Commercial (Proprietary) Tools

These are tools offered by Commercial Vendors which are not open sourced.

CybeatsvSBOM Studio

Company Contact	Cybeats Technologies Inc.
SPDX Support	Produce(Analyze), Consume(Import), Transform(Translate), Transform(Merge), Enrich(Security Enrichment and Threat Modeling), Share(Secure Signed Sharing)
Additional Support	Enrich(Security Enrichment and Threat Modeling), Share(Secure Signed Sharing)
Functionality	Cybeats SBOM Studio is a cybersecurity software inventory analysis platform. It is built for the pre-market stages of IoT firmware development and helps device makers with mapping, management and design, and enrichment for IoT device’s firmware. Cybeats SBOM Studio generates SBOMs with the runtime data information for more precise identification of vulnerabilities and exploits abilities. The solution models and translates the data into enriched SBOMs. SBOM Studio exports and imports SPDX/CycloneDX formats and enriches the model with vulnerability and context based exploitability data providing visibility into threat modeling and threat intelligence angle of the device.
Location	Website: https://cybeats.com
Installation instructions	Contact: info@cybeats.com for demo
How to use:	Analyze: (Linux) Agent operating on device can scan and inventory system content and information Import: Model your solution in SBOM Studio and import source and binary SBOM files in SPDX or CycloneDX formats. Export: Export and share security signed SBOMS in SPDX and CycloneDX formats.
Versions supported:	SPDX 2.2

CyberProtek

Company Contact	MediSAO
SPDX Support	Produce(Analyze), Consume(Import), Transform(Translate)
Functionality	CyberProtek is an SBOM generation and translation tool for IoT that scans code metadata to create SBOMs, translates between SWID/SPDX/CycloneDx and manages vulnerabilities.
Location	Website: https://cyberprotek.com
Installation instructions	Entirely web based. Contact MedISAO for demo.
How to use	To import: Upload or paste SBOM into Import tab, or use supported scanning tool in development environment To export:Download SPDX from SBOM export tab as a text file.from web portal.
versions supported:	SPDX 2.1, SPDX 2.2 (WIP)?

DejaCode

Company	nexB Inc.
Product	DejaCode
SPDX Support	Produce (Analyze, Edit)
Functionality	DejaCode is an enterprise-level open source compliance application, powered by ScanCode. You can generate an SPDX 2.3 SBOM from your Product definitions.
Location	Website: https://enterprise.dejacode.com/ Information: https://nexb.com/
Installation instructions	Options include: Sign up for a free evaluation Become a DejaCode SaaS customer Install DejaCode on-premises
How to use	Define (review, approve) the details of your Product in DejaCode. Use the Share option to generate an SPDX 2.3 SBOM in .json format.
Versions supported	SPDX 2.3

FACT

Company	aDolus Technology Inc.
Product	FACT
SPDX Support	Produce(Analyze)
Functionality	Generates SBOMs for Industrial Control System (ICS) software and analyzes the created SBOMs to detect vulnerabilities, obsolescence, and malware.
Location	Website: https://www.adolus.com/ https://fact.adolus.com/Files/Analyze
Installation instructions	Contact aDolus for demo
How to use	Through website, API, or local install of tool
Version Supported	SPDX 2.2

FOSSID → Snyk

Company Contact	FOSSID AB
SPDX Support	Produce(Analyze), Consume(View), Consume(Diff), Consume(Import)
Functionality	FOSSID is a Software Composition Analysis tool that scans your code for open source licenses and vulnerabilities, and gives you full transparency and control of your software products and services.
Location	Website: https://fossid.com/
Installation instructions	Contact FOSSID
How to use	Contact FOSSID
versions supported:	SPDX 2.1, SPDX 2.2

Hub-SPDX (Black Duck Hub Report Utility)

Company Contact	Synopsys
SPDX Support	Produce(Analyze)
Functionality	Download a report in SPDX format from Black Duck Hub
Location	Website: https://github.com/blackducksoftware/bd_export_spdx2.2
Installation instructions	https://github.com/blackducksoftware/bd_export_spdx2.2#installation
How to Use	https://github.com/blackducksoftware/bd_export_spdx2.2#usage
versions supported:	SPDX 2.1, SPDX 2.2

