Two years after Executive Order 14028 put Software Bill of Materials on every security team's radar, the SBOM tooling ecosystem has matured from a handful of experimental tools to a crowded market. By September 2023, there are dozens of SBOM generators, two competing formats, and a growing set of analysis and management platforms. But maturity doesn't mean simplicity. Choosing the right tools still requires understanding what SBOMs actually need to do for your organization.
The Format Question: SPDX vs. CycloneDX
The two dominant SBOM formats continue to be SPDX and CycloneDX, and the debate over which to use remains lively.
SPDX (Software Package Data Exchange) became an ISO standard (ISO/IEC 5962:2021) and has deep roots in the Linux Foundation. SPDX 2.3, released in 2022, added support for security references and improved relationship modeling. SPDX 3.0, under development in 2023, promises a significant overhaul with a more modular architecture.
SPDX's strengths lie in license compliance (its original use case) and its ISO standardization. Its weaknesses include a complex specification and inconsistent tooling support across the full spec.
CycloneDX, maintained by OWASP, was designed from the ground up for security use cases. CycloneDX 1.5, released in June 2023, added significant capabilities including machine learning model transparency (ML-BOM), cryptographic asset tracking, and improved service/API modeling.
CycloneDX's strengths are its security focus, simpler specification, and faster iteration cycle. Its weakness is less support for detailed license and relationship modeling compared to SPDX.
Practical advice: For most security-focused teams, CycloneDX is the more natural fit. Its tooling ecosystem is strong, the specification is easier to work with, and the security-first design means fewer gaps when using SBOMs for vulnerability management. SPDX is the better choice when license compliance is the primary use case or when working with organizations that mandate it.
SBOM Generators
The generator landscape has consolidated around several mature tools:
Syft (Anchore)
Syft has emerged as one of the most capable open-source SBOM generators. It supports both SPDX and CycloneDX output, handles container images and filesystems, and covers a wide range of package ecosystems. Syft's integration with Grype (Anchore's vulnerability scanner) provides a clean workflow from SBOM generation to vulnerability analysis.
Trivy (Aqua Security)
Trivy evolved from a container vulnerability scanner into a comprehensive security scanner that includes SBOM generation. Trivy can generate SBOMs for container images, filesystems, and git repositories, outputting in both SPDX and CycloneDX formats. Its scanning capabilities make it a good all-in-one tool.
cdxgen (CycloneDX Generator)
cdxgen is the official CycloneDX SBOM generator, supporting over 20 programming languages and ecosystems. It's particularly strong for application-level SBOMs, understanding language-specific dependency resolution in ways that file-system scanners can miss.
Microsoft SBOM Tool
Microsoft's open-source SBOM tool generates SPDX-format SBOMs and integrates with Azure DevOps pipelines. It's optimized for Windows and .NET ecosystems.
SPDX SBOM Generator (LF/SPDX)
The official SPDX generator from the Linux Foundation covers a solid range of ecosystems. It's the reference implementation for SPDX format but can lag behind third-party tools in ecosystem coverage.
What Generators Miss
No generator is complete. Common gaps include:
- Vendored dependencies. Dependencies that are copied directly into a project's source tree (common in Go and C/C++) may not be detected.
- System packages. Applications that depend on system-installed libraries (OpenSSL, zlib, etc.) often aren't captured by application-level SBOM generators.
- Build tools and CI dependencies. The tools used to build your software (compilers, linters, test frameworks) are typically not included in SBOMs but can be vectors for supply chain attacks.
- Runtime-only dependencies. Packages loaded dynamically at runtime, fetched from remote sources, or injected through plugins may not appear in build-time SBOMs.
- Firmware and hardware. SBOM generation for firmware, embedded systems, and hardware components remains nascent.
SBOM Analysis and Management
Generating an SBOM is step one. Making it useful requires analysis and management tooling:
Dependency-Track (OWASP)
Dependency-Track is the leading open-source platform for SBOM analysis. It ingests CycloneDX SBOMs, correlates components against vulnerability databases (NVD, GitHub Advisories, OSV), and provides dashboards and alerting. It handles multiple projects and tracks vulnerability status over time.
Grype (Anchore)
Grype is a vulnerability scanner that works with Syft-generated SBOMs. It's fast, covers multiple vulnerability databases, and integrates well into CI/CD pipelines. It's a scanner rather than a management platform, best suited for pipeline gates rather than ongoing monitoring.
OSV-Scanner (Google)
Google's OSV-Scanner uses the Open Source Vulnerabilities database to identify known vulnerabilities in dependencies. It can consume SBOMs or scan lock files directly, and benefits from the OSV database's broad coverage across multiple ecosystems.
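As an added illustration (not code from Dependency-Track, OSV-Scanner, or any other tool above) of what these platforms do when they correlate an SBOM against an advisory feed, the Python below reads a small constructed CycloneDX 1.5 SBOM, extracts each component's purl, and matches it against constructed advisories written in the OSV record layout (affected / ranges / events with SEMVER introduced and fixed events). The advisory ids, package versions and the simplified semver comparison are assumptions of this example, and the purl-less operating-system component shows why system packages slip through ecosystem-keyed matching.

```python
import json

# Constructed sample: the shape Syft or cdxgen emit for a small Node app in CycloneDX 1.5.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "lodash", "version": "4.17.15", "purl": "pkg:npm/lodash@4.17.15"},
  {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
  {"type": "operating-system", "name": "debian", "version": "12"}]}"""

# Constructed advisories in the OSV record layout (ids and version ranges are made up).
ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "affected": [{"package": {"ecosystem": "npm", "name": "lodash"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "4.17.21"}]}]}]},
    {"id": "EXAMPLE-2022-0002", "affected": [{"package": {"ecosystem": "npm", "name": "express"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "4.0.0"}, {"fixed": "4.17.0"}]}]}]},
]
def parse_version(v):
    """Simplified semver: numeric dotted parts only, pre-release suffix dropped."""
    return tuple(int(p.split("-")[0]) for p in v.split("."))
def purl_ecosystem_name(purl):
    """'pkg:npm/lodash@4.17.15' -> ('npm', 'lodash'); a namespace stays part of the name."""
    return tuple(purl.split(":", 1)[1].split("@")[0].split("/", 1))
def is_affected(version, ranges):
    """OSV events are ordered introduced/fixed pairs; a trailing 'introduced' means no fix yet."""
    v = parse_version(version)
    for rng in (r for r in ranges if r["type"] == "SEMVER"):
        introduced = None
        for ev in rng["events"]:
            if "introduced" in ev:
                introduced = parse_version(ev["introduced"])
            elif "fixed" in ev and introduced is not None:
                if introduced <= v < parse_version(ev["fixed"]):
                    return True
                introduced = None
        if introduced is not None and introduced <= v:
            return True
    return False
def find_vulnerable_components(sbom_json, advisories):
    """Return (purl, advisory id) pairs; purl-less components (the OS entry) cannot be matched."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        if "purl" not in comp:
            continue
        eco, name = purl_ecosystem_name(comp["purl"])
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if (pkg["ecosystem"].lower(), pkg["name"]) == (eco, name) \
                        and is_affected(comp["version"], aff.get("ranges", [])):
                    findings.append((comp["purl"], adv["id"]))
    return findings
```

Running `find_vulnerable_components(SBOM_JSON, ADVISORIES)` flags only the lodash component, since express 4.18.2 is past the constructed fix version and the debian entry carries no purl to match on.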
Practical SBOM Implementation
For organizations starting their SBOM journey in 2023, here's a practical path:
- Start with CI/CD integration. Generate SBOMs as part of your build pipeline, not as a one-time exercise.
- Choose CycloneDX for security, SPDX for compliance. Or generate both if you need to.
- Use Syft or Trivy for container images, cdxgen for application code.
- Feed SBOMs into Dependency-Track for ongoing monitoring and vulnerability tracking.
- Automate, then expand. Start with your most critical applications and expand coverage over time.
- Store SBOMs as build artifacts. They should be versioned and accessible alongside the software they describe.
How Safeguard.sh Helps
Safeguard.sh provides an integrated SBOM management platform that handles generation, analysis, and ongoing monitoring in a single workflow. Our platform supports both CycloneDX and SPDX formats, generates SBOMs across your entire stack (applications, containers, infrastructure), and provides continuous vulnerability monitoring with reachability analysis to prioritize real risks over theoretical ones. Safeguard.sh goes beyond what open-source tools offer individually by correlating SBOM data across your organization, tracking component usage patterns, and providing the compliance reporting that regulatory requirements demand.