What is the difference between SPDX and CycloneDX SBOM formats? [Intermediate]
Answer
SPDX and CycloneDX are two common SBOM formats. SPDX is widely used for license and package metadata, while CycloneDX is security-focused and commonly used for vulnerability management, dependency relationships, services, and security metadata. Both can be valid depending on ecosystem and tooling.
Technical explanation
SPDX originated in the license-compliance world and is built around software package data.
CycloneDX has strong adoption in application security and supports rich security use cases such as vulnerabilities, services, and compositions.
The best format is the one your scanners, artifact stores, customers, and compliance workflows can consume reliably.
Hands-on example
Example: generate CycloneDX for CI vulnerability workflows and customer security portals. Generate SPDX when legal/license compliance tooling requires it. Store both against the same image digest if the organization has both security and license-audit consumers.
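As an added illustration (not part of the original answer), the following Python builds a minimal CycloneDX 1.5 document and a minimal SPDX 2.3 document for the same constructed package list and placeholder image digest, then reconciles the two by package URL, which is the check a store holding both formats against one digest should run. The image name, digest, package entries and generator name are all constructed placeholders.

```python
import uuid
from datetime import datetime, timezone
# Constructed sample input: placeholder image digest and two packages (not real scan output).
IMAGE_DIGEST = "sha256:" + "0" * 64
IMAGE_NAME = "example/app"
COMPONENTS = [
    {"name": "openssl", "version": "3.0.13", "purl": "pkg:deb/debian/openssl@3.0.13", "license": "Apache-2.0"},
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0", "license": "Apache-2.0"},
]

def to_cyclonedx(components, digest, name):
    """Security view: bom-ref keyed components, explicit dependency graph, scanner-fillable vulnerabilities."""
    root = {"type": "container", "bom-ref": "image", "name": name, "version": digest}
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "metadata": {"component": root},
        "components": [{"type": "library", "bom-ref": c["purl"], "name": c["name"],
                        "version": c["version"], "purl": c["purl"],
                        "licenses": [{"license": {"id": c["license"]}}]} for c in components],
        "dependencies": [{"ref": "image", "dependsOn": [c["purl"] for c in components]}],
        "vulnerabilities": [],  # left empty here; a scanner appends findings against the bom-refs
    }

def to_spdx(components, digest, name):
    """License view: packages with concluded/declared licenses, tied to the document by DESCRIBES."""
    pkgs, rels = [], []
    for i, c in enumerate(components):
        spdx_id = f"SPDXRef-Package-{i}"
        pkgs.append({"SPDXID": spdx_id, "name": c["name"], "versionInfo": c["version"],
                     "downloadLocation": "NOASSERTION", "licenseConcluded": c["license"],
                     "licenseDeclared": c["license"],
                     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                                       "referenceType": "purl", "referenceLocator": c["purl"]}]})
        rels.append({"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                     "relatedSpdxElement": spdx_id})
    return {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
            "name": f"{name}@{digest}",  # the digest is the key both consumers look up
            "documentNamespace": f"https://sbom.example.invalid/{uuid.uuid4()}",
            "creationInfo": {"created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                             "creators": ["Tool: constructed-example-generator"]},
            "packages": pkgs, "relationships": rels}

def purls(sbom):
    """Read package URLs from either format so two SBOMs stored against one digest can be reconciled."""
    if sbom.get("bomFormat") == "CycloneDX":
        return {c["purl"] for c in sbom["components"]}
    return {r["referenceLocator"] for p in sbom["packages"]
            for r in p.get("externalRefs", []) if r["referenceType"] == "purl"}
```

A mismatch between `purls(cdx)` and `purls(spdx)` for the same digest means one generator saw a different package set, which is worth failing the pipeline on before either document is published.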