Commercial (Proprietary) Tools
Black Duck SCA
Company Contact
Synopsys
SPDX Support
Produce, Import, Analyze
Functionality
Identify application dependencies, and export SPDX SBOM. Import SPDX documents. Analyze dependencies listed in SPDX documents.
Installation Instructions
Versions Supported
SPDX 2.2 and 2.3. Support for v3.0 is in progress.
BlackBerry® Jarvis™
Company Contact
BlackBerry Limited
SPDX Support
Produce (Analyze)
Functionality
BlackBerry Jarvis is a cloud based SCA and SAST tool for analyzing binary software images. It produces SBOM documents in SPDX format.
Installation Instructions
Cloud based platform. Contact BlackBerry for a trial or demo.
How to Use
Upload a binary software image using the Web interface or API.
Select “Download SPDX Report” in the scan results.
Versions Supported
SPDX 2.2
Cybeats SBOM Studio
Company Contact
Cybeats Technologies Inc.
SPDX Support
Produce(Analyze), Consume(Import), Transform(Translate), Transform(Merge)
Additional Support
Enrich(Security Enrichment and Threat Modeling), Share(Secure Signed Sharing)
Functionality
Cybeats SBOM Studio is a cybersecurity software inventory analysis platform. It is built for the pre-market stages of IoT firmware development and helps device makers map, manage, design, and enrich IoT device firmware. Cybeats SBOM Studio generates SBOMs that include runtime data for more precise identification of vulnerabilities and exploitability. The solution models and translates the data into enriched SBOMs. SBOM Studio exports and imports SPDX/CycloneDX formats and enriches the model with vulnerability and context-based exploitability data, providing visibility into the device from a threat modeling and threat intelligence angle.
Location
Website: https://cybeats.com
Installation Instructions
Contact info@cybeats.com for demo
How to Use
Analyze: A (Linux) agent operating on the device can scan and inventory system content and information.
Import: Model your solution in SBOM Studio and import source and binary SBOM files in SPDX or CycloneDX formats.
Export: Export and share security-signed SBOMs in SPDX and CycloneDX formats.
Versions Supported
SPDX 2.2
CyberProtek
Company Contact
MedISAO
SPDX Support
Produce(Analyze), Consume(Import), Transform(Translate)
Functionality
CyberProtek is an SBOM generation and translation tool for IoT that scans code metadata to create SBOMs, translates between SWID/SPDX/CycloneDX, and manages vulnerabilities.
Location
Website: https://cyberprotek.com
Installation Instructions
Entirely web-based. Contact MedISAO for a demo.
How to Use
To import: Upload or paste the SBOM into the Import tab, or use a supported scanning tool in the development environment.
To export: Download the SPDX document as a text file from the SBOM export tab of the web portal.
Versions Supported
SPDX 2.1, SPDX 2.2
DejaCode
Company Contact
nexB Inc.
SPDX Support
Produce (Analyze, Edit)
Functionality
DejaCode is an enterprise-level open source compliance application, powered by ScanCode. You can generate an SPDX 2.3 SBOM from your Product definitions.
Location
Website: https://enterprise.dejacode.com/
Information: https://nexb.com/
Installation Instructions
Options include:
- Sign up for a free evaluation
- Become a DejaCode SaaS customer
- Install DejaCode on-premises
How to Use
Define (review, approve) the details of your Product in DejaCode. Use the Share option to generate an SPDX 2.3 SBOM in .json format.
Versions Supported
SPDX 2.3
FACT
Company Contact
aDolus Technology Inc.
SPDX Support
Produce(Analyze)
Functionality
Generates SBOMs for Industrial Control System (ICS) software and analyzes the created SBOMs to detect vulnerabilities, obsolescence, and malware.
Location
Installation Instructions
Contact aDolus for a demo.
How to Use
Through the website, the API, or a local install of the tool.
Versions Supported
SPDX 2.2
Fortress File Integrity Assurance (FIA)
Company Contact
Fortress
SPDX Support
Produce (Analyze), Consume (Import, View, Diff), Transform (Translate)
Functionality
FIA can create SBOMs from binary or archive, consume externally provided SBOMs, enrich SBOMs with Fortress risk analysis, compare SBOM versions, and track components to support continuous monitoring.
Location
Installation Instructions
SaaS based application. Contact Fortress for a trial or demo.
How to Use
Versions Supported
SPDX 2.2
FOSSID
Company Contact
FOSSID AB
SPDX Support
Produce(Analyze), Consume(View), Consume(Diff), Consume(Import)
Functionality
FOSSID is a Software Composition Analysis tool that scans your code for open source licenses and vulnerabilities, and gives you full transparency and control of your software products and services.
