cyclonedx
Safeguard articles tagged "cyclonedx" — guides, analysis, and best practices for software supply chain and application security.
71 articles
How Snyk's AI-BOM API lets teams query AI component inven...
How Snyk's AI-BOM API exposes AI model and dataset inventories as queryable, CycloneDX-aligned data teams can pull into CI, GRC, and asset tooling programmatically.
SBOM Format Wars: CycloneDX vs SPDX in Practice
CycloneDX and SPDX both claim to be "the" SBOM standard. Here's where they actually diverge on VEX support, license compliance, and government mandates — and which to pick.
VEX Documents: The Missing Context That Makes SBOMs Actio...
SBOMs list every component but stay silent on whether a CVE is actually exploitable. VEX documents supply that missing context — here's how the standard works.
SBOM File Formats, Explained
An SBOM file is only useful if the tools reading it agree on its structure — here's what CycloneDX, SPDX, and SWID actually look like and when each one fits.
SBOM Example: Reading a Real CycloneDX and SPDX Document
One component, two formats: a field-by-field walkthrough of a real CycloneDX and SPDX SBOM — purls, licenses, hashes, dependency graphs, and how to validate your own.
Java SBOM Generation Tools Compared
Six tools generate SBOMs from Java projects. They disagree on transitive depth, license fields, and licensing of their own output. A head-to-head.
SBOM Quality Benchmarking: What We Found in 2024
We scored 1,200 production SBOMs in 2024 across CycloneDX and SPDX. The quality distribution is worse than advertised and we have the numbers.
CycloneDX vs SPDX in Practice: Choosing an SBOM Format
Both formats are standards, both are mandated somewhere, and your tooling probably emits both. What actually differs when you run CycloneDX and SPDX in production.
CycloneDX and SPDX: Why Safeguard Supports Both and How We Normalize Between Them
The SBOM format debate misses the point. Safeguard ingests both CycloneDX and SPDX, normalizes to a common model, and lets you query and export in either format.
What is an SBOM Drift
SBOM drift is the gap between what your software bill of materials claims and what the artifact actually contains. Here's how it happens and how to detect it with a diff.
Migrating SBOM Tooling Providers
A practical field guide to switching SBOM tooling vendors without losing historical data, breaking compliance reports, or annoying the auditors.
Medical Device SBOM Requirements in Practice
SBOMs for medical devices look straightforward on paper and get complicated fast in the real world. A field report on what regulators actually accept and what engineering teams actually produce.