SPDX vs CycloneDX
If you are producing an SBOM, you will produce it in one of two formats: SPDX or CycloneDX. Here is where each came from, what each is good at, and how to choose.
5 min read · Updated June 26, 2026
Two standards, the same job
SPDX and CycloneDX are both open, machine-readable formats for describing the components in a piece of software. They overlap heavily, and most tooling can emit either. The differences come down to heritage: SPDX grew out of license compliance, and CycloneDX grew out of application security.
SPDX
SPDX (Software Package Data Exchange) is stewarded by the Linux Foundation and is an international standard: ISO/IEC 5962:2021, which standardized SPDX version 2.2.1. SPDX 3.0, released in April 2024, reorganized the spec into profiles (licensing, security, build, AI and dataset) but is not yet the ISO-published version, so an "ISO SBOM" today still refers to 2.2.1.
SPDX has the deepest support for license expressions and is the long-standing choice where licensing and compliance are the priority.
CycloneDX
CycloneDX is stewarded by OWASP and was ratified as an Ecma International standard, ECMA-424 (1st edition, June 2024, covering CycloneDX 1.6). It was designed security-first and has first-class support for vulnerabilities, VEX (exploitability statements), services, and machine-learning bills of materials.
CycloneDX tends to be the choice where vulnerability management and supply-chain security are the priority. It is also widely used in the application-security tooling ecosystem.
How to choose
| | SPDX | CycloneDX |
|---|---|---|
| Steward | Linux Foundation | OWASP |
| Standard | ISO/IEC 5962:2021 | ECMA-424 |
| Roots | License compliance | Application security |
| Strongest at | License expressions | Vulnerabilities and VEX |
In practice the choice matters less than people expect. Pick one as your default, generate it automatically in CI, and be ready to produce the other when a customer or regulator asks. Conversion tools exist, and many platforms ingest both, so you are rarely locked in.
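To show what "ingesting both" looks like in practice, here is an added example (not code from this page, from SPDX or from CycloneDX): a small Python normalizer that reads a minimal SPDX 2.2 JSON package list and a minimal CycloneDX 1.6 component list into one component view, and pulls VEX analysis states from the CycloneDX side, since SPDX 2.2.1 carries no vulnerability section of its own. Both documents, the package name, the purl, the license expression and the CVE id are constructed placeholders.

```python
# Constructed SPDX 2.2 document (minimal; package name, purl and license assumed).
SPDX_DOC = {
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "demo-app",
    "packages": [{
        "name": "example-lib", "SPDXID": "SPDXRef-Package-example-lib",
        "versionInfo": "1.2.3", "downloadLocation": "NOASSERTION",
        "licenseConcluded": "MIT AND (Apache-2.0 OR BSD-3-Clause)",
        "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                          "referenceLocator": "pkg:npm/example-lib@1.2.3"}]}]}

# Constructed CycloneDX 1.6 document; the CVE id is a placeholder, not a real one.
CDX_DOC = {
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [{
        "type": "library", "name": "example-lib", "version": "1.2.3",
        "bom-ref": "pkg:npm/example-lib@1.2.3", "purl": "pkg:npm/example-lib@1.2.3",
        "licenses": [{"expression": "MIT AND (Apache-2.0 OR BSD-3-Clause)"}]}],
    "vulnerabilities": [{
        "id": "CVE-0000-00000", "affects": [{"ref": "pkg:npm/example-lib@1.2.3"}],
        "analysis": {"state": "not_affected", "justification": "code_not_reachable"}}]}

def _cdx_license(comp):
    # A CycloneDX license entry is either a single license (id or name) or an expression.
    parts = [e["expression"] if "expression" in e
             else e.get("license", {}).get("id") or e.get("license", {}).get("name")
             for e in comp.get("licenses", [])]
    return " AND ".join(p for p in parts if p) or "NOASSERTION"

def _spdx_purl(pkg):
    # SPDX keeps the purl in externalRefs rather than in a dedicated field.
    return next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r.get("referenceType") == "purl"), None)

def normalize(doc):
    """Return [(name, version, purl, license)] from either format."""
    if doc.get("bomFormat") == "CycloneDX":
        return [(c["name"], c.get("version"), c.get("purl"), _cdx_license(c))
                for c in doc.get("components", [])]
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return [(p["name"], p.get("versionInfo"), _spdx_purl(p),
                 p.get("licenseConcluded", "NOASSERTION")) for p in doc.get("packages", [])]
    raise ValueError("not a recognised SBOM document")

def vex_states(doc):
    """Map purl -> VEX analysis state; {} for SPDX 2.2, which has no vulnerability section."""
    states = {}
    for vuln in doc.get("vulnerabilities", []) if doc.get("bomFormat") == "CycloneDX" else []:
        state = vuln.get("analysis", {}).get("state", "in_triage")  # assumed default
        for target in vuln.get("affects", []):
            states[target["ref"]] = state
    return states
```

Running `normalize` on both documents gives the same component tuple, which is the normalization a multi-format platform performs; only the CycloneDX input yields a VEX state.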
The honest answer
If compliance is your driver, lean SPDX. If security is your driver, lean CycloneDX. If you have no strong reason, CycloneDX is the more common default in modern security tooling. Either is a defensible choice.
Frequently asked questions
Is SPDX or CycloneDX better?
Neither is universally better. SPDX has deeper license-compliance roots and is an ISO standard; CycloneDX is security-first with strong vulnerability and VEX support and is an Ecma standard. Choose based on whether compliance or security is your primary driver.
Is SPDX an official standard?
Yes. SPDX 2.2.1 is published as ISO/IEC 5962:2021. SPDX 3.0 (2024) is newer but has not yet been published as an ISO update.
Is CycloneDX a standard?
Yes. CycloneDX 1.6 was ratified as Ecma International standard ECMA-424 (1st edition, June 2024). It is stewarded by OWASP.
Do I have to choose just one format?
No. Pick one as your default and generate it in CI, but conversion tools and multi-format platforms mean you can produce the other when asked. You are rarely locked into a single format.
Part of the software supply-chain field notes on this site. Written by Antoni K Pestka.