Location
Website: https://fossid.com/
Installation Instructions
Contact FOSSID
How to Use
Contact FOSSID
Versions Supported
SPDX 2.1, SPDX 2.2 (WIP)
Interlynk
Company Contact
Interlynk Inc.
SPDX Support
Produce(Build), Consume(Import), Transform(Edit, Sign, Merge)
Additional Support
Enrich (Security, Licensing), Share (Secure, Trackable), End-to-end Automation
Functionality
Interlynk makes it possible to achieve automated SBOM compliance in real time. The Interlynk SBOM Platform builds, collects, patches, signs, and maintains SBOMs as soon as a product release is created. The capabilities include fixing common issues, merging part SBOMs into product SBOMs, and finalizing SBOMs for external sharing. The Platform also supports automated delivery to trusted partners and customers with complete and granular control over the SBOM data. A complete audit trail of releases and an access log of all SBOM compliance activities per partner make it suitable for sensitive workflows.
Location
Website: https://interlynk.io
Installation Instructions
Contact Interlynk: hello@interlynk.io
How to Use
SaaS platform with API support for CI/CD automation
Versions Supported
SPDX 2.2, SPDX 2.3
Manifest
Company Contact
Manifest Cyber, Inc.
SPDX Support
Produce (Build), Produce (Analyze), Consume(Import), Consume (Diff), Consume(View), Transform(Merge), Transform (Tool Integration)
Additional Support
Enrich (Security Enrichment and Remediation), Share (Signing and Secure Sharing)
Functionality
Manifest is an enterprise solution built to solve the entire SBOM lifecycle. The platform offers SBOM generation, solicitation, management, and secure sharing of both first- and third-party SBOMs in SPDX and CycloneDX formats. Other SBOM workflows include component analysis, license investigation, vulnerability scanning, monitoring, alerting, risk reporting, fix recommendations, and remediation ticketing. Manifest also empowers users to manage VEX documents, and easily integrates with other tools via flexible APIs.
Location
Website: https://www.manifestcyber.com/
Installation Instructions
Reach out to info@manifestcyber.com for a demo and to learn more.
How to Use
Manifest offers a web-based application, open APIs, a command line interface (CLI), and flexible CI/CD pipeline integration.
Versions Supported
SPDX 2.X
MedScan
Company Contact
Medsec
SPDX Support
Consume
Functionality
Consumes SBOMs for helping hospitals manage medical device assets.
Location
Website: https://medsec.com/medscan.html
Installation Instructions
Virtualized appliance inside the hospital; web portal for users. Contact MedSec for a demo.
How to Use
To import: Locate the device profile relevant to the SBOM and select ‘Add SBOM’.
To export: Locate the desired device profile and select ‘Download SBOM’.
Versions Supported
Revenera
Company Contact
Revenera (https://www.revenera.com)
SPDX Support
- Produce (build, analyze, diff, translate, merge)
- Consume (import, analyze, diff, translate, merge)
Functionality
- Construction of SBOMs via automated scanning & optional manual analysis for a complete and accurate SBOM beyond top-level components and declared dependencies in manifest files (including third-party and commercial)
- Export SBOM data in SPDX/CycloneDX formats along with human readable Excel/HTML
- Import third-party SPDX/CycloneDX SBOMs and normalize data into a single view of SBOM parts across the organization
- Analyze SBOM parts for compliance with legal and security policies
- Alerts for new security vulnerabilities for existing SBOM parts
- Advanced search using various criteria to identify impact across system
Location
Installation Instructions
Contact Revenera for a demo.
How to Use
SBOM Construction
- Perform scans as part of CI/CD pipeline or regular cadence/ad-hoc
- Analyze results for SBOM parts beyond package manager declarations (including third-party and commercial)
- Publish findings for review (automated via policy or manual)
- Generate SBOMs in various formats
SBOM Import
- Import third-party SPDX/CycloneDX SBOMs and normalize them into SBOM parts in a unified view across the system
Common Capabilities
- Analyze SBOM parts for compliance with legal and security policies
- Alerts for new security vulnerabilities for existing SBOM parts
- Advanced search using various criteria to identify impact across system
- Generate reports for various stakeholders (legal, security, engineering, release management, product management, OSPO)
- Rich API
Versions Supported
v2.2, v2.3, v3.0 (WIP)
RKVST SBOM Hub
Company Contact
Jitsuin Inc.
SPDX Support
Distribute
Functionality
RKVST SBOM HUB is the first place to find and fetch public or private SBOMs.
