When discussing SBOMs, two prominent formats are widely recognized in the industry: SPDX (Software Package Data Exchange), backed by the Linux Foundation, and CycloneDX, supported by OWASP. Both schemas can be expressed in various data formats, such as XML, JSON, or YAML.
However, not all tools support both formats. Some tools can only generate, consume, or process one of the two, and some support only specific versions of these formats. As a result, a need emerged to convert SBOMs between SPDX and CycloneDX.
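To make the format and version mismatch concrete, the following added example (not code from this page or from either project) identifies which format and version a JSON SBOM uses and maps a subset of SPDX 2.x package fields to CycloneDX 1.5 components. The function names, the sample document and the default component type are assumptions made for illustration; the field names follow the SPDX 2.3 and CycloneDX 1.5 JSON schemas.

```python
# SPDX checksum algorithm names -> CycloneDX hash names (subset, for illustration).
HASH_ALG = {"MD5": "MD5", "SHA1": "SHA-1", "SHA256": "SHA-256", "SHA512": "SHA-512"}

# Constructed sample: a trimmed SPDX 2.3 JSON document, not real project data.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "requests", "versionInfo": "2.31.0", "licenseConcluded": "Apache-2.0",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "0" * 64}],
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
        {"name": "internal-lib", "licenseConcluded": "NOASSERTION"},
    ],
}

def detect_format(doc):
    """Return (format, version) of a parsed JSON SBOM, or raise ValueError."""
    if doc.get("bomFormat") == "CycloneDX":
        return "CycloneDX", str(doc.get("specVersion"))
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "SPDX", doc["spdxVersion"][len("SPDX-"):]
    raise ValueError("not a recognised SPDX or CycloneDX JSON document")

def spdx_to_cyclonedx(doc):
    """Map SPDX 2.x JSON packages to CycloneDX 1.5 components (lossy subset)."""
    fmt, version = detect_format(doc)
    if fmt != "SPDX" or not version.startswith("2."):
        raise ValueError(f"unsupported input: {fmt} {version}")
    components = []
    for pkg in doc.get("packages", []):
        # CycloneDX requires a component type; "library" is an assumed default here.
        comp = {"type": "library", "name": pkg["name"]}
        if pkg.get("versionInfo"):
            comp["version"] = pkg["versionInfo"]
        purls = [r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r.get("referenceType") == "purl"]
        if purls:
            comp["purl"] = purls[0]
        hashes = [{"alg": HASH_ALG[c["algorithm"]], "content": c["checksumValue"]}
                  for c in pkg.get("checksums", []) if c.get("algorithm") in HASH_ALG]
        if hashes:
            comp["hashes"] = hashes
        lic = pkg.get("licenseConcluded")
        if lic and lic not in ("NOASSERTION", "NONE"):  # SPDX "no data" markers
            comp["licenses"] = [{"expression": lic}]
        components.append(comp)
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components}
```

Fields outside this subset, such as SPDX relationships and file-level entries, are dropped by this sketch, so a converted SBOM should be checked against the source before it replaces it.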