Supported Formats & Standards
Supported SBOM formats, attestation types, and standards
Ensuring that your tools and solutions work seamlessly with your existing tech stack is paramount. SBOM Observer supports a wide range of industry-standard formats and attestation types.
Supported SBOM Formats
Below is a list of supported SBOM formats.
| SBOM standard | Formats | Version |
|---|---|---|
| CycloneDX | JSON, XML | 1.0 - 1.6 |
| SPDX | JSON, YAML, RDF (RDF/XML), tag:value (flat text file) | 2.1 - 2.3 |
Supported Attestation Types
SBOM Observer supports the following types of attestations:
| Attestation Type | Description |
|---|---|
| SBOM | Software Bill of Materials – A comprehensive inventory of software components. |
| HBOM | Hardware Bill of Materials – A detailed list of hardware components and their dependencies. |
| CBOM | Coming soon: Cryptography Bill of Materials – A detailed inventory of individual software components, including their dependencies and configuration details. |
| CSAF VEX | Coming soon: Common Security Advisory Framework Vulnerability Exploitability eXchange – A standardized format for sharing vulnerability information. |
| CycloneDX VEX | A vulnerability exchange format based on the CycloneDX standard, enabling the automated sharing of vulnerability information. |
| OpenVEX | An open standard for vulnerability exchange that facilitates the communication of vulnerability data and remediation guidance. |
| SLSA | Supply-chain Levels for Software Artifacts – A security framework outlining best practices to secure the software supply chain and verify the integrity of software artifacts. Observer supports SLSA Package Provenance. |