How to Read a CycloneDX SBOM: A Line-by-Line Walkthrough
A walkthrough of a CycloneDX 1.6 JSON document — metadata, components, services, dependencies, and vulnerabilities — with a real snippet and what to check first.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
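The five sections the walkthrough covers (metadata, components, services, dependencies, vulnerabilities) and the first checks worth running over each of them, as an added example; this is not code from the article or from Safeguard. The SBOM is a constructed snippet in CycloneDX 1.6 shape: the application and library names, bom-refs, the service endpoint and the vulnerability id EXAMPLE-0001 are made up, and the `triage` and `bom_refs` helpers are this example's own.

```python
"""Triage checks for a CycloneDX 1.6 JSON SBOM.

Added example, not code from the original article or from Safeguard.
SAMPLE_BOM is a constructed CycloneDX 1.6 document; names, bom-refs,
the endpoint and the vulnerability id are invented for illustration.
"""
import json
from typing import Dict, List

# Constructed CycloneDX 1.6 document (no real product or advisory behind it).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "metadata": {
        "timestamp": "2025-01-15T10:00:00Z",
        # metadata.component is the subject of the SBOM (what it describes).
        "component": {"type": "application", "name": "orders-api",
                      "version": "2.4.0", "bom-ref": "orders-api@2.4.0"},
    },
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "bom-ref": "pkg:generic/libfoo@1.2.3", "purl": "pkg:generic/libfoo@1.2.3",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}],
         "licenses": [{"license": {"id": "MIT"}}]},
        # Deliberately thin entry: no purl, no hashes, no licenses.
        {"type": "library", "name": "libbar", "version": "0.9.0",
         "bom-ref": "pkg:generic/libbar@0.9.0"},
    ],
    "services": [
        {"bom-ref": "svc:payments", "name": "payments-gateway",
         "endpoints": ["https://payments.example.internal/v1"]},
    ],
    "dependencies": [
        {"ref": "orders-api@2.4.0",
         "dependsOn": ["pkg:generic/libfoo@1.2.3", "pkg:generic/libbar@0.9.0"]},
        # Deliberately dangling: this dependsOn target is not declared anywhere.
        {"ref": "pkg:generic/libfoo@1.2.3", "dependsOn": ["pkg:generic/missing@1.0"]},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "source": {"name": "constructed"},
         "ratings": [{"severity": "high", "method": "CVSSv3", "score": 7.5}],
         "affects": [{"ref": "pkg:generic/libbar@0.9.0"}],
         # Embedded VEX statement: the supplier claims the finding does not apply.
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    ],
})


def bom_refs(bom: dict) -> Dict[str, dict]:
    """Index every addressable element (metadata.component, components, services) by bom-ref."""
    index: Dict[str, dict] = {}
    root = bom.get("metadata", {}).get("component")
    if root and root.get("bom-ref"):
        index[root["bom-ref"]] = root
    for element in bom.get("components", []) + bom.get("services", []):
        if element.get("bom-ref"):
            index[element["bom-ref"]] = element
    return index


def triage(bom_json: str) -> List[str]:
    """Return the first-pass findings a reviewer should look at, in document order."""
    bom = json.loads(bom_json)
    findings: List[str] = []
    # 1. Envelope: format, spec version and serial number identify the document.
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("envelope: bomFormat is not CycloneDX")
    if bom.get("specVersion") != "1.6":
        findings.append(f"envelope: specVersion {bom.get('specVersion')!r}, expected 1.6")
    if not str(bom.get("serialNumber", "")).startswith("urn:uuid:"):
        findings.append("envelope: serialNumber missing or not a urn:uuid")
    # 2. Metadata: an SBOM that does not name its subject cannot be matched to a build.
    root = bom.get("metadata", {}).get("component")
    if not root:
        findings.append("metadata: no metadata.component (subject of the SBOM)")
    refs = bom_refs(bom)
    # 3. Components: purl, hashes and licenses are what scanners and audits match on.
    for c in bom.get("components", []):
        label = f"{c.get('name')}@{c.get('version')}"
        for field in ("purl", "hashes", "licenses"):
            if not c.get(field):
                findings.append(f"component {label}: no {field}")
    # 4. Dependencies: every ref and dependsOn entry must resolve to a declared bom-ref,
    #    and the root component should have an entry, or the graph cannot be walked.
    declared = set()
    for d in bom.get("dependencies", []):
        declared.add(d.get("ref"))
        for r in [d.get("ref")] + d.get("dependsOn", []):
            if r not in refs:
                findings.append(f"dependencies: dangling ref {r!r}")
    if root and root.get("bom-ref") not in declared:
        findings.append("dependencies: root component has no dependency entry")
    # 5. Vulnerabilities: affects refs must resolve, and any VEX analysis state that
    #    downgrades a finding deserves a look at its justification before it is trusted.
    for v in bom.get("vulnerabilities", []):
        for a in v.get("affects", []):
            if a.get("ref") not in refs:
                findings.append(f"vulnerability {v.get('id')}: affects unknown ref {a.get('ref')!r}")
        state = v.get("analysis", {}).get("state")
        if state:
            findings.append(f"vulnerability {v.get('id')}: analysis state {state}, verify justification")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_BOM):
        print(finding)
```

On the constructed document this reports the thin libbar entry (no purl, hashes or licenses, so a scanner has nothing to match on), the dangling `pkg:generic/missing@1.0` reference in the dependency graph, and the `not_affected` VEX analysis on EXAMPLE-0001, which only holds if someone has actually reviewed the `code_not_reachable` justification. The same checks apply to a real generator's output, where the envelope and metadata problems tend to surface first.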
A senior engineer's survey of AI-BOM and ML-BOM standards in 2026, from CycloneDX ML components to SPDX 3.0 AI profile, and what to actually ship.
The Safeguard Research team measured SBOM quality across ecosystems and generators. The gaps between formats, tools, and languages are larger than most teams assume.
Practical answers to the most common CycloneDX vs SPDX questions: differences, tooling, regulatory preference, VEX support, and when to emit both.
Six tools generate SBOMs from Java projects. They disagree on transitive depth, license fields, and licensing of their own output. A head-to-head.
We scored 1,200 production SBOMs in 2024 across CycloneDX and SPDX. The quality distribution is worse than advertised and we have the numbers.
SBOMs for medical devices look straightforward on paper and get complicated fast in the real world. A field report on what regulators actually accept and what engineering teams actually produce.
A thorough review of Anchore's Syft SBOM generation tool, covering supported formats, language ecosystems, container scanning, and integration patterns.
Your supplier sends SPDX, your platform expects CycloneDX. Here's how to convert between SBOM formats without losing critical data.