MedTech Terms

    SPDX

    An open SBOM and license-data format published as ISO/IEC 5962:2021.

    Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed May 5, 2026.

    Definition

    SPDX (Software Package Data Exchange) is an open specification, maintained by the Linux Foundation and standardized as ISO/IEC 5962:2021, for communicating software bill-of-materials information including components, licenses, copyrights, and security references. SPDX 3.0 (2024) extends the format with profiles for security, AI/ML, and dataset provenance. It is one of the two SBOM formats explicitly accepted by FDA (the other is CycloneDX).

    What the regulation says

    FDA's 2023 cybersecurity guidance accepts SPDX as a valid SBOM format. CISA's SBOM minimum elements (NTIA 2021) are satisfiable in SPDX. SPDX is widely used in government and enterprise settings because it is an ISO/IEC standard and integrates naturally with software-license compliance workflows that pre-date SBOM requirements.

    What this means in practice

    SPDX is most common in build pipelines that already use it for license compliance (e.g., automotive, aerospace, large enterprise software). For MedTech teams choosing fresh, CycloneDX is often easier to pair with VEX, but SPDX is fully acceptable to FDA and a better fit when license attribution is also a deliverable.

    Common pitfalls

    • Treating SPDX as solely a license-compliance artifact and omitting security-relevant metadata.
    • Producing SPDX 1.x or older 2.x output when modern tooling expects SPDX 2.3 or 3.0.
    • Hand-editing SPDX files instead of generating them from the build - drift is inevitable.
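    As an added example (not part of this glossary entry or of the SPDX project), the Python below checks a generated SPDX 2.3 JSON document against the first two pitfalls: it verifies the spdxVersion, maps the NTIA minimum elements to their SPDX 2.3 fields, and flags packages that carry license data but no supplier or purl/CPE identifier. The sample document is constructed for the example.

```python
import json

# Constructed sample SPDX 2.3 JSON document (not from any real product).
SAMPLE_DOC = {
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "pump-fw", "documentNamespace": "https://example.invalid/spdx/pump-fw-1.0",
    "creationInfo": {"created": "2026-05-05T12:00:00Z",
                     "creators": ["Tool: build-pipeline-0.1", "Organization: Example MedTech"]},
    "packages": [
        {"name": "pump-fw", "SPDXID": "SPDXRef-fw", "versionInfo": "1.0",
         "supplier": "Organization: Example MedTech", "downloadLocation": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/pump-fw@1.0"}]},
        # Library with license data only: what a license-compliance-only pipeline tends to emit.
        {"name": "zlib", "SPDXID": "SPDXRef-zlib", "versionInfo": "1.2.11",
         "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "licenseConcluded": "Zlib"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-fw"},
        {"spdxElementId": "SPDXRef-fw", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-zlib"},
    ],
}
SAMPLE_SBOM = json.dumps(SAMPLE_DOC)

ACCEPTED_VERSIONS = {"SPDX-2.3"}  # the 2.x release current tooling expects
IDENTIFIER_TYPES = {"purl", "cpe22Type", "cpe23Type", "swid"}  # identifiers vulnerability scanners match on

def check_sbom(sbom):
    """Return findings (empty list = passed) for an SPDX 2.3 JSON string or parsed dict."""
    doc = json.loads(sbom) if isinstance(sbom, str) else sbom
    findings = []
    if doc.get("spdxVersion") not in ACCEPTED_VERSIONS:
        findings.append(f"spdxVersion {doc.get('spdxVersion')!r} is not SPDX-2.3")
    for field, element in (("created", "timestamp"), ("creators", "author of SBOM data")):
        if not doc.get("creationInfo", {}).get(field):
            findings.append(f"missing creationInfo.{field} (NTIA: {element})")
    # Every package should appear on at least one side of a relationship.
    linked = {r.get(k) for r in doc.get("relationships", []) for k in ("spdxElementId", "relatedSpdxElement")}
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "<no SPDXID>")
        if not pkg.get("versionInfo"):
            findings.append(f"{pid}: missing versionInfo (NTIA: version)")
        if pkg.get("supplier") in (None, "NOASSERTION"):
            findings.append(f"{pid}: supplier missing or NOASSERTION (NTIA: supplier name)")
        if not any(r.get("referenceType") in IDENTIFIER_TYPES for r in pkg.get("externalRefs", [])):
            findings.append(f"{pid}: no purl/CPE/SWID externalRef (NTIA: unique identifier)")
        if pid not in linked:
            findings.append(f"{pid}: absent from relationships (NTIA: dependency relationship)")
    return findings
```

    Run against SAMPLE_SBOM, it passes the top-level and firmware checks and reports two findings for zlib, the package that would be invisible to vulnerability matching.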

    Frequently asked questions

    SPDX or CycloneDX?

    FDA accepts both equally. Pick whichever your toolchain emits natively.


    Primary references

    1. SPDX Specifications. Linux Foundation, spdx.dev
    2. ISO/IEC 5962:2021 (SPDX). ISO/IEC, iso.org
    3. FDA Cybersecurity Guidance (Sept 2023). FDA, fda.gov
