Several different formats can be used for SBOMs, depending on the use case and the software development ecosystem in question. There is no official standard format for SBOMs, but CycloneDX and Software Package Data Exchange (SPDX) are the most widely adopted and commonly used ones in the industry, and the only two adopted for security use cases.
CycloneDX
CycloneDX is a lightweight, open-source format for creating SBOMs that is designed to be easy to create and understand. It is commonly written in XML or JSON and can describe components at both the package and the file levels.
One of the main advantages of CycloneDX is that it is simple to use and can be easily integrated into existing software development workflows. For example, it can be used to generate SBOMs for software packages built using common package managers like npm, pip, and Maven, as well as for individual files.
The CycloneDX specification defines two main elements: the “bom” element, which is the top-level element of the SBOM and contains metadata about the software being described, and the “components” element, which contains the individual components that make up the software. Each component is represented by a “component” element, which contains information such as the component’s name, version, and license.
One of the most important aspects of CycloneDX is that it allows the components to be described hierarchically. This makes it easy to organize and understand the dependencies between different components, which is important for security and compliance purposes.
CycloneDX also supports several different fields that can be used to describe the components. Some of these include:
- “name”: The name of the component
- “version”: The version of the component
- “licenses”: The licenses of the component
- “copyright”: The copyright information of the component
- “homepage”: The homepage of the component
- “description”: The description of the component
Two other important features of CycloneDX are that it is highly extensible, meaning additional fields can be added to the format as needed, and that it supports several different ways to specify the software components: it can work from package managers such as npm, pip, and Maven, and it can be used to generate an SBOM from a list of files. This flexibility makes it easier to integrate CycloneDX into existing development workflows, regardless of the tools and technologies being used.
CycloneDX makes vulnerability management easier: because it provides a detailed list of all the components and their versions, it is easier to check whether any known vulnerabilities are present in the software and to take the necessary action to fix them. Another important aspect of CycloneDX is that it is machine-readable. Many software security solutions can consume CycloneDX-formatted SBOMs and automate the process of creating and maintaining them, making it easier to keep track of the components in your software and helping to identify vulnerabilities in them.
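The hierarchical component list and the vulnerability check described above can be shown with a short added example (not code from the original page or from the CycloneDX project). The SBOM document, the component names and the advisory feed are constructed sample data, and the advisory id is a placeholder.

```python
import json

# Constructed CycloneDX JSON document (sample data, not from a real project).
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {"component": {"type": "application", "name": "shop-api", "version": "2.3.0"}},
 "components": [
   {"type": "library", "name": "web-framework", "version": "4.1.0",
    "licenses": [{"license": {"id": "MIT"}}],
    "components": [{"type": "library", "name": "template-engine", "version": "1.9.2",
                    "licenses": [{"license": {"id": "BSD-3-Clause"}}]}]},
   {"type": "library", "name": "yaml-parser", "version": "0.8.1"}]}
"""

# Constructed advisory feed with a placeholder id; exact-version matching is a simplification.
ADVISORIES = {("template-engine", "1.9.2"): "EXAMPLE-ADVISORY-0001"}

def walk(components, parents=()):
    """Yield (path, component) for every component, descending into nested 'components'."""
    for comp in components:
        path = parents + (comp["name"],)
        yield path, comp
        yield from walk(comp.get("components", []), path)

def license_ids(comp):
    """Return license ids, names or expressions declared on a component."""
    found = []
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        found.append(lic.get("id") or lic.get("name") or entry.get("expression"))
    return [x for x in found if x]

def audit(sbom_text, advisories):
    """Flag components that match an advisory or that declare no license."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON document")
    findings = []
    for path, comp in walk(bom.get("components", [])):
        key = (comp["name"], comp.get("version"))
        if key in advisories:
            findings.append((" > ".join(path), comp.get("version"), advisories[key]))
        if not license_ids(comp):
            findings.append((" > ".join(path), comp.get("version"), "no-license-declared"))
    return findings

if __name__ == "__main__":
    for finding in audit(SBOM_JSON, ADVISORIES):
        print(finding)
```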

SPDX
Software Package Data Exchange (SPDX) is another open-source format that can be used to create SBOMs. Like CycloneDX, it is designed to be simple to use and easy to understand, and it can be used to describe software licenses and other legal information.
The SPDX specification defines several different elements that can be used to describe software, including:
- “Package”: The top-level element of an SPDX document, which contains metadata about the software being described
- “File”: A file that is included in the software package
- “Checksum”: A checksum that can be used to verify the integrity of a file
- “License”: Information about the license under which the software is distributed
- “Document Information”: Metadata about the SPDX document itself, such as the version of the SPDX specification being used
One of the main advantages of SPDX is that it is already widely supported across the industry and used by many different organizations. It also has an extensible format, which means that additional fields can be added as needed. It can include information about the origin of the software, such as the name of the creator and the organization that distributed it, and information about any patent licenses that may be associated with the software.
Like CycloneDX, SPDX can be used to create machine-readable SBOMs, which can be easily processed by software security tools to identify vulnerabilities and compliance issues in the software.
One use case of SPDX is the management of open-source software licenses. Because SPDX documents provide detailed information about the licenses under which software is distributed, they can be used to ensure that an organization complies with open-source license obligations and can also be used to track the use of open-source software within an organization.
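The “Checksum” element listed above can be put to work as follows. This is an added example, not code from the original page or from the SPDX project: it compares the SHA256 values recorded in an SPDX JSON document with the files on disk. The file names, their contents and the `demo` helper are constructed for illustration.

```python
import hashlib, os, tempfile

def verify_files(spdx_doc, root):
    """Compare each SPDX file entry's SHA256 checksum with the file under root."""
    root = os.path.realpath(root)
    results = {}
    for entry in spdx_doc.get("files", []):
        name = entry["fileName"]
        path = os.path.realpath(os.path.join(root, name))
        expected = next((c["checksumValue"].lower() for c in entry.get("checksums", [])
                         if c.get("algorithm") == "SHA256"), None)
        if os.path.commonpath([root, path]) != root:
            results[name] = "outside-root"  # never read files outside the package tree
        elif expected is None:
            results[name] = "no-sha256"
        elif not os.path.isfile(path):
            results[name] = "missing"
        else:
            with open(path, "rb") as fh:
                actual = hashlib.sha256(fh.read()).hexdigest()
            results[name] = "ok" if actual == expected else "mismatch"
    return results

def demo():
    """Build a constructed package tree and SPDX document, then change one file."""
    with tempfile.TemporaryDirectory() as root:
        contents = {"./app.py": b"print('hello')\n", "./util.py": b"VALUE = 1\n"}
        files = []
        for name, data in contents.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
            files.append({"fileName": name, "checksums": [
                {"algorithm": "SHA256", "checksumValue": hashlib.sha256(data).hexdigest()}]})
        # Entry for a file that was never shipped (constructed checksum value).
        files.append({"fileName": "./gone.py", "checksums": [
            {"algorithm": "SHA256", "checksumValue": "0" * 64}]})
        doc = {"spdxVersion": "SPDX-2.3", "files": files}
        # Simulate a modification made after the SBOM was generated.
        with open(os.path.join(root, "util.py"), "ab") as fh:
            fh.write(b"import os\n")
        return verify_files(doc, root)

if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```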

What are the differences?
Both CycloneDX and SPDX provide a good solution for creating SBOMs, but they differ in the level of information they provide and in their purpose. While CycloneDX is slightly more focused on describing the components of the software, SPDX aims to provide a more comprehensive view of the software, including detailed information about the licenses and legal information. Choosing one format over the other depends on the specific use case and the information that is required for that use case.
Some key differences between the two formats:
- Purpose: The main purpose of CycloneDX is to provide a simple and flexible format for creating SBOMs that can be easily integrated into existing software development workflows. SPDX, on the other hand, was originally developed to provide a standard format for exchanging information about software licenses and legal information.
- Components Description: CycloneDX focuses on describing the components of the software, including the names, versions, and licenses of the components, as well as the dependencies between them. SPDX includes information about the components too, but it also provides detailed information about the licenses and legal information of the software, such as the name of the creator and the organization that distributed it, and information about any patent licenses that may be associated with the software.
- Machine-Readable: While both CycloneDX and SPDX can be used for vulnerability management, CycloneDX provides a more detailed list of the components and their versions, making it easier to check if any known vulnerabilities are present in the software, while SPDX mainly focuses on providing detailed information about the licenses and legal information of the software.
- Project Size: CycloneDX is designed to be lightweight and easy to create and understand, making it usually well-suited for use in small to medium-sized software development projects. SPDX, on the other hand, is more comprehensive and provides more detailed information, making it frequently better suited for larger, more complex software development projects.
It is important to note that there are multiple tools available (most of them open-source) that allow conversion from one format to the other. In addition, an increasing number of software products for producing and managing SBOMs are capable of dealing with both formats.
