The State of the SBOM Tool Ecosystems

A Comparative Analysis of SPDX and CycloneDX


Abstract

A Software Bill of Materials (SBOM) provides transparency and accountability for a software release by documenting the metadata of its components and their dependencies. However, the adoption and utility of SBOMs depend heavily on the tools that generate, analyze, and manage them. With two dominant SBOM formats, SPDX and CycloneDX, the ecosystems surrounding these formats vary significantly in maturity, tool support, and community engagement. We conduct a quantitative comparison of use cases for 108 open-source and 62 proprietary SBOM tools, compare the health metrics of each format's entire tool ecosystem (171 CycloneDX vs. 470 SPDX tools), analyze 36,990 GitHub issue reports, and investigate the characteristics of the top 250 open-source projects using each format's tools. Our findings reveal distinct characteristics: while projects using CycloneDX tools demonstrate higher developer engagement, SPDX tools benefit from a more mature and extensive ecosystem with broader tool availability.

Motivation


Methodology

An empirical study structured around four research questions (RQs), combining manual tool analysis, CHAOSS health metrics, GitHub issue mining, and CI pipeline adoption analysis.


Research Questions


RQ1

Use Case Coverage

Which use cases do the current SBOM tools support?


Use Case Support: SPDX vs. CycloneDX (Open-Source Tools)

Percentage of tools supporting each SBOM use case

RQ2

Ecosystem Health

How is the health of current OSS SBOM tools distributed?

Key Insight

CycloneDX tools generally exhibit higher contributor activity, more frequent commits, and shorter issue resolution times, reflecting stronger recent momentum. SPDX tools, however, benefit from a larger and more established ecosystem with broader tool availability (471 vs. 171 open-source tools). Practitioners should weigh both format maturity and ecosystem vitality.


CHAOSS Health Metrics Comparison

Median values across open-source tools in each ecosystem

RQ3

Areas for Improvement

What are the areas for improvement in the OSS SBOM tools?

36,990
GitHub Issues Analyzed

Across all open-source SPDX & CycloneDX tools

174%
Faster Bug Resolution

CycloneDX resolves bug-related issues 174% faster than SPDX

1.1%
SPDX 3.0 Adoption

Only 5 of 456 SPDX tool repos advertise SPDX 3.0 support

SPDX Issue Categories

Distribution of issue types

CycloneDX Issue Categories

Distribution of issue types

Regulatory Inflection Point

Issue activity shows a visible inflection following the 2021 NTIA executive order mandating SBOM adoption. This illustrates how external regulatory events can reshape open-source development dynamics at ecosystem scale.

RQ4

Adopter Project Profiles

How is the health of GitHub projects that use SBOM tools distributed?

Key Insight

Projects with a higher number of commits tend to adopt tools with reporting capabilities, while projects with fewer commits prefer tools focused on SBOM editing. More active projects (more stars, watchers, releases, PRs, contributors) are more likely to adopt CycloneDX-based tools.

Top-250 Adopter Project Comparison

Median health metrics of top-250 CI-adopting projects per format


Implications


Citation

If you use this work, please cite:
