Certified Kubernetes Security Specialist (CKS)
Supply Chain Security
SBOM Format
This article explores two widely adopted Software Bill of Materials (SBOM) formats: SPDX and CycloneDX. Both formats have distinct focuses—SPDX emphasizes licensing and legal compliance, while CycloneDX concentrates on security aspects such as identifying vulnerabilities and managing supply chain risks.
SPDX Format
SPDX is a comprehensive SBOM format that organizes information into several key sections to ensure thorough documentation of software packages.
Overview
The SPDX format is structured into the following sections:
- Document Information: Contains metadata about the SPDX document, including creator details, creation date, and version.
- Relationships: Defines how various components of the SBOM interrelate (e.g., file-to-package or dependency relationships).
- Package Information: Provides specific software package details such as name, version, supplier, and verification information (e.g., checksums).
- Snippets: Captures smaller sections of code or components, including excerpts from open-source libraries.
- File Information: Tracks individual files within the package.
- Additional Metadata: Offers extra details like notes, licensing information, and review records to ensure the SBOM’s accuracy.
Example: SPDX Document for NGINX Package
Below is an example JSON snippet representing an SPDX document for the NGINX package. This document follows the SPDX 2.3 specification and was generated by Anchore's Syft tool (version 1.13.0, as recorded in the creators field).
```json
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "nginx",
  "documentNamespace": "https://anchore.com/syft/image/nginx-2a35db70-da10-45cd-b82d-00921857780f",
  "creationInfo": {
    "licenseListVersion": "3.25",
    "creators": [
      "Organization: Anchore, Inc",
      "Tool: syft-1.13.0"
    ],
    "created": "2024-09-24T18:17:42Z"
  }
}
```
The dataLicense field records that the SBOM data itself is licensed under CC0 1.0, and creationInfo identifies who produced the document, with which tool, and when.
Example: SPDX Document for the Grep Package
The following JSON snippet shows the package entry for grep (version 3.8-5) from an SPDX document. It includes supplier information, licensing details, and security references (a CPE and a purl) that vulnerability scanners use to match the package against advisories.
```json
{
  "packages": [
    {
      "name": "grep",
      "SPDXID": "SPDXRef-Package-deb-grep-a86139312d2f5a59d",
      "versionInfo": "3.8-5",
      "supplier": "Person: Anibal Monsalve Salazar ([email protected])",
      "originator": "Person: Anibal Monsalve Salazar ([email protected])",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": true,
      "packageVerificationCode": {
        "packageVerificationCodeValue": "6da86e7e3a9f53bf5faee3942e2c8e2551ca7d8d"
      },
      "sourceInfo": "acquired package info from DPKG DB: /usr/share/doc/grep/copyright, /var/lib/dpkg/info/grep.md5sums, /var/lib/dpkg/status",
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "GPL-3.0-only AND GPL-3.0-or-later",
      "copyrightText": "NOASSERTION",
      "externalRefs": [
        {
          "referenceCategory": "SECURITY",
          "referenceType": "cpe23Type",
          "referenceLocator": "cpe:2.3:a:grep:grep:3.8-5:*:*:*:*:*:*:*"
        },
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:deb/debian/grep@3.8-5?arch=amd64&distro=debian-12"
        }
      ]
    }
  ]
}
```
Example: SPDX File Information for the pam_namespace.service File
This JSON snippet shows the file entry for the systemd unit file /usr/lib/systemd/system/pam_namespace.service, including its file type, checksums, and the image layer it was found in.
```json
{
  "files": [
    {
      "fileName": "/usr/lib/systemd/system/pam_namespace.service",
      "SPDXID": "SPDXRef-File---systemd-system-pam-namespace.service-87d70ca1b93138b1",
      "fileTypes": [
        "TEXT"
      ],
      "checksums": [
        {
          "algorithm": "SHA1",
          "checksumValue": "9b870dae75ff7a0c34eeb85e4c9c42a8cfdc10f8"
        },
        {
          "algorithm": "SHA256",
          "checksumValue": "e4dcd011776e596cbb73dcffde737aa043b5308fobf797a23d4229de54d716"
        }
      ],
      "licenseConcluded": "NOASSERTION",
      "licenseInfoInFiles": [
        "NOASSERTION"
      ],
      "copyrightText": "",
      "comment": "layerID: sha256:82e2ab394fabf575000041a8f0801b04e91c7027b7c174fe95332c7ebb6501cb"
    }
  ]
}
```
Note
This snippet records detailed metadata about the file, including its type and checksum information. License fields are set to "NOASSERTION" when the generator could not determine a definitive value; consumers should treat that as "unknown", not as "unlicensed".
CycloneDX Format
CycloneDX is designed as a lightweight SBOM format that places special emphasis on security and compliance. It is particularly useful for identifying vulnerabilities and managing component dependencies.
Overview
Key sections in the CycloneDX format include:
- BOM Metadata: Contains general information about the SBOM such as version, timestamp, and creator details.
- Components List: Enumerates the individual parts or modules within the software.
- Vulnerabilities: Lists known security vulnerabilities associated with the components.
- Software Services: Details any services associated with the software.
- Annotations: Provides additional notes or contextual information.
- Dependencies and Extensions: Offers further insights into component dependencies and extended metadata.
Example: CycloneDX BOM in JSON
The following JSON snippet illustrates a CycloneDX BOM generated for the nginx container image, showing the schema declaration, generation metadata (including the root container component), and one entry from the component list.
```json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:e7f6caab-6589-430d-bb7f-0076d23e9efb",
  "version": 1,
  "metadata": {
    "timestamp": "2024-09-24T18:46:28Z",
    "tools": {
      "components": [
        {
          "type": "application",
          "author": "anchore",
          "name": "syft",
          "version": "1.13.0"
        }
      ]
    },
    "component": {
      "bom-ref": "eb2d7db1213e6155",
      "type": "container",
      "name": "nginx",
      "version": "sha256:edf555d07d2ddeb6b616d9024442feac12a91310c9a156fa6f60cd602881a"
    },
    "properties": [
      {
        "name": "syft:image:labels:maintainer",
        "value": "NGINX Docker Maintainers <[email protected]>"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:deb/debian/[email protected]?arch=all&distro=debian-12&package-id=8a498975e59f569c2",
      "type": "library",
      "publisher": "Debian Adduser Developers <[email protected]>"
    }
  ]
}
```
Note
This CycloneDX BOM snippet shows how the format documents a containerized application: the image itself is the root component under metadata, the tool that generated the SBOM is recorded under metadata.tools, and each installed package appears in the components list with a purl as its bom-ref.
Comparison Between SPDX and CycloneDX
Both SPDX and CycloneDX are powerful SBOM formats, each with their own set of strengths. The table below summarizes their key differences:
Feature | SPDX | CycloneDX |
---|---|---|
Format & Complexity | Extensive metadata with focus on licensing and compliance. Available in JSON and RDF formats. | Lightweight format focusing on security and vulnerabilities. Available in JSON and XML formats. |
Security Focus | Detailed license data and compliance metrics. | Emphasizes vulnerability tracking and dependency management. |
Ease of Use | More complex due to extensive metadata coverage. | Simpler and more focused on security and compliance. |
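As an added example that is not part of this course page, the following Python normalizes both formats discussed above into one component list and reports components that a purl-keyed vulnerability scanner could not match. The embedded SPDX 2.3 and CycloneDX 1.6 documents are constructed samples shaped like the grep package entry, not Syft output.

```python
import json

# Constructed SPDX 2.3 sample (not Syft output): one package with a CPE
# (SECURITY) reference and a purl (PACKAGE-MANAGER) reference.
SPDX_SAMPLE = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [{
    "name": "grep", "versionInfo": "3.8-5", "licenseConcluded": "NOASSERTION",
    "licenseDeclared": "GPL-3.0-only AND GPL-3.0-or-later",
    "externalRefs": [
        {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
         "referenceLocator": "cpe:2.3:a:grep:grep:3.8-5:*:*:*:*:*:*:*"},
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:deb/debian/grep@3.8-5?arch=amd64"}]}]})

# Constructed CycloneDX 1.6 sample: the same package as a library component,
# plus a second component that carries no purl at all.
CDX_SAMPLE = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6",
    "version": 1, "components": [
        {"type": "library", "name": "grep", "version": "3.8-5",
         "purl": "pkg:deb/debian/grep@3.8-5?arch=amd64",
         "licenses": [{"license": {"id": "GPL-3.0-only"}},
                      {"license": {"id": "GPL-3.0-or-later"}}]},
        {"type": "library", "name": "vendored-blob", "version": "0.1"}]})


def normalize(sbom_json: str) -> list[dict]:
    """Flatten either format to [{name, version, purl, license}]."""
    doc = json.loads(sbom_json)
    rows = []
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            ids = [l["license"].get("id") or l["license"].get("name")
                   for l in c.get("licenses", []) if "license" in l]
            rows.append({"name": c["name"], "version": c.get("version"),
                         "purl": c.get("purl"), "license": " AND ".join(ids) or None})
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        for p in doc.get("packages", []):
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r["referenceLocator"].startswith("pkg:")), None)
            lic = p.get("licenseConcluded")  # NOASSERTION means "unknown"
            if lic in (None, "NOASSERTION"):  # fall back to the declared license
                lic = p.get("licenseDeclared")
            rows.append({"name": p["name"], "version": p.get("versionInfo"),
                         "purl": purl, "license": None if lic == "NOASSERTION" else lic})
    else:
        raise ValueError("not an SPDX 2.x or CycloneDX JSON document")
    return rows

def unmatchable(rows: list[dict]) -> list[str]:
    """Names a purl-keyed vulnerability scanner cannot match (no purl)."""
    return [r["name"] for r in rows if not r["purl"]]
```

Running unmatchable over a real Syft SBOM is a quick sanity check before feeding it to a scanner: any name it returns will silently receive no findings.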
Warning
When choosing an SBOM format, consider your focus—comprehensive legal and licensing details with SPDX versus streamlined security insights with CycloneDX.