0
The State of the SBOM Tool Ecosystems: A Comparative Analysis of SPDX and CycloneDX
arXiv:2512.21781v1 Announce Type: new
Abstract: A Software Bill of Materials (SBOM) provides transparency by documenting software component metadata and dependencies. However, SBOM adoption depends on tool ecosystems. With two dominant formats: SPDX and CycloneDX - the ecosystems vary significantly in maturity, tool support, and community engagement. We conduct a quantitative comparison of use cases for 170 publicly advertised SBOM tools, identifying enhancement areas for each format. We compare health metrics of both ecosystems (171 CycloneDX versus 470 SPDX tools) to evaluate robustness and maturity. We quantitatively compare 36,990 issue reports from open-source tools to identify challenges and development opportunities. Finally, we investigate the top 250 open-source projects using each tool ecosystem and compare their health metrics. Our findings reveal distinct characteristics: projects using CycloneDX tools demonstrate higher developer engagement and certain health indicators, while SPDX tools benefit from a more mature ecosystem with broader tool availability and established industry adoption. This research provides insights for developers, contributors, and practitioners regarding complementary strengths of these ecosystems and identifies opportunities for mutual enhancement.
Abstract: A Software Bill of Materials (SBOM) provides transparency by documenting software component metadata and dependencies. However, SBOM adoption depends on tool ecosystems. With two dominant formats: SPDX and CycloneDX - the ecosystems vary significantly in maturity, tool support, and community engagement. We conduct a quantitative comparison of use cases for 170 publicly advertised SBOM tools, identifying enhancement areas for each format. We compare health metrics of both ecosystems (171 CycloneDX versus 470 SPDX tools) to evaluate robustness and maturity. We quantitatively compare 36,990 issue reports from open-source tools to identify challenges and development opportunities. Finally, we investigate the top 250 open-source projects using each tool ecosystem and compare their health metrics. Our findings reveal distinct characteristics: projects using CycloneDX tools demonstrate higher developer engagement and certain health indicators, while SPDX tools benefit from a more mature ecosystem with broader tool availability and established industry adoption. This research provides insights for developers, contributors, and practitioners regarding complementary strengths of these ecosystems and identifies opportunities for mutual enhancement.
Anonymous
No comments yet.