Choosing Between CycloneDX and SPDX for SBOMs: What Works Best in Practice?

Asked By CheerfulTurtle77 On

Hey everyone! We're at BellSoft trying to figure out which Software Bill of Materials (SBOM) format is the best fit for our hardened images. We're aware that SPDX focuses more on licensing while CycloneDX is tailored for security aspects. However, what we really want to know is what actual users need and prefer. Also, which tools are you using that support these formats?

2 Answers

Answered By DevOpsDynamo18 On

I've seen both formats in actual use, but it really depends on your specific needs. If you're heavily focused on license data, SPDX is great. However, if you're prioritizing security workflows and vulnerability mapping, CycloneDX is the go-to option. Most tools nowadays tend to favor CycloneDX because security teams are more demanding about it.

CuriousCoder13 -

We can support either format, but we're eager to hear what others are using in production. If everyone is on Ratfy which only supports SPDX, it might not make sense to use CycloneDX despite its potential benefits.
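To make the "licensing vs. vulnerability mapping" split above concrete, here is an added example (not code from this thread, BellSoft, or any SBOM tool) that reads a CycloneDX 1.5 and an SPDX 2.3 document into one record shape and reports what each gives a downstream consumer: which components carry a PURL to key a vulnerability lookup on, which license identifiers are present, and whether the document embeds vulnerability data at all. Both SBOM documents are constructed inline; the component names, versions, and the `EXAMPLE-0001` advisory id are placeholders, not real image contents or real advisories.

```python
"""Normalize CycloneDX 1.5 and SPDX 2.3 JSON SBOMs into one component record.
Example code for this thread; both documents below are constructed."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX document: PURL sits directly on each component, and the
# document may embed vulnerability (VEX) entries that point at components by bom-ref.
CYCLONEDX_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/zlib@1.3.1", "name": "zlib",
         "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1",
         "licenses": [{"license": {"id": "Zlib"}}]},
        {"type": "library", "bom-ref": "pkg:generic/openssl@3.0.13", "name": "openssl",
         "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001",  # placeholder id, not a real advisory
         "affects": [{"ref": "pkg:generic/openssl@3.0.13"}]},
    ],
})

# Constructed SPDX document: licensing is first-class (concluded vs. declared);
# a PURL only exists if the producer added a PACKAGE-MANAGER externalRef.
SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT", "name": "example-image",
    "packages": [
        {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib", "versionInfo": "1.3.1",
         "licenseConcluded": "Zlib", "licenseDeclared": "Zlib",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:generic/zlib@1.3.1"}]},
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "3.0.13",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "Apache-2.0",
         "externalRefs": []},  # no PURL: nothing to key a vuln lookup on
    ],
})

NO_LICENSE = (None, "NOASSERTION", "NONE")


@dataclass
class Component:
    name: str
    version: str
    purl: Optional[str]  # the key vulnerability databases match on
    licenses: List[str] = field(default_factory=list)


def detect_format(text: str) -> str:
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    raise ValueError("not a CycloneDX or SPDX JSON document")


def parse_cyclonedx(text: str) -> List[Component]:
    out = []
    for c in json.loads(text).get("components", []):
        lics = []
        for entry in c.get("licenses", []):  # each entry is a license object or an expression
            lic = entry.get("license", {})
            lics.append(lic.get("id") or lic.get("name") or entry.get("expression"))
        out.append(Component(c["name"], c.get("version", ""), c.get("purl"),
                             [x for x in lics if x]))
    return out


def parse_spdx(text: str) -> List[Component]:
    out = []
    for p in json.loads(text).get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        # Prefer the concluded license; fall back to declared when it is unset.
        lic = p.get("licenseConcluded")
        if lic in NO_LICENSE:
            lic = p.get("licenseDeclared")
        out.append(Component(p["name"], p.get("versionInfo", ""), purl,
                             [] if lic in NO_LICENSE else [lic]))
    return out


def load_sbom(text: str) -> List[Component]:
    return parse_cyclonedx(text) if detect_format(text) == "cyclonedx" else parse_spdx(text)


def purl_coverage(components: List[Component]) -> Tuple[List[str], List[str]]:
    """Names that can be matched against a vulnerability feed, and names that cannot."""
    return ([c.name for c in components if c.purl],
            [c.name for c in components if not c.purl])


def inline_vulnerabilities(text: str) -> Dict[str, List[str]]:
    """bom-ref -> advisory ids embedded in the SBOM. Only CycloneDX defines a
    vulnerabilities section, so an SPDX 2.3 document always yields {}."""
    doc = json.loads(text)
    found: Dict[str, List[str]] = {}
    if doc.get("bomFormat") != "CycloneDX":
        return found
    for v in doc.get("vulnerabilities", []):
        for a in v.get("affects", []):
            found.setdefault(a["ref"], []).append(v["id"])
    return found


if __name__ == "__main__":
    for label, text in (("CycloneDX", CYCLONEDX_JSON), ("SPDX", SPDX_JSON)):
        comps = load_sbom(text)
        print(label, [(c.name, c.purl, c.licenses) for c in comps])
        print("  purl coverage (have, lack):", purl_coverage(comps))
        print("  inline vulnerabilities:", inline_vulnerabilities(text))
```

The point the script makes is that the format question is really a question about which fields your consumers will read: a vulnerability scanner needs a PURL (or CPE) per component and gets it natively from CycloneDX, while in SPDX it depends on the producer emitting the externalRef; a license-policy check gets a concluded/declared pair from SPDX and a flat license list from CycloneDX. Whichever format you ship, check that the PURL coverage list is empty before relying on the SBOM for vulnerability matching.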

Answered By SecuritySamurai92 On

For me, CycloneDX is a must since it's aligned with security checks, and it's also recognized as an OWASP standard. Supporting CycloneDX should definitely be a priority, although SPDX can be secondary if needed.

TechieWanderer45 -

I totally agree! Any SBOM we create needs to be in CycloneDX format.

ComplianceGuru88 -

Absolutely! I’m in a compliance-heavy field, and CycloneDX is crucial for us.
