SBOM Standards and Formats
Three primary standards dominate the SBOM landscape, each with unique strengths. SPDX (Software Package Data Exchange), developed by the Linux Foundation, emphasizes license compliance and has achieved ISO standardization. CycloneDX, created by OWASP, focuses on security use cases with rich vulnerability and component metadata. SWID (Software Identification) tags, an older ISO standard, provide software identification but lack the rich metadata of the newer formats.
// Example: CycloneDX SBOM Fragment
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:3e7b4f90-8b7d-4bfe-b9b0-9c83f67d8f92",
  "version": 1,
  "metadata": {
    "timestamp": "2024-01-15T10:30:00Z",
    "tools": [
      {
        "vendor": "Snyk",
        "name": "snyk-cli",
        "version": "1.1080.0"
      }
    ],
    "component": {
      "type": "application",
      "name": "example-app",
      "version": "2.1.0"
    }
  },
  "components": [
    {
      "type": "library",
      "bom-ref": "pkg:npm/express@4.18.2",
      "name": "express",
      "version": "4.18.2",
      "purl": "pkg:npm/express@4.18.2",
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "hashes": [
        {
          "alg": "SHA-256",
          "content": "bb7b86c9d3b7b0e3d3b7b0e3d3b7b0e3d3b7b0e3d3b7b0e3"
        }
      ]
    }
  ]
}
Format selection depends on use cases and ecosystem requirements. SPDX excels for license compliance and has strong tooling support. CycloneDX provides superior security metadata and supports modern software architectures including containers and cloud services. Many organizations generate both formats to satisfy different stakeholder needs. SCA tools increasingly support multiple formats with conversion capabilities, enabling flexibility in format choice.
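The following is an added example, not code from the page or from any SBOM tool: it audits a CycloneDX document of the shape shown above for internal consistency (purl agreeing with name and version, a declared license, and a hex digest of the length its algorithm requires) and maps the components to minimal SPDX 2.x package entries, the kind of conversion the paragraph mentions. The input is constructed: it reuses the express component from the fragment above and adds a deliberately inconsistent second component.

```python
import re

# Constructed CycloneDX input (not real tool output): the page's express entry plus a
# deliberately inconsistent second component, so that each check below fires once.
CYCLONEDX_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2", "licenses": [{"license": {"id": "MIT"}}],
         "hashes": [{"alg": "SHA-256",
                     "content": "bb7b86c9d3b7b0e3d3b7b0e3d3b7b0e3d3b7b0e3d3b7b0e3"}]},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.20", "licenses": [],
         "hashes": [{"alg": "SHA-512", "content": "ab" * 64}]},
    ],
}
# Hex digest length each CycloneDX hash algorithm must have.
HASH_HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-384": 96, "SHA-512": 128}

def check_component(comp):
    """Return findings for one component; an empty list means it passed every check."""
    findings = []
    name, version, purl = comp.get("name"), comp.get("version"), comp.get("purl", "")
    # The purl must identify the same package and version as the component fields.
    if purl and not purl.endswith(f"/{name}@{version}"):
        findings.append(f"{name}: purl {purl} disagrees with {name}@{version}")
    if not comp.get("licenses"):
        findings.append(f"{name}: no license declared")
    for h in comp.get("hashes", []):
        expected = HASH_HEX_LEN.get(h["alg"])
        if expected is None or not re.fullmatch(rf"[0-9a-fA-F]{{{expected}}}", h["content"]):
            findings.append(f"{name}: {h['alg']} digest has wrong length or is not hex")
    return findings

def audit_sbom(sbom):
    """Audit all components; returns {name: findings} for the ones with problems."""
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {c["name"]: f for c in sbom.get("components", []) if (f := check_component(c))}

def to_spdx_packages(sbom):
    """Map components to minimal SPDX 2.x package entries (keys are SPDX JSON field names)."""
    return [{"name": c["name"], "versionInfo": c.get("version"),
             "licenseDeclared": (c.get("licenses") or [{"license": {}}])[0]["license"]
             .get("id", "NOASSERTION"),
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                               "referenceLocator": c.get("purl", "")}]}
            for c in sbom.get("components", [])]
```

Running `audit_sbom(CYCLONEDX_SBOM)` flags the express digest (48 hex characters where SHA-256 requires 64) and both problems with the lodash entry; a digest of the wrong length cannot be verified against the artifact it claims to describe, so such an SBOM should be rejected rather than ingested.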