The State of the SBOM Tool Ecosystems: A Comparative Analysis of SPDX and CycloneDX

TL;DR

This paper compares the maturity, support, and community engagement of SPDX and CycloneDX SBOM tool ecosystems, revealing their distinct strengths and areas for improvement through quantitative analysis of tools, issues, and project health.

Contribution

It offers a comprehensive quantitative comparison of SPDX and CycloneDX ecosystems, highlighting their differences in maturity, support, and community engagement.

Findings

CycloneDX projects show higher developer engagement.

SPDX ecosystem is more mature with broader tool support.

Distinct characteristics and strengths of each ecosystem are identified.

Abstract

A Software Bill of Materials (SBOM) provides transparency by documenting software component metadata and dependencies. However, SBOM adoption depends on tool ecosystems. With two dominant formats: SPDX and CycloneDX - the ecosystems vary significantly in maturity, tool support, and community engagement. We conduct a quantitative comparison of use cases for 170 publicly advertised SBOM tools, identifying enhancement areas for each format. We compare health metrics of both ecosystems (171 CycloneDX versus 470 SPDX tools) to evaluate robustness and maturity. We quantitatively compare 36,990 issue reports from open-source tools to identify challenges and development opportunities. Finally, we investigate the top 250 open-source projects using each tool ecosystem and compare their health metrics. Our findings reveal distinct characteristics: projects using CycloneDX tools demonstrate higher developer engagement and certain health indicators, while SPDX tools benefit from a more mature ecosystem with broader tool availability and established industry adoption. This research provides insights for developers, contributors, and practitioners regarding complementary strengths of these ecosystems and identifies opportunities for mutual enhancement.