MedScan

Company	Medsec
Product	MedScan
Support	Consume
Functionality	Consumes SBOM’s for helping hospitals manage medical device assets
Location	Website: https://medsec.com/medscan.html
Installation instructions	Virtualized appliance inside hospital, Webportal for user, Contact MedSec for demo
How to use	To import:Locate the device profile relevant to the SBOM, and select ‘add SBOM’ To export: locate the device profile desired and select ‘Download SBOM’
Version supported	Contact MedScan

Software Assurance Guardian Point Man (SAG-PM)

Company Contact	Reliable Energy Analytics LLC
SPDX Support	Consume(Import)
Functionality	Processes spdx SBOM’s as part of a seven step software supply chain risk assessment
Location	https://reliableenergyanalytics.com/products
Installation instructions	Contained in Company provided Documentation
How to use	Sag comprehensive {software install pkg} {Evidence output loc}
versions supported:	SPDX 2.2 in .spdx format

SourceAuditor

Company Contact	SourceAuditor
SPDX Support	Produce(Analyze), Consume(View), Consume(Diff, Consume(Import), Transformation(Translate)
Functionality	Supports SPDX document exports for full audit analysis of source and binaries. Supports consuming SPDX documents for incremental code audits.
Location	Website: https://sourceauditor.com/compliance/
Installation instructions	Contact gary@sourceauditor.com
How to use	Primarily used by consultants to generate SPDX documents for source code analysis and audits.
versions supported:	SPDX 1.2, SPDX 2.0, SPDX 2.1, SPDX 2.2, SPDX 2.3(WIP)

TrustSource

Company Contact	TrustSource
SPDX Support	Produce(Analyze),
Functionality	Contact TrustSource
Location	Website: https://www.trustsource.io/en/trustsource-home/
Installation instructions	Contact TrustSource
How to use	Primarily used by consultants to generate SPDX documents for source code analysis and audits.
versions supported:	SPDX 2.1(WIP), ?

Vigilant-ops

Company	Vigilant Ops
Product	InSight Platform
SPDX Support	Produce(Analyze), Consume (View), Transform (Translate), Transform(Tool Support)
Functionality	Vigilant Ops InSight is a cloud-based platform utilized by both Medical Device Manufacturers (MDM) and Healthcare Delivery Organizations (HDO). MDMs use the platform for generating, maintaining, and securely sharing medical device Cybersecurity Bill of Materials (CBOM) with HDOs. The InSight platform leverages advanced technology, artificial intelligence, and machine learning algorithms to continuously monitor public data sources for component vulnerability updates.
Location	Website: https://vigilant-ops.com/
Installation instructions	Web based platform. Visit https://vigilant-ops.com/ to request a demo OR email info@vigilant-ops.com
How to use	To Import: Import of SPDX not currently supported. To Export: Medical Device Manufacturers (MDM) can generate a CBOM in Vigilant Ops encrypted format using the CBOM Generator. This CBOM can then be uploaded to the web based InSight MDM application using the “Upload CBOM” option. The CBOM can then be exported in SPDX format using the “Export” menu option in the MDM application.
Version supported	SPDX 2.1

Vigiles

Company	Timesys
Product	Vigiles
SPDX Support	Produce (Build), Consume (View), Consume (Diff), Transform (Tool support)
Functionality	Vigiles is a Software Composition Analysis (SCA) tool that generates and analyzes Software Bill of Materials (SBOM) for publicly known cybersecurity vulnerabilities. In addition, Vigiles provides a complete vulnerability lifecycle management tool: discovery, prioritization, triaging, remediation, compliance and on-going monitoring/alerts.
Location	Website: https://timesys.com/vigiles
Installation instructions	Web based tool, register for a free account (https://timesys.com/solutions/vigiles-vulnerability-management/register/)
How to Use	https://linuxlink.timesys.com/docs/vigiles-vulnerability-monitoring-and-management-user-guide#SPDX-SBO
Version supported	SPDX 2.2