Comparative Analysis of CycloneDX and SPDX from the Vulnerability Metadata Perspective and Considerations for Interoperability

Vol. 35, No. 2, pp. 415-424, April 2025
DOI: 10.13089/JKIISC.2025.35.2.415
Keywords: Software Supply Chain, SBOM, Vulnerability Management
Abstract

CycloneDX and SPDX are the two widely used SBOM (Software Bill of Materials) standards for software supply chain security management. Both were recently updated to make vulnerability management more efficient and the software supply chain more transparent. This paper reviews the latest updates to both standards and compares them with a focus on vulnerability metadata. The comparison shows that CycloneDX takes a vulnerability management-centered approach, whereas SPDX takes a vulnerability assessment-centered approach. An analysis of interoperability between the two standards further shows that complete conversion from one to the other is hindered by differences in how vulnerability information is represented and by constraints that each format imposes and the other does not. Several candidate solutions for these conversion problems are proposed.
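The representational gap the abstract describes can be made concrete by attempting the conversion. The following script is an added example, not code from the paper or from either standards project: it takes one CycloneDX 1.5 `vulnerabilities` entry (a constructed placeholder advisory, not a real vulnerability) and emits SPDX 3.0 Security-profile style elements, recording every CycloneDX field that has no faithful SPDX counterpart. The field and enum names follow the CycloneDX 1.5 JSON schema and the SPDX 3.0 Security profile as understood by the author of this example; the mapping tables (`STATE_TO_SPDX`, `JUSTIFICATION_TO_SPDX`, `RATING_TO_SPDX`), the `spdxId` prefix and the choice of which SPDX text field absorbs unmapped data are assumptions made here for illustration and are not the paper's proposed solutions.

```python
"""Added example: lossy CycloneDX -> SPDX 3.0 vulnerability conversion.
All mapping tables are assumptions of this example, not the paper's proposal."""
import json

# CycloneDX analysis.state -> (SPDX relationshipType, SPDX relationship class).
# None marks a state this example cannot represent as an SPDX VEX relationship.
STATE_TO_SPDX = {
    "not_affected": ("doesNotAffect", "VexNotAffectedVulnAssessmentRelationship"),
    "exploitable": ("affects", "VexAffectedVulnAssessmentRelationship"),
    "resolved": ("fixedIn", "VexFixedVulnAssessmentRelationship"),
    "resolved_with_pedigree": ("fixedIn", "VexFixedVulnAssessmentRelationship"),
    "in_triage": ("underInvestigationFor", "VexUnderInvestigationVulnAssessmentRelationship"),
    "false_positive": None,
}
# CycloneDX analysis.justification -> SPDX VexJustificationType (assumed mapping).
# CycloneDX values absent here (requires_configuration, requires_dependency,
# requires_environment, protected_by_*) get no one-to-one SPDX justification.
JUSTIFICATION_TO_SPDX = {
    "code_not_present": "vulnerableCodeNotPresent",
    "code_not_reachable": "vulnerableCodeNotInExecutePath",
    "protected_by_mitigating_control": "inlineMitigationsAlreadyExist",
}
# CycloneDX rating.method -> SPDX CVSS assessment relationship class (assumed).
RATING_TO_SPDX = {
    "CVSSv2": "CvssV2VulnAssessmentRelationship",
    "CVSSv3": "CvssV3VulnAssessmentRelationship",
    "CVSSv31": "CvssV3VulnAssessmentRelationship",
    "CVSSv4": "CvssV4VulnAssessmentRelationship",
}

# Constructed sample input: placeholder advisory ID and package, not real data.
CYCLONEDX_SAMPLE = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"bom-ref": "pkg:maven/org.example/parser@1.2.0",
                    "type": "library", "name": "parser", "version": "1.2.0"}],
    "vulnerabilities": [{
        "id": "EXAMPLE-2025-0001",
        "source": {"name": "constructed-sample"},
        "ratings": [{"method": "CVSSv31", "score": 7.5,
                     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],
        "analysis": {"state": "not_affected",
                     "justification": "requires_configuration",
                     "response": ["workaround_available"],
                     "detail": "Vulnerable path is only reachable with debug=true."},
        "affects": [{"ref": "pkg:maven/org.example/parser@1.2.0",
                     "versions": [{"range": "vers:maven/>=1.0.0|<1.3.0",
                                   "status": "affected"}]}],
    }],
}


def convert_vulnerability(vuln, prefix="https://example.invalid/spdx/"):
    """Return (spdx_elements, losses) for one CycloneDX vulnerability entry."""
    losses = []
    vuln_id = prefix + vuln["id"]  # assumed spdxId scheme
    targets = [a["ref"] for a in vuln.get("affects", [])]
    elements = [{"type": "security_Vulnerability", "spdxId": vuln_id,
                 "externalIdentifier": [{"type": "ExternalIdentifier",
                                         "externalIdentifierType": "securityOther",
                                         "identifier": vuln["id"]}]}]
    # Scores: each CycloneDX rating becomes one SPDX assessment relationship.
    for rating in vuln.get("ratings", []):
        cls = RATING_TO_SPDX.get(rating.get("method"))
        if cls is None:
            losses.append(f"rating method {rating.get('method')!r}: no SPDX assessment class")
            continue
        elements.append({"type": f"security_{cls}", "relationshipType": "hasAssessmentFor",
                         "from": vuln_id, "to": targets,
                         "score": rating.get("score"), "vectorString": rating.get("vector")})
    # Status: CycloneDX 'analysis' is triage data on the vulnerability itself;
    # SPDX expresses it as one typed VEX relationship towards the affected elements.
    analysis = vuln.get("analysis", {})
    mapped = STATE_TO_SPDX.get(analysis.get("state"))
    if mapped is None:
        losses.append(f"analysis.state {analysis.get('state')!r}: no SPDX VEX relationship type")
    else:
        rel_type, cls = mapped
        rel = {"type": f"security_{cls}", "relationshipType": rel_type,
               "from": vuln_id, "to": targets}
        if analysis.get("state") == "resolved_with_pedigree":
            losses.append("resolved_with_pedigree: pedigree distinction collapses into fixedIn")
        if "detail" in analysis:
            rel["statusNotes"] = analysis["detail"]
        just = analysis.get("justification")
        if rel_type == "doesNotAffect" and just:
            if just in JUSTIFICATION_TO_SPDX:
                rel["justificationType"] = JUSTIFICATION_TO_SPDX[just]
            else:  # keep the information, but only as free text
                losses.append(f"justification {just!r}: no SPDX VexJustificationType, kept as impactStatement text")
                rel["impactStatement"] = f"CycloneDX justification: {just}"
        if analysis.get("response"):
            if rel_type == "affects":
                rel["actionStatement"] = ", ".join(analysis["response"])
                losses.append("analysis.response enum values demoted to free-text actionStatement")
            else:
                losses.append("analysis.response: no SPDX field on a non-'affects' VEX relationship")
        elements.append(rel)
    # Version ranges: SPDX relationships point at elements, not at ranges.
    for affected in vuln.get("affects", []):
        for v in affected.get("versions", []):
            if "range" in v:
                losses.append(f"affects.versions range {v['range']!r} on {affected['ref']}: no SPDX element to attach to")
    return elements, losses


if __name__ == "__main__":
    for vuln in CYCLONEDX_SAMPLE["vulnerabilities"]:
        elements, losses = convert_vulnerability(vuln)
        print(json.dumps(elements, indent=2))
        print("Information lost in conversion:", *losses, sep="\n - ")
```

Running it on the sample yields three SPDX elements (the Vulnerability, one CVSS v3 assessment relationship and one `doesNotAffect` VEX relationship) and three recorded losses: the `requires_configuration` justification survives only as free text, the `response` list has nowhere to go on a `doesNotAffect` relationship, and the `vers` range cannot be attached to any SPDX element. Changing the sample's state to `false_positive` produces no VEX relationship at all, which is the kind of one-directional gap the paper's interoperability analysis points to.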


Cite this article
[IEEE Style]
김지민 and 이만희, "Comparative Analysis of CycloneDX and SPDX from Vulnerability Metadata Perspective and Considerations for Interoperability," Journal of The Korea Institute of Information Security and Cryptology, vol. 35, no. 2, pp. 415-424, 2025. DOI: 10.13089/JKIISC.2025.35.2.415.

[ACM Style]
김지민 and 이만희. 2025. Comparative Analysis of CycloneDX and SPDX from Vulnerability Metadata Perspective and Considerations for Interoperability. Journal of The Korea Institute of Information Security and Cryptology, 35, 2, (2025), 415-424. DOI: 10.13089/JKIISC.2025.35.2.415.