Location
Installation Instructions
Free to access SaaS
How to Use
https://support.rkvst.com/hc/en-gb/articles/4412493236241
Versions Supported
SBOM Observer
Company Contact
Bitfront AB
SPDX Support
Import, Analyze
Functionality
SBOM Observer provides a comprehensive SBOM workflow to help you manage your software supply chain. Leverage the powerful combination of the Policy Engine and Operational Model to guarantee the security and compliance of your software.
Location
Installation Instructions
SBOM Observer is a SaaS Platform
How to Use
SBOM Observer is a SaaS platform with a free live demo; to get started, see: Using SBOM Observer
Versions Supported
SPDX 2.1, SPDX 2.2, SPDX 2.3
Snyk
Company Contact
Snyk
SPDX Support
Produce(Build, Analyze), Consume(Import, View)
Functionality
Snyk is a developer security platform for the enterprise.
Through its Software Composition Analysis (SCA) products and integrations, Snyk supports the identification of packages and dependencies to produce an SBOM at various points in the SDLC — which can then be exported in SPDX format.
Snyk can produce SPDX-format SBOMs for container images, for manifest files in a file system, or for projects being monitored by Snyk. Snyk can also import SPDX-format SBOMs to analyze their packages and dependencies for known vulnerabilities present in its vulnerability database.
Location
Website – https://snyk.io
Installation Instructions
Contact Snyk for a demo.
How to Use
Snyk offers public APIs, a command line interface (CLI), integrations, and a web-based platform. Import and export of Software Bill of Materials is integrated with several parts of the Snyk platform.
Versions Supported
SPDX 2.3
Software Assurance Guardian Point Man (SAG-PM)
Company Contact
Reliable Energy Analytics LLC
SPDX Support
Consume(Import)
Functionality
Processes SPDX SBOMs as part of a seven-step software supply chain risk assessment.
Location
Installation Instructions
Contained in company-provided documentation.
How to Use
Sag comprehensive {software install pkg} {Evidence output loc}
Versions Supported
SPDX 2.2
SourceAuditor
Company Contact
SourceAuditor
SPDX Support
Produce(Analyze), Consume(View), Consume(Diff), Consume(Import), Transform(Translate)
Functionality
Supports SPDX document exports for full audit analysis of source and binaries. Supports consuming SPDX documents for incremental code audits.
Location
Installation Instructions
Contact gary@sourceauditor.com
How to Use
Primarily used by consultants to generate SPDX documents for source code analysis and audits.
Versions Supported
SPDX 1.2, SPDX 2.0, SPDX 2.1, SPDX 2.2, SPDX 2.3
TrustSource
Company Contact
TrustSource
SPDX Support
Produce(Analyze)
Functionality
Location
Installation Instructions
How to Use
Primarily used by consultants to generate SPDX documents for source code analysis and audits.
Versions Supported
SPDX 2.1 (WIP)
Vigilant Ops InSight
Company Contact
Vigilant Ops
SPDX Support
Produce(Analyze), Consume(View), Transform(Translate), Transform(Tool Support)
Functionality
Vigilant Ops InSight is a cloud-based platform used by both Medical Device Manufacturers (MDMs) and Healthcare Delivery Organizations (HDOs). MDMs use the platform to generate, maintain, and securely share medical device Cybersecurity Bills of Materials (CBOMs) with HDOs. The InSight platform leverages advanced technology, artificial intelligence, and machine learning algorithms to continuously monitor public data sources for component vulnerability updates.
Location
Website: https://vigilant-ops.com/
Installation Instructions
Web-based platform. Visit https://vigilant-ops.com/ to request a demo or email info@vigilant-ops.com.
How to Use
To Import: Import of SPDX not currently supported.
To Export: Medical Device Manufacturers (MDMs) can generate a CBOM in the Vigilant Ops encrypted format using the CBOM Generator. This CBOM can then be uploaded to the web-based InSight MDM application using the “Upload CBOM” option. The CBOM can then be exported in SPDX format using the “Export” menu option in the MDM application.
Versions Supported
SPDX 2.1
Vulert
Company Contact
info@vulert.com
SPDX Support
Import, Analyze
Functionality
Vulert is a cloud-based SCA solution that proactively monitors SBOM files for vulnerable dependencies. No installation is required. It provides real-time alerts and supports API integration for seamless CI/CD automation. Additionally, it is compatible with all major Security Information and Event Management (SIEM) tools.
Location
Installation Instructions
Web-based platform.
How to Use
To use Vulert, first register on the platform and integrate it with your applications—no code access or installations necessary. Set up your alert preferences for real-time vulnerability notifications and, if using CI/CD pipelines, incorporate the Vulert API for automated security checks. Ensure compatibility with your SIEM tool of choice for a holistic security overview.
Versions Supported
SPDX 2.1, 2.2, and 2.3