
SBOM evidence · 6 min read · Updated May 22, 2026

CycloneDX vs SPDX for CRA readiness workflows

How supported SBOM formats can feed intake, normalization, vulnerability review, and retained evidence.

For SBOM and platform owners

Both formats can support evidence workflows.

CycloneDX and SPDX are common SBOM formats. What matters operationally is whether the file can be ingested, retained, normalized, and connected to later review work.

Format support should be explicit.

Teams should confirm which CycloneDX or SPDX files their intake workflow accepts before relying on downstream review evidence.

Normalization connects format to review.

Once ingested, component data needs to become a reviewable product-version inventory that can be connected to CVE review and evidence history.
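The three steps above (check that the file is an accepted CycloneDX or SPDX version, retain the original with a fingerprint, and normalize components into a per-product-version inventory that a CVE review can query) fit in one short pipeline. The following is an added example written for this page, not CRA Ledger's own code: it detects the format and spec version of a JSON SBOM, rejects versions outside an assumed allow-list, hashes the original bytes as the retention record, flattens CycloneDX `components` and SPDX `packages` into a common shape, and indexes which released product versions ship a given package version. The two SBOMs and the product names are constructed sample data, and the accepted-version sets are an assumption a team would replace with its own intake policy.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional, Set, Tuple

# Constructed sample SBOMs (not from any real product); minimal but structurally valid.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "name": "zlib", "version": "1.3.1"},
    ],
}).encode()

SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-product-2.4.0",
    "packages": [
        {"name": "openssl", "versionInfo": "3.0.13",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:generic/openssl@3.0.13"}]},
        {"name": "curl", "versionInfo": "8.6.0"},
    ],
}).encode()

# Assumed intake policy: which format/spec versions this workflow accepts.
SUPPORTED = {"CycloneDX": {"1.4", "1.5", "1.6"}, "SPDX": {"SPDX-2.2", "SPDX-2.3"}}


@dataclass(frozen=True)
class Component:
    """Format-neutral component record shared by both SBOM formats."""
    name: str
    version: str
    purl: Optional[str]


@dataclass
class IngestRecord:
    """What is retained per SBOM: product anchor, format, fingerprint, inventory."""
    product: str
    product_version: str
    sbom_format: str
    spec_version: str
    sha256: str
    components: List[Component]


def detect_format(doc: dict) -> Tuple[str, str]:
    """Return (format, spec_version); raise ValueError if the file is not accepted."""
    if doc.get("bomFormat") == "CycloneDX":
        fmt, spec = "CycloneDX", str(doc.get("specVersion", ""))
    elif "spdxVersion" in doc:
        fmt, spec = "SPDX", str(doc["spdxVersion"])
    else:
        raise ValueError("not a recognised CycloneDX or SPDX JSON document")
    if spec not in SUPPORTED[fmt]:
        raise ValueError(f"{fmt} {spec} is not an accepted spec version")
    return fmt, spec


def accepted(raw: bytes) -> bool:
    """Intake gate: True only for parseable, policy-accepted SBOM files."""
    try:
        detect_format(json.loads(raw))
        return True
    except (ValueError, json.JSONDecodeError):
        return False


def _cyclonedx_components(doc: dict) -> Iterator[Component]:
    for c in doc.get("components", []):
        yield Component(c["name"], str(c.get("version", "")), c.get("purl"))


def _spdx_components(doc: dict) -> Iterator[Component]:
    for p in doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        yield Component(p["name"], str(p.get("versionInfo", "")), purl)


def ingest(raw: bytes, product: str, product_version: str) -> IngestRecord:
    """Validate, fingerprint the original bytes, and normalize into inventory."""
    doc = json.loads(raw)
    fmt, spec = detect_format(doc)
    extract = _cyclonedx_components if fmt == "CycloneDX" else _spdx_components
    comps = sorted(set(extract(doc)), key=lambda c: (c.name, c.version))
    return IngestRecord(product, product_version, fmt, spec,
                        hashlib.sha256(raw).hexdigest(), comps)


def inventory_index(records: Iterable[IngestRecord]) -> Dict[Tuple[str, str], Set[Tuple[str, str]]]:
    """Map (package, version) -> released product versions shipping it.

    This is the lookup a CVE review needs: given an affected package version,
    which product versions are exposed and need a triage decision.
    """
    idx: Dict[Tuple[str, str], Set[Tuple[str, str]]] = {}
    for r in records:
        for c in r.components:
            idx.setdefault((c.name, c.version), set()).add((r.product, r.product_version))
    return idx


if __name__ == "__main__":
    recs = [ingest(CYCLONEDX_SAMPLE, "example-product", "2.3.0"),
            ingest(SPDX_SAMPLE, "example-product", "2.4.0")]
    for r in recs:
        print(f"{r.product} {r.product_version}: {r.sbom_format} {r.spec_version} "
              f"sha256={r.sha256[:12]}... {len(r.components)} components")
    print("openssl 3.0.13 shipped in:", inventory_index(recs)[("openssl", "3.0.13")])
```

The fingerprint is taken over the original bytes before any parsing, so the retained file can later be shown to be the exact artifact the inventory and triage decisions were derived from; the normalized `Component` shape is what makes a CycloneDX-described release and an SPDX-described release answer the same CVE question.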

Product alignment

How CRA Ledger maps this into a workflow

Product-version record

Released versions are anchored with metadata.

SBOM retained

Original formats are retained with source-artifact context.

Vulnerability review tracked

CVE triage decisions document ownership.

Remediation status connected

Fix updates and SLA tracking stay visible.

Decisions & timestamps preserved

Provenance is recorded for every decision.

Readiness evidence summarized

Evidence summaries keep output context reviewable.

Notice

Operational guidance only. Confirm product scope and CRA duties with official sources and advisers.

CRA Ledger supports readiness workflows and evidence organization. It does not guarantee compliance or replace legal advice.
