To start adopting SBOMs, especially to replace foreign-resources files, we should decide on a format first. There are two widely adopted formats: SPDX and CycloneDX.
This is as close as possible to a "tabs vs. spaces" situation. They are not really different and most tools work with both. But we need to pick one, otherwise we end up with a mess.
Some links:
- https://blog.sonatype.com/how-to-convert-your-sbom-between-spdx-and-cyclonedx-formats
- https://www.techtarget.com/searchSecurity/tip/SBOM-formats-compared-CycloneDX-vs-SPDX-vs-SWID-Tags
Notes:
- We already use SPDX license headers in puppet
- Generating CDX SBOMs from composer.lock files is easier (the tooling is lacking for SPDX)
- There are tools to convert one to another, so it shouldn't be hard to change it in the future.
I'd say let's vote for it and call it a day?
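To make the note about generating CycloneDX SBOMs from composer.lock concrete, here is an added example (not part of the original post and not one of the existing SBOM tools): a minimal converter that reads the `packages` / `packages-dev` arrays of a composer.lock file and emits a CycloneDX 1.4 JSON document with a package-url per component and SPDX license identifiers carried through from the lock file. The composer.lock content is constructed for the example, the property name `composer:dist:reference` is a naming convention of this example rather than an established one, and mapping dev dependencies to CycloneDX scope `optional` is a choice made here.

```python
from __future__ import annotations

import json
from typing import Any

# Constructed sample composer.lock (not from any real project), trimmed to the
# fields this converter reads. The dev package deliberately has no license so
# the completeness check below has something to report.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "example/http-client", "version": "v2.1.0", "license": ["MIT"],
         "dist": {"type": "zip", "reference": "0123456789abcdef0123456789abcdef01234567"}},
        {"name": "example/yaml", "version": "3.0.4", "license": ["BSD-3-Clause"],
         "dist": {"type": "zip", "reference": "fedcba9876543210fedcba9876543210fedcba98"}},
    ],
    "packages-dev": [
        {"name": "example/phpunit-helper", "version": "1.0.0",
         "dist": {"type": "zip", "reference": "89abcdef0123456789abcdef0123456789abcdef"}},
    ],
})


def package_url(name: str, version: str) -> str:
    """Build the package-url (purl) for a Composer package.

    composer.lock versions often carry a leading "v" that purl conventions
    drop, so the prefix is stripped here.
    """
    return f"pkg:composer/{name}@{version.lstrip('v')}"


def lock_package_to_component(pkg: dict[str, Any], scope: str) -> dict[str, Any]:
    """Map one composer.lock package entry onto a CycloneDX component."""
    component: dict[str, Any] = {
        "type": "library",
        "name": pkg["name"],
        "version": pkg["version"].lstrip("v"),
        "purl": package_url(pkg["name"], pkg["version"]),
        "scope": scope,  # CycloneDX scope: "required" or "optional"
    }
    # composer.lock already uses SPDX license identifiers, which CycloneDX
    # accepts directly as license "id" values.
    licenses = [{"license": {"id": lic}} for lic in pkg.get("license", [])]
    if licenses:
        component["licenses"] = licenses
    # The dist reference is a VCS commit id, not a content hash, so it goes
    # into a free-form property rather than the "hashes" field. The property
    # name is this example's own convention (assumption, not a standard name).
    ref = pkg.get("dist", {}).get("reference")
    if ref:
        component["properties"] = [{"name": "composer:dist:reference", "value": ref}]
    return component


def composer_lock_to_cyclonedx(lock_text: str) -> dict[str, Any]:
    """Produce a CycloneDX 1.4 JSON document (as a dict) from composer.lock text.

    Runtime dependencies become scope "required"; dev dependencies are mapped
    to scope "optional" (a choice made in this example).
    """
    lock = json.loads(lock_text)
    components = [lock_package_to_component(p, "required") for p in lock.get("packages", [])]
    components += [lock_package_to_component(p, "optional") for p in lock.get("packages-dev", [])]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": components,
    }


def components_without_license(bom: dict[str, Any]) -> list[str]:
    """Names of components that carry no license, the gap a license review
    would want flagged before the SBOM is published."""
    return [c["name"] for c in bom["components"] if not c.get("licenses")]


if __name__ == "__main__":
    sbom = composer_lock_to_cyclonedx(SAMPLE_COMPOSER_LOCK)
    print(json.dumps(sbom, indent=2))
    print("components without license:", components_without_license(sbom))
```

Running the module prints the generated document and then lists `example/phpunit-helper` as the one component lacking a license; pointing `composer_lock_to_cyclonedx` at a real composer.lock only requires reading the file's text first.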