Skip to main content

SBOM Formats Supported by Vibgrate CLI

Vibgrate CLI exports CycloneDX and SPDX SBOMs and can generate OpenVEX documents. Learn what each format is for and how to choose the right one for your use case.

Vibgrate Docs

Vibgrate Help

Vibgrate supports more than one supply-chain document format, and choosing the right one saves friction downstream. This reference explains the formats the Vibgrate CLI produces — CycloneDX, SPDX, and OpenVEX — and when to use each. It is written for developers and the teams that consume their SBOMs.

CycloneDX

CycloneDX is a widely adopted SBOM format with strong tooling support across security scanners and dependency-analysis tools. It is a sensible default for most teams. Export it with:

vg sbom export --format cyclonedx --out sbom.cdx.json

Use CycloneDX when you want broad compatibility with vulnerability and policy tooling, or when a consumer has not specified a format.

SPDX

SPDX is another standard SBOM format, common in license-compliance workflows and frequently requested in procurement and legal contexts. Export it with:

vg sbom export --format spdx --out sbom.spdx.json

Use SPDX when a customer, auditor, or legal process specifically asks for it.

OpenVEX

OpenVEX is not an inventory format — it is a way to state whether a known vulnerability actually affects your product. A VEX (Vulnerability Exploitability eXchange) document lets you record, in machine-readable form, decisions like "not affected, because the vulnerable code path is never reached." Vibgrate can generate OpenVEX documents so you can communicate exploitability alongside your SBOM.

Use OpenVEX when you need to reduce vulnerability noise with documented justifications, rather than leaving consumers to evaluate every advisory themselves.

Choosing a format

NeedUse
Broad tooling compatibility, default inventoryCycloneDX
Procurement, legal, or license-compliance requestSPDX
State whether a vulnerability is exploitableOpenVEX

Many teams produce CycloneDX as their primary inventory and add SPDX or OpenVEX only when a specific consumer requires it.

Producing more than one

The formats are not mutually exclusive — run the export once per format you need:

vg sbom export --format cyclonedx --out sbom.cdx.json
vg sbom export --format spdx --out sbom.spdx.json

Tips

  • Pick a primary format and standardize on it across releases.
  • Confirm what your consumers expect before adding extra formats.
  • Keep file naming consistent (for example .cdx.json and .spdx.json) so artifacts are recognizable.

Related

  • "Export a CycloneDX SBOM with Vibgrate CLI" for the step-by-step.
  • "Detecting Vulnerable Dependencies" covers OpenVEX in context.
  • See the vg sbom command documentation for all options.

Related Commands