SBOM Formats

A Software Bill of Materials (SBOM) is a machine-readable inventory of the components that make up your software, including transitive dependencies. Rorix can emit it in two industry-standard formats.

CycloneDX

CycloneDX is an OWASP project designed for application security and supply chain analysis; the specification was also published as the ECMA-424 standard in 2024.

Output Formats

  • JSON (default)
  • XML

What It Includes

  • Component name, version, and publisher
  • Package URLs (purl) for precise identification
  • License information (SPDX identifiers)
  • Known vulnerabilities mapped to each component
  • Dependency graph with transitive relationships
  • Hash digests for integrity verification

Generate CycloneDX

rorix sbom --format cyclonedx --output sbom.cdx.json

SPDX

SPDX (Software Package Data Exchange) is an ISO/IEC 5962:2021 international standard maintained by the Linux Foundation.

Output Format

  • JSON

What It Includes

  • Package metadata and relationships
  • License information with SPDX expressions
  • File-level details when available
  • External references and download locations
  • Document-level metadata (creator, creation date)

Generate SPDX

rorix sbom --format spdx --output sbom.spdx.json

Comparison

| Feature | CycloneDX | SPDX |
| --- | --- | --- |
| Primary focus | Security and vulnerability tracking | License compliance and provenance |
| Vulnerability data | Can be embedded in the SBOM (a snapshot at generation time) | Not in SPDX 2.x; delivered as separate VEX documents |
| ISO standard | No (published as ECMA-424) | Yes (ISO/IEC 5962:2021) |
| Government requirements | Named in the NTIA minimum-elements guidance | Named in the NTIA minimum-elements guidance |
| Ecosystem support | npm, NuGet, Maven, PyPI | Broad cross-ecosystem |
| Output formats | JSON, XML | JSON |
| Dependency graph | Full transitive graph (dependencies array) | Relationship descriptions (DEPENDS_ON and related types) |
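The two "What It Includes" lists and the table above describe the same data carried in two different shapes. The following added example, which is not Rorix's code and not part of the original page, parses a constructed CycloneDX 1.5 JSON document and a constructed SPDX 2.3 JSON document into one component graph and then runs the same consumer-side checks on both: walk the transitive dependency graph from the root component, flag components that lack a purl or a hash digest, flag dependency edges that point at undeclared components, and flag components that are declared but unreachable from the root (an incomplete graph). The sample documents, the package names and the `audit` helper are assumptions for illustration; only the Python standard library is used.

```python
import json
from collections import deque

# Constructed sample SBOMs (not Rorix output) for a hypothetical "webapp" 1.0.0, one per format.
CYCLONEDX_DOC = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "webapp", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:npm/express@4.18.2", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2", "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"bom-ref": "pkg:npm/qs@6.11.0", "name": "qs", "version": "6.11.0",
         "purl": "pkg:npm/qs@6.11.0"},  # deliberate gap: no hash
        {"bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},  # deliberate gap: declared but nothing depends on it
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/express@4.18.2"]},
        {"ref": "pkg:npm/express@4.18.2", "dependsOn": ["pkg:npm/qs@6.11.0"]},
    ],
})

SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "webapp-1.0.0",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "webapp", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-express", "name": "express", "versionInfo": "4.18.2",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "ab" * 32}],
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/express@4.18.2"}]},
        {"SPDXID": "SPDXRef-qs", "name": "qs", "versionInfo": "6.11.0"},  # deliberate gap: no purl, no hash
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-express"},
        {"spdxElementId": "SPDXRef-express", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-qs"},
    ],
})


def load_graph(text):
    """Parse either format into (root_id, components, edges): id -> metadata, id -> ids it depends on."""
    doc = json.loads(text)
    comps, edges, root_id = {}, {}, None
    if doc.get("bomFormat") == "CycloneDX":
        root = doc["metadata"]["component"]
        root_id = root.setdefault("bom-ref", "root")  # bom-ref is optional on the root component
        for c in [root] + doc.get("components", []):
            comps[c["bom-ref"]] = {"name": c["name"], "version": c.get("version"), "purl": c.get("purl"),
                                   "hashes": {h["alg"]: h["content"] for h in c.get("hashes", [])}}
        for d in doc.get("dependencies", []):  # the graph is the top-level dependencies array
            edges.setdefault(d["ref"], set()).update(d.get("dependsOn", []))
    elif doc.get("spdxVersion", "").startswith("SPDX-"):
        # Root is whatever the document DESCRIBES; purl is an externalRef; graph is relationships.
        for p in doc.get("packages", []):
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            comps[p["SPDXID"]] = {"name": p["name"], "version": p.get("versionInfo"), "purl": purl,
                                  "hashes": {c["algorithm"]: c["checksumValue"] for c in p.get("checksums", [])}}
        for r in doc.get("relationships", []):
            kind, src, dst = r["relationshipType"], r["spdxElementId"], r["relatedSpdxElement"]
            if kind == "DESCRIBES" and src == doc["SPDXID"]:
                root_id = dst
            elif kind == "DEPENDS_ON":
                edges.setdefault(src, set()).add(dst)
            elif kind == "DEPENDENCY_OF":  # the same edge, written from the dependency's side
                edges.setdefault(dst, set()).add(src)
    else:
        raise ValueError("not a CycloneDX or SPDX JSON document")
    if root_id not in comps:
        raise ValueError("SBOM does not identify a root component")
    return root_id, comps, edges


def transitive_deps(root_id, edges):
    """Breadth-first walk from the root; returns every id reachable from it (cycle-safe, root excluded)."""
    seen, queue = {root_id}, deque([root_id])
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {root_id}


def audit(text):
    root_id, comps, edges = load_graph(text)
    reachable = transitive_deps(root_id, edges)
    findings = []
    for cid in sorted(reachable):
        c = comps.get(cid)
        if c is None:       # an edge points at a component the SBOM never declares
            findings.append((cid, "dangling reference"))
            continue
        if not c["purl"]:   # without a purl, scanners cannot match advisories to it
            findings.append((cid, "missing purl"))
        if not c["hashes"]:  # without a digest, the shipped artifact cannot be verified
            findings.append((cid, "missing hash"))
    orphans = sorted(set(comps) - reachable - {root_id})  # declared but unreachable: graph is incomplete
    return {"root": comps[root_id]["name"], "reachable": len(reachable), "findings": findings, "orphans": orphans}
```

Run `audit(CYCLONEDX_DOC)` and `audit(SPDX_DOC)` on the constructed samples: both resolve the same root and the same two transitive dependencies, the CycloneDX document reports `qs` as missing a hash and `lodash` as an orphan, and the SPDX document reports `qs` as missing both a purl and a hash. The same checks apply to a file written by `rorix sbom`; a component with no purl will silently fall out of vulnerability matching, which is the failure mode the "Known vulnerabilities" and "Package URLs" bullets above exist to prevent.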

Which Format Should You Use?

  • CycloneDX is recommended if your primary concern is vulnerability management and security analysis. It can embed vulnerability data directly in the SBOM. Keep in mind that embedded vulnerability data is a snapshot taken at generation time: regenerate the SBOM, or distribute a VEX document alongside it, as new advisories are published.
  • SPDX is recommended if you need to meet ISO compliance requirements or if license compliance is your primary concern.

Both formats are among the data formats named in the NTIA "Minimum Elements for an SBOM" guidance issued under U.S. Executive Order 14028; the order itself does not mandate a specific format.