Strategy

SPDX vs CycloneDX: Which SBOM Format Is Better?

SBOMs – Software Bills of Materials – are fast becoming crucial components in risk management. Thousands of organizations depend on the actionable data they carry, yet an even greater number are still struggling with the fundamentals. One of the biggest stumbling blocks is the SBOM format itself. In this article we look at the two main formats used for security-oriented SBOMs – SPDX and CycloneDX: what each one is, how they differ, and which you should use.

What Are SBOM Formats?

A Software Bill of Materials – SBOM – is a list of the software components that make up a product, together with their versions, suppliers and the dependencies between them. It is used to track inventory, manage procurement, and supervise risk. Today cybersecurity is one of the leading consumers of SBOMs: when a vulnerability is disclosed in a library, an SBOM tells you which of your products contain that library.

An SBOM can be assembled by hand, but in practice it is generated by a build tool, package manager or scanner. The result is a machine-readable document, usually serialized as JSON, XML or a tag/value text file, so that it can be imported into vulnerability scanners, asset databases and policy tooling. A spreadsheet export (.csv or .xlsx) is convenient for human review, but it is not one of the standard interchange formats and loses the relationships and identifiers that tools need.

An SBOM format is, in essence, a unified structure for creating and sharing SBOMs across different tools, teams, and consumers. The leading SBOM formats available right now are Software Package Data Exchange – SPDX – CycloneDX, and Software Identification – SWID – tags. The first two are the ones used for security work. SWID tags (ISO/IEC 19770-2) focus on identifying installed software for asset management rather than on dependency or licensing analysis.

In 2022, the U.S. Cybersecurity and Infrastructure Security Agency – CISA – acknowledged that the ecosystem will have to live with multiple SBOM formats for some time, so we might as well get used to it and build tooling that can read, and convert between, both.

SPDX SBOM

SPDX – Software Package Data Exchange – began as a standard for exchanging license information about software packages and has since grown into a full SBOM format. It was created by, and is still developed and maintained by, the SPDX workgroup under the Linux Foundation. It is not maintained by the Open Source Initiative – OSI – which approves licenses; SPDX instead maintains the SPDX License List of short identifiers for those licenses.

It provides a single, machine-readable way to communicate the licenses associated with any given software package, thereby simplifying compliance with open-source licensing requirements.

An SPDX document is made up of document creation information, one or more packages, optionally the files and snippets inside those packages, relationships between the elements (DESCRIBES, CONTAINS, DEPENDS_ON and so on), and annotations. Licensing is recorded with SPDX license expressions: short identifiers from the SPDX License List (MIT, Apache-2.0, GPL-2.0-only) combined with the operators AND, OR and WITH, for example "GPL-2.0-only WITH Classpath-exception-2.0 OR MIT". A package carries both a declared license (what the author states) and a concluded license (what the SBOM producer determined), and either may be NOASSERTION when it is unknown.

SPDX identifiers are also used outside SBOM documents: an "SPDX-License-Identifier:" tag in a source file header lets a scanner record per-file licensing without parsing license text, and a package manifest can list all the files in an archive or distribution package along with their corresponding SPDX identifiers.

Let’s look at some of the features available to SPDX SBOM.

Licensing

SPDX defines the rights and obligations of entities that distribute software. The SPDX License List gives every common free and open-source software – FOSS – license a short, stable identifier and canonical text, and the specification defines the machine-readable file format that carries those identifiers together with the rights, obligations, and other information about the software.
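The license expressions described above are a small grammar, and a practitioner usually needs to do more with them than display them: list every license a package pulls in, and decide whether an expression can be satisfied by an approved-license policy. The following is an added example written for this article, not code from the SPDX project or from any tool; it implements the precedence the specification gives (WITH binds tightest, then AND, then OR), returns a nested-tuple tree, and includes a policy check. The sample expressions and the allowlist are constructed for the example, and operators are expected in uppercase as the specification writes them.

```python
"""Parse SPDX license expressions and check them against a policy allowlist.
Added example for this article; not code from the SPDX project."""
import re

# A token is a parenthesis or a run of the characters allowed in SPDX identifiers
# (letters, digits, '.', '-', '+' for the deprecated 'GPL-2.0+' form, and ':' for
# DocumentRef-x:LicenseRef-y). Operators are matched as uppercase words only.
_TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z0-9.\-+:]+)")
_KEYWORDS = {"AND", "OR", "WITH", "(", ")"}


def tokenize(expr: str) -> list:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad character at offset {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent, one method per precedence level: OR < AND < WITH < atom."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expression(self):                      # a OR b OR c  (lowest precedence)
        left = self.conjunction()
        while self.peek() == "OR":
            self.take()
            left = ("OR", left, self.conjunction())
        return left

    def conjunction(self):                     # a AND b AND c
        left = self.with_exception()
        while self.peek() == "AND":
            self.take()
            left = ("AND", left, self.with_exception())
        return left

    def with_exception(self):                  # license WITH exception (tightest)
        lic = self.atom()
        if self.peek() == "WITH":
            self.take()
            exc = self.take()
            if exc is None or exc in _KEYWORDS:
                raise ValueError("WITH must be followed by an exception identifier")
            return ("WITH", lic, exc)
        return lic

    def atom(self):                            # identifier or parenthesised expression
        tok = self.take()
        if tok == "(":
            inner = self.expression()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        if tok is None or tok in _KEYWORDS:
            raise ValueError(f"expected a license identifier, got {tok!r}")
        return tok


def parse(expr: str):
    """Return 'MIT', ('OR', a, b), ('AND', a, b) or ('WITH', license, exception)."""
    p = _Parser(tokenize(expr))
    tree = p.expression()
    if p.peek() is not None:
        raise ValueError(f"unexpected token {p.peek()!r}")
    return tree


def license_ids(tree) -> set:
    """Every license and exception identifier mentioned anywhere in the expression."""
    if isinstance(tree, str):
        return {tree}
    _, left, right = tree
    return license_ids(left) | license_ids(right)


def satisfiable(tree, allowed: set) -> bool:
    """True if a licensee can comply using only identifiers in 'allowed':
    OR needs one side, AND needs both, WITH needs the license and the exception."""
    if isinstance(tree, str):
        return tree in allowed
    op, left, right = tree
    if op == "OR":
        return satisfiable(left, allowed) or satisfiable(right, allowed)
    return satisfiable(left, allowed) and satisfiable(right, allowed)
```

The parser deliberately does not validate identifiers against the SPDX License List, so it accepts LicenseRef- custom licenses and runs offline; a policy check in production should additionally reject identifiers that are not on the list or not declared as LicenseRef in the same document.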

Property Sets

Both formats let a producer attach extra, tool-specific metadata without changing the schema. SPDX does this with annotations and with external references on a package (for example a purl or a CPE identifier); CycloneDX does it with a properties list of name/value pairs, and publishes property taxonomies so that a consumer knows how to interpret a property without reading every entry in the file.

Largest Collection of File Formats

SPDX 2.x can be serialized as tag/value text (.spdx), RDF/XML (.xml), JSON (.json), YAML (.yaml) and spreadsheets (.xlsx), the widest choice of the three formats.

ISO

SPDX is the only SBOM format that has been published as an ISO – International Organization for Standardization – standard: version 2.2.1 is ISO/IEC 5962:2021, which means it passed a formal international review. (CycloneDX has since been standardized as ECMA-424 by Ecma International, but that is not an ISO standard.) Major corporations – including Intel, Microsoft, Siemens, and Sony – have adopted SPDX.

Forward and Backward

SPDX 2.x releases are designed to be forward and backward compatible, so a document written for one 2.x version can be processed by tools built for another.

Track Components

SPDX relationships can track components at product level (which packages ship in a release) and at project level (which files and snippets inside a package came from where). CycloneDX also has a component type for files, but it has no equivalent of SPDX snippets, a licensed region inside a single file.

Annotations

SPDX annotations record who reviewed what (the annotator), when, and with what comment, so a security or license review of a specific package or file can be attached to the SBOM itself.

CycloneDX SBOM

CycloneDX is an open-source bill-of-materials standard that originated in the OWASP community in 2017 and is today an OWASP flagship project; in 2024 it was also published as ECMA-424 by Ecma International. It was designed from the start for application security and supply-chain analysis, so its model covers software components, hardware devices, services, dependency graphs and vulnerability data in one lightweight document.

CycloneDX is not a general-purpose data exchange or binary container format. Every CycloneDX document is a BOM: a set of components and services, the dependencies between them, and metadata about the tool and the subject of the BOM, serialized as XML, JSON or protocol buffers against a published schema.

Let’s look at some of the features available to CycloneDX.

Most Popular

CycloneDX is one of the two most widely used SBOM formats in use today. It is maintained by the OWASP Foundation and the CycloneDX Core Working Group rather than by a single vendor, and it is supported by a large ecosystem of generators and consumers.

Lightweight

CycloneDX is a lightweight SBOM standard created mostly for application security and supply-chain component analysis, and it stays focused on those two jobs.

Designed

Another key characteristic of CycloneDX is that it was designed from the very beginning as a BOM format rather than adapted from a licensing standard, so the whole schema was built with that purpose in mind.

Supports

Its component and service objects reflect the complexity of today's software ecosystems: a CycloneDX BOM can describe not only libraries and applications but hardware devices, firmware, containers, operating systems and cloud or SaaS services, and it can carry vulnerability and VEX data in the same document as the inventory.

Format

CycloneDX can be serialized as XML, JSON, and protocol buffers, a smaller set than SPDX offers. A JSON Schema and an XML Schema are published for each specification version, so a document can be validated before it is consumed.
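The practical consequence of the two data models described in the SPDX and CycloneDX sections above is that a consumer has to map both onto the same inventory: SPDX keeps components in "packages" and dependency edges in "relationships", while CycloneDX keeps the subject in "metadata.component", the parts in "components" and the edges in "dependencies" keyed by bom-ref. The following is an added example written for this article, not code from either project; it reads a minimal SPDX 2.3 JSON document and a minimal CycloneDX 1.5 JSON document that describe the same application and normalises both into one set of components and dependency edges. Both sample documents are constructed by hand for the example (the document namespace, serial number and timestamps are made up).

```python
"""Normalise SPDX 2.3 JSON and CycloneDX 1.5 JSON into one component inventory.
Added example for this article; not code from the SPDX or CycloneDX projects."""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample documents describing the same application (hand-written for
# this example; namespace, serial number and timestamps are made up).
SPDX_JSON = """{
  "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-app-1.0.0",
  "documentNamespace": "https://sbom.example.invalid/spdx/example-app-1.0.0",
  "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": ["Tool: hand-written-example"]},
  "packages": [
    {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "1.0.0",
     "downloadLocation": "NOASSERTION", "licenseConcluded": "MIT", "licenseDeclared": "MIT"},
    {"SPDXID": "SPDXRef-requests", "name": "requests", "versionInfo": "2.31.0",
     "downloadLocation": "https://pypi.org/project/requests/2.31.0/",
     "licenseConcluded": "NOASSERTION", "licenseDeclared": "Apache-2.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/requests@2.31.0"}]}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-app",
     "relationshipType": "DESCRIBES"},
    {"spdxElementId": "SPDXRef-app", "relatedSpdxElement": "SPDXRef-requests",
     "relationshipType": "DEPENDS_ON"}
  ]
}"""

CYCLONEDX_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "metadata": {"timestamp": "2024-01-01T00:00:00Z",
               "component": {"type": "application", "bom-ref": "app", "name": "example-app",
                             "version": "1.0.0", "licenses": [{"license": {"id": "MIT"}}]}},
  "components": [
    {"type": "library", "bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests",
     "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0"]},
    {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": []}
  ]
}"""


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: Optional[str]      # package URL, the identifier scanners match on
    license: Optional[str]   # SPDX license expression, or None if unknown


def detect_format(doc: dict) -> str:
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    raise ValueError("not an SPDX or CycloneDX JSON document")


def load_spdx(doc: dict):
    """SPDX: packages carry the inventory, relationships carry the dependency edges."""
    by_id, edges = {}, set()
    for pkg in doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        # Prefer the concluded license, fall back to declared; NOASSERTION/NONE mean unknown.
        lic = next((v for v in (pkg.get("licenseConcluded"), pkg.get("licenseDeclared"))
                    if v not in (None, "NOASSERTION", "NONE")), None)
        by_id[pkg["SPDXID"]] = Component(pkg["name"], pkg.get("versionInfo", ""), purl, lic)
    for rel in doc.get("relationships", []):
        a, b = rel["spdxElementId"], rel["relatedSpdxElement"]
        if rel["relationshipType"] == "DEPENDS_ON":
            edges.add((by_id[a].name, by_id[b].name))
        elif rel["relationshipType"] == "DEPENDENCY_OF":   # same edge, written from the other end
            edges.add((by_id[b].name, by_id[a].name))
    return set(by_id.values()), edges


def load_cyclonedx(doc: dict):
    """CycloneDX: metadata.component is the subject, components its parts, dependencies link bom-refs."""
    by_ref, edges = {}, set()
    root = doc.get("metadata", {}).get("component")
    for comp in ([root] if root else []) + list(doc.get("components", [])):
        lic = None
        for entry in comp.get("licenses", []):   # {"license": {"id"|"name"}} or {"expression": ...}
            lic = (entry.get("expression") or entry.get("license", {}).get("id")
                   or entry.get("license", {}).get("name"))
            break                                # first entry only; enough for this example
        by_ref[comp.get("bom-ref", comp.get("purl", comp["name"]))] = Component(
            comp["name"], comp.get("version", ""), comp.get("purl"), lic)
    for dep in doc.get("dependencies", []):
        for target in dep.get("dependsOn", []):
            edges.add((by_ref[dep["ref"]].name, by_ref[target].name))
    return set(by_ref.values()), edges


def load_sbom(text: str):
    """Return (format, components, dependency_edges) for either JSON flavour."""
    doc = json.loads(text)
    fmt = detect_format(doc)
    comps, edges = load_spdx(doc) if fmt == "spdx" else load_cyclonedx(doc)
    return fmt, comps, edges


def inventories_match(text_a: str, text_b: str) -> bool:
    """Same components (name, version, purl, license) and the same dependency edges?"""
    _, ca, ea = load_sbom(text_a)
    _, cb, eb = load_sbom(text_b)
    return ca == cb and ea == eb
```

Running inventories_match(SPDX_JSON, CYCLONEDX_JSON) on the two constructed documents returns True, which is the property a converter between the formats should preserve. Note what already differs: SPDX carries two license fields per package where CycloneDX carries one list, and SPDX needs an explicit purl external reference where CycloneDX has a dedicated purl field, so a round trip between the formats can silently drop the concluded/declared distinction or a missing purl.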

What SBOM Format to Use? SPDX SBOM or CycloneDX SBOM?

SPDX is a format for sharing data about a software package, licensing included; CycloneDX was designed specifically to create BOMs for security use. There is no easy answer, since both are suitable and both produce actionable data; the real difference is that SPDX is the richer and more complex of the two. That richness is good if you are a developer or compliance engineer who needs file-level and license-level detail, but it might be too much – and hard to untangle – if you are a vendor or an analyst who just wants a dependency inventory.

If you need to share licensing data with a human, or satisfy a compliance team, then SPDX is probably your better choice. If you need a quick, compact inventory – one that a scanner or an automation pipeline can process in a flash – then CycloneDX is a better fit. In practice many generators can emit both and converters exist between them, so choose the format your consumers ask for and check that nothing important, such as a purl or a concluded license, is lost in conversion.