Formats and Encoding
Accepted SBOM and VEX formats, encoding rules, and validation
To ensure compatibility, automation, and ease of validation, SBOMs, VEX files, and VDRs must use specific formats and a single encoding method. This section describes which formats are accepted and how the files must be encoded.
Accepted SBOM formats
The following standardized formats are accepted for SBOMs. They define the structure and semantics used to describe software components, their relationships, and associated metadata.
Both CycloneDX and SPDX are supported. All required content listed on this site must be included regardless of the chosen standard.
| Standard | Version | Publisher | Status | Description |
|---|---|---|---|---|
| CycloneDX | 1.6 | OWASP Foundation | ECMA-424 standard | A lightweight, security-focused SBOM standard designed for software supply chain transparency. CycloneDX 1.6 is a stable release aligned with international standardization efforts and is intended for long-term support. |
| CycloneDX | 1.7 | OWASP Foundation | Expected ECMA-424, 2nd Edition | Minor update to the standard; rapid adoption and tool support are expected. |
| SPDX | 2.2.1, 2.3 | Linux Foundation / SPDX Workgroup | ISO/IEC 5962:2021 (SPDX 2.2.1) | A mature specification for describing software packages, licensing, and component relationships. Supported by a broad set of tools. |
| CSAF VEX/VDR | 2.0 | OASIS | ISO/IEC 20153:2025 | A structured format for communicating vulnerability data (VDR) and status (VEX). |
These are the primary versions referenced on this site, as they are formalized under ECMA and ISO standards.
Note: the SPDX 3.0 standard
The SPDX 3.0 spec, released April 2024, adds support for a variety of use cases, including VEX and VDR. However, it changes the data model substantially and moves to a JSON-LD serialization, and adoption and tool support remain minimal (as of fall 2025). It will take some time for this standard to become a viable alternative for operational use.
SBOM, VEX and VDR standards alignment
VEX and VDR artifacts should use the same standard as the SBOM they reference.
- If the SBOM is delivered in CycloneDX, VEX and VDR should also use CycloneDX.
- If the SBOM is delivered in SPDX, VEX and VDR should use either CycloneDX or CSAF, since SPDX 2.x has no VEX representation of its own.
- CSAF VEX documents are accepted from upstream/third-party suppliers regardless of the SBOM format used.
Other formats, such as OpenVEX, are not accepted unless explicitly approved.
Encoding
All SBOMs, VEX files, and VDRs must be JSON-encoded. JSON here means UTF-8 JSON without a byte-order mark, which is what RFC 8259 requires for JSON exchanged between systems.
Other encodings (such as XML, YAML, RDF, or Tag/Value) are not supported. JSON was selected because every accepted standard provides a JSON serialization with a published schema, tool support for it is the broadest, and a single encoding keeps automated validation at scale simple.
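The first check a practitioner runs on an incoming file is whether it is one of the accepted standards and versions in the table above, whether it is actually JSON, and whether the VEX/VDR standard matches the SBOM as the alignment rules require. The following Python script is an added example written for this page; it is not code from OWASP, SPDX or OASIS, and the sample documents embedded in it are constructed, not real SBOMs. It identifies a document from each standard's own self-identification field (CycloneDX `bomFormat`/`specVersion`, SPDX 2.x `spdxVersion`, CSAF `document.csaf_version`) and applies this page's rules. The `Verdict` class, the function names and the `SAMPLES` inputs are this example's own choices.

```python
"""Classify an SBOM / VEX / VDR document and check it against the format,
version and encoding rules on this page. Added example for this page, not a
tool from OWASP, SPDX or OASIS. Detection uses each standard's own
self-identification field (CycloneDX `bomFormat`/`specVersion`, SPDX 2.x
`spdxVersion`, CSAF `document.csaf_version`); the accepted set is this page's policy."""
import json
from dataclasses import dataclass
from typing import Optional

# Accepted (standard, version) pairs from the table above.
# SPDX 2.2.1 documents identify themselves as "SPDX-2.2" in `spdxVersion`.
ACCEPTED = {"CycloneDX": {"1.6", "1.7"}, "SPDX": {"SPDX-2.2", "SPDX-2.3"}, "CSAF": {"2.0"}}


@dataclass
class Verdict:
    accepted: bool
    standard: Optional[str]  # "CycloneDX", "SPDX", "CSAF" or None
    version: Optional[str]
    kind: Optional[str]      # "SBOM", "VEX/VDR" or the CSAF document category
    reason: str


def _load_json(raw: bytes) -> Optional[dict]:
    """Parsed JSON object, or None. RFC 8259 requires UTF-8 for interchanged JSON,
    so another character encoding (or a BOM) is rejected here as well."""
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return doc if isinstance(doc, dict) else None


def _decide(standard: str, version: str, kind: str) -> Verdict:
    if version in ACCEPTED[standard]:
        return Verdict(True, standard, version, kind, "accepted")
    return Verdict(False, standard, version, kind, f"{standard} {version} is not an accepted version")


def classify(raw: bytes) -> Verdict:
    """Identify the standard and version of a document and decide whether it is accepted."""
    doc = _load_json(raw)
    if doc is None:
        head = raw.lstrip()[:12]
        if head.startswith(b"<"):
            hint = "looks like XML"
        elif head.startswith(b"SPDXVersion:"):
            hint = "looks like SPDX tag/value"
        else:
            hint = "not a UTF-8 JSON object"
        return Verdict(False, None, None, None, f"encoding rejected: {hint}")
    # CycloneDX: SBOM, VEX and VDR share one schema; VEX/VDR carry `vulnerabilities`.
    if doc.get("bomFormat") == "CycloneDX":
        kind = "VEX/VDR" if doc.get("vulnerabilities") else "SBOM"
        return _decide("CycloneDX", str(doc.get("specVersion", "")), kind)
    # CSAF: the profile (csaf_vex, csaf_security_advisory, ...) is document.category.
    meta = doc.get("document")
    if isinstance(meta, dict) and "csaf_version" in meta:
        return _decide("CSAF", str(meta["csaf_version"]), str(meta.get("category", "unknown")))
    # SPDX 2.x JSON carries `spdxVersion`; SPDX 3.x is JSON-LD and declares an @context.
    if "spdxVersion" in doc:
        return _decide("SPDX", str(doc["spdxVersion"]), "SBOM")
    if "spdx" in str(doc.get("@context", "")).lower():
        return Verdict(False, "SPDX", "3.x", "SBOM", "SPDX 3.x (JSON-LD) is not accepted")
    return Verdict(False, None, None, None, "no CycloneDX, SPDX or CSAF markers found")


def alignment_ok(sbom_standard: str, vex_standard: str, third_party: bool = False) -> bool:
    """Alignment rules: CycloneDX SBOM -> CycloneDX VEX/VDR; SPDX SBOM -> CycloneDX or
    CSAF; a CSAF VEX from an upstream/third-party supplier is accepted regardless."""
    if third_party and vex_standard == "CSAF":
        return True
    if sbom_standard == "CycloneDX":
        return vex_standard == "CycloneDX"
    if sbom_standard == "SPDX":
        return vex_standard in ("CycloneDX", "CSAF")
    return False


# Constructed minimal inputs (not real SBOMs) that exercise each branch.
SAMPLES = {
    "cdx_sbom": b'{"bomFormat":"CycloneDX","specVersion":"1.6","components":[]}',
    "cdx_vex": b'{"bomFormat":"CycloneDX","specVersion":"1.7",'
               b'"vulnerabilities":[{"analysis":{"state":"not_affected"}}]}',
    "cdx_old": b'{"bomFormat":"CycloneDX","specVersion":"1.4"}',
    "cdx_xml": b'<?xml version="1.0"?><bom xmlns="http://cyclonedx.org/schema/bom/1.6"/>',
    "spdx_23": b'{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"example"}',
    "spdx_tv": b'SPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\n',
    "spdx_3": b'{"@context":"https://spdx.org/rdf/3.0.1/spdx-context.jsonld","@graph":[]}',
    "csaf_vex": b'{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"example"}}',
    "utf16": '{"bomFormat":"CycloneDX","specVersion":"1.6"}'.encode("utf-16"),
}


def run_samples() -> dict:
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name:9s} accepted={v.accepted!s:5s} {v.standard} {v.version} {v.kind}: {v.reason}")
```

This is a format, version and encoding gate only, not schema validation: a document that passes it should still be validated against the CycloneDX, SPDX or CSAF JSON schema for its version, which catches structurally invalid content that this identification step cannot see.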