Software Bill of Materials (SBOM) Format - Have a favorite?

Hey Liquibase Community! I am doing some research around SBOMs so we can put one in place. Anyone have any request for a specific format? There are three main ones in widespread use: (1) Software Package Data Exchange (SPDX), an open source machine-readable format with origins in the Linux Foundation; (2) CycloneDX (CDX), an open source machine-readable format with origins in the OWASP community; and (3) Software Identification (SWID).

Wondering if anyone has a specific need for one of these?

For the more curious: https://www.ntia.doc.gov/files/ntia/publications/sbom_formats_survey-version-2021.pdf

Thanks all.
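To make the comparison between the first two formats concrete, here is an added example (not from the thread or from Liquibase) that renders the same constructed component inventory as a minimal CycloneDX 1.4 JSON document and as a minimal SPDX 2.3 JSON document; the component names, versions and the `documentNamespace` URL are placeholders.

```python
import json

# Constructed sample inventory; names, versions and purls are illustrative only.
SAMPLE_COMPONENTS = [
    {"name": "example-lib", "version": "1.2.3", "purl": "pkg:maven/org.example/example-lib@1.2.3"},
    {"name": "other-lib", "version": "4.5.6", "purl": "pkg:maven/org.example/other-lib@4.5.6"},
]

def to_cyclonedx(app_name, app_version, components):
    """Minimal CycloneDX 1.4 BOM: bomFormat/specVersion identify the format itself."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": app_name, "version": app_version}},
        "components": [
            {"type": "library", "name": c["name"], "version": c["version"], "purl": c["purl"]}
            for c in components
        ],
    }

def to_spdx(app_name, app_version, components):
    """Minimal SPDX 2.3 document: each package needs an SPDXID and a DESCRIBES relationship."""
    packages, relationships = [], []
    for i, c in enumerate(components):
        spdx_id = f"SPDXRef-Package-{i}"
        packages.append({
            "SPDXID": spdx_id, "name": c["name"], "versionInfo": c["version"],
            "downloadLocation": "NOASSERTION", "filesAnalyzed": False,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl", "referenceLocator": c["purl"]}],
        })
        relationships.append({"spdxElementId": "SPDXRef-DOCUMENT",
                              "relationshipType": "DESCRIBES", "relatedSpdxElement": spdx_id})
    return {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{app_name}-{app_version}",
        "documentNamespace": f"https://example.invalid/spdx/{app_name}-{app_version}",  # placeholder
        "creationInfo": {"created": "2023-01-01T00:00:00Z", "creators": ["Tool: example-sbom-script"]},
        "packages": packages, "relationships": relationships,
    }

def purls(doc):
    """Extract package URLs from either format, showing where each format stores them."""
    if doc.get("bomFormat") == "CycloneDX":
        return sorted(c["purl"] for c in doc["components"])
    return sorted(r["referenceLocator"] for p in doc["packages"] for r in p["externalRefs"]
                  if r["referenceType"] == "purl")
```

Serialize either dict with `json.dumps(..., indent=2)` to see the full document; `purls()` shows that both formats carry the same identifiers, just in different places.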

Thanks for posting this for the community, @ktaggart

Would some of our most active community members on the forum please consider sharing your thoughts?
@daryldoak @MikeOlivas @StevenMassaro @cgirard @rcampbell - your input would be appreciated. :slight_smile:

Kindly,
Tabby

I am actually not familiar with SBOM. I’ll have to look deeper into this. Thanks.

I too am not familiar with this concept. Does anyone know of any other open source projects that produce a SBOM?

I know Jenkins has various BOMs, but I am not personally familiar with their formats. Linux Foundation has a bunch of training/materials: "Generating a Software Bill of Materials (LFC192) - Linux Foundation - Training". I think this is a good resource too: "Software Bill Of Materials: Formats, Use Cases, and Tools - FOSSA".