Vibgrate supports more than one supply-chain document format, and choosing the right one saves friction downstream. This reference explains the formats the Vibgrate CLI produces — CycloneDX, SPDX, and OpenVEX — and when to use each. It is written for developers and the teams that consume their SBOMs.
CycloneDX
CycloneDX is a widely adopted SBOM format with strong tooling support across security scanners and dependency-analysis tools. It is a sensible default for most teams. Export it with:
vg sbom export --format cyclonedx --out sbom.cdx.json
Use CycloneDX when you want broad compatibility with vulnerability and policy tooling, or when a consumer has not specified a format.
SPDX
SPDX is another standard SBOM format, common in license-compliance workflows and frequently requested in procurement and legal contexts. Export it with:
vg sbom export --format spdx --out sbom.spdx.json
Use SPDX when a customer, auditor, or legal process specifically asks for it.
OpenVEX
OpenVEX is not an inventory format — it is a way to state whether a known vulnerability actually affects your product. A VEX (Vulnerability Exploitability eXchange) document lets you record, in machine-readable form, decisions like "not affected, because the vulnerable code path is never reached." Vibgrate can generate OpenVEX documents so you can communicate exploitability alongside your SBOM.
Use OpenVEX when you need to reduce vulnerability noise with documented justifications, rather than leaving consumers to evaluate every advisory themselves.
Choosing a format
| Need | Use |
|---|---|
| Broad tooling compatibility, default inventory | CycloneDX |
| Procurement, legal, or license-compliance request | SPDX |
| State whether a vulnerability is exploitable | OpenVEX |
Many teams produce CycloneDX as their primary inventory and add SPDX or OpenVEX only when a specific consumer requires it.
Producing more than one
The formats are not mutually exclusive — run the export once per format you need:
vg sbom export --format cyclonedx --out sbom.cdx.json
vg sbom export --format spdx --out sbom.spdx.json
Tips
- Pick a primary format and standardize on it across releases.
- Confirm what your consumers expect before adding extra formats.
- Keep file naming consistent (for example
.cdx.jsonand.spdx.json) so artifacts are recognizable.
Related
- "Export a CycloneDX SBOM with Vibgrate CLI" for the step-by-step.
- "Detecting Vulnerable Dependencies" covers OpenVEX in context.
- See the vg sbom command documentation for all options.