Skip to content

Formats of SBOM

There are different formats of SBOM, but the most famous ones are SPDX & CycloneDX. The core information on the SBOM will be the same, but the formatting & some metadata differs in both formats.


Software Package Data Exchange is a format adopted by the Linux Foundation as an industry-standard in 2010.

SPDX contains the following information - package name, spdx id, package version, files analyzed, licensing information, external references, and packageattribution text. The above field generation might vary depending on which tool you use. For example, the above fields are generated with trivy, but when you use syft, the PackageAttributionText field isn't generated by default.

A sample SPDX entry looks like this,

PackageName: libnpmpublish
SPDXID: SPDXRef-Package-176a8c1442b48512
PackageVersion: 1.1.2
FilesAnalyzed: false
PackageLicenseConcluded: ISC
PackageLicenseDeclared: ISC
ExternalRef: PACKAGE-MANAGER purl pkg:npm/[email protected]
PackageAttributionText: LayerDiffID: sha256:489df5b5b81806db00460727a295011dd2e2c0b558c75f3b2e1299bef4875fc5


CycloneDX is designed by OWASP as a lightweight SBOM standard for application security contexts and supply chain component analysis.

Similar to the above, the below cyclonedx sample is generated from trivy. The output contains SBOM reference, type (library/operating system), name, version, licenses, purl, properties/additional information like layer id, version, etc.

  "bom-ref": "pkg:deb/debian/[email protected]?distro=debian-11.5",
  "type": "library",
  "name": "base-passwd",
  "version": "3.5.51",
  "licenses": [
      "expression": "GPL-2.0"
      "expression": "public-domain"
  "purl": "pkg:deb/debian/[email protected]?distro=debian-11.5",
  "properties": [
      "name": "aquasecurity:trivy:PkgType",
      "value": "debian"
      "name": "aquasecurity:trivy:SrcName",
      "value": "base-passwd"
      "name": "aquasecurity:trivy:SrcVersion",
      "value": "3.5.51"
      "name": "aquasecurity:trivy:LayerDiffID",
      "value": "sha256:7346d8f0d212fbd7e3519f9870c2abb76a2b9fd0859ae8a6b829cfb8659a0861"

SPDX vs CycloneDX

Both the output formats contain detailed information. We can pick whatever is feasible for the use case. If the size is a concern, spdx is recommended but cyclonedx contains verbose information.

Last update: 2022-11-19 14:24:26
Created: 2022-11-19 06:59:59