rigorous review process.

  • Broader acceptance globally: Ecma standards are known and respected, which promotes adoption in both industry and the public sector.

  • Seamless interoperability: Tools and platforms that support CycloneDX can exchange SBOM information without risk of misinterpretation.

  • Future-proof development: The standard is managed and further developed in a way that provides long-term stability and predictability for organizations investing in the format.

SPDX (Software Package Data Exchange - Linux Foundation)

SPDX [2] has its roots in the Linux Foundation and is a well-known SBOM format that originally focused primarily on license information and compliance. Today it also covers a broad set of data related to software components.

As a standardized solution, SPDX facilitates collaboration and information exchange, not least in open source and commercial projects where licenses and vulnerabilities need to be carefully monitored. SPDX is not an Ecma standard; it is instead adopted as an ISO standard (ISO/IEC 5962:2021).

SCA tools and SBOM generation

Virtually all SCA (Software Composition Analysis) tools on the market today can generate SBOMs in one of the standardized formats, CycloneDX or SPDX. This means that, directly in the existing development environment, you can get an up-to-date and detailed inventory of the software's components, including any known vulnerabilities and license information.

This makes it easier to keep track of which components are used, both in internally developed software and in software obtained from suppliers or open source projects.
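As an added example (not code from the article or from either project), the Python below reads a minimal CycloneDX 1.6 JSON BOM and an equivalent SPDX 2.3 JSON document, both constructed here, maps them to one common component view, and flags components without a package URL (purl), which cannot be correlated with vulnerability data regardless of which format they arrive in.

```python
import json

# Constructed sample documents (not from the article): the same two packages,
# once as a minimal CycloneDX 1.6 BOM and once as a minimal SPDX 2.3 document.
CYCLONEDX_DOC = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "internal-utils", "version": "2.0.0"},
    ],
})
SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app",
    "packages": [
        {"SPDXID": "SPDXRef-lodash", "name": "lodash", "versionInfo": "4.17.21",
         "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
        {"SPDXID": "SPDXRef-internal", "name": "internal-utils",
         "versionInfo": "2.0.0", "licenseConcluded": "NOASSERTION"},
    ],
})

def load_components(text):
    """Detect the format and return a common view: name, version, purl, license."""
    doc = json.loads(text)
    out = []
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            # CycloneDX licenses are a list of {"license": {...}} or {"expression": ...}
            lic = next((l["license"].get("id") or l["license"].get("name")
                        for l in c.get("licenses", []) if "license" in l), None)
            out.append({"name": c["name"], "version": c.get("version"),
                        "purl": c.get("purl"), "license": lic})
    elif "spdxVersion" in doc:
        for p in doc.get("packages", []):
            # SPDX carries the purl as an external reference of type "purl"
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            lic = p.get("licenseConcluded")
            lic = None if lic in (None, "NOASSERTION", "NONE") else lic
            out.append({"name": p["name"], "version": p.get("versionInfo"),
                        "purl": purl, "license": lic})
    else:
        raise ValueError("unrecognised SBOM format")
    return out

def unmatchable(components):
    """Names of components with no purl: they cannot be matched to vulnerability feeds."""
    return sorted(c["name"] for c in components if not c["purl"])
```

Both documents produce the same component view, which is the interoperability point of using a standard format; the unmatchable list shows what an SCA tool still cannot tell you about.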

By using standard formats such as CycloneDX and SPDX, the SBOM becomes not just an internal checklist, but a powerful communication and analysis tool that can be used by the entire supply chain.

This makes it significantly easier to meet increasingly high requirements for security, transparency and compliance – both today and in the future.

Footnotes

  1. CycloneDX

  2. SPDX