
Commercial (Proprietary) Tools

These tools are offered by commercial vendors and are not open source.

Black Duck SCA

Company Contact

Synopsys

SPDX Support

Produce, Import, Analyze

Functionality

Identify application dependencies and export an SPDX SBOM. Import SPDX documents. Analyze dependencies listed in SPDX documents.

Versions Supported

SPDX 2.2 and 2.3; support for SPDX 3.0 is in progress.

BlackBerry® Jarvis™

Company Contact

BlackBerry Limited

SPDX Support

Produce (Analyze)

Functionality

BlackBerry Jarvis is a cloud-based SCA and SAST tool for analyzing binary software images. It produces SBOM documents in SPDX format.

Installation Instructions

Cloud-based platform. Contact BlackBerry for a trial or demo.

How to Use

Upload a binary software image using the Web interface or API.

Select “Download SPDX Report” in the scan results.

Versions Supported

SPDX 2.2

Cybeats SBOM Studio

Company Contact

Cybeats Technologies Inc.

SPDX Support

Produce(Analyze), Consume(Import), Transform(Translate), Transform(Merge)

Additional Support

Enrich(Security Enrichment and Threat Modeling), Share(Secure Signed Sharing)

Functionality

Cybeats SBOM Studio is a cybersecurity software inventory analysis platform built for the pre-market stages of IoT firmware development. It helps device makers with the mapping, management, design, and enrichment of IoT device firmware. SBOM Studio generates SBOMs that include runtime data for more precise identification of vulnerabilities and their exploitability, models that data, and translates it into enriched SBOMs. It imports and exports SPDX and CycloneDX formats and enriches the model with vulnerability and context-based exploitability data, giving visibility into the device from a threat modeling and threat intelligence angle.

Location

Installation Instructions

Contact info@cybeats.com for a demo.

How to Use

Analyze: a Linux agent running on the device scans and inventories system content and information.

Import: Model your solution in SBOM Studio and import source and binary SBOM files in SPDX or CycloneDX formats.

Export: Export and share securely signed SBOMs in SPDX and CycloneDX formats.

Versions Supported

SPDX 2.2

CyberProtek

Company Contact

MedISAO

SPDX Support

Produce(Analyze), Consume(Import), Transform(Translate)

Functionality

CyberProtek is an SBOM generation and translation tool for IoT that scans code metadata to create SBOMs, translates between SWID, SPDX, and CycloneDX, and manages vulnerabilities.

Location

Installation Instructions

Entirely web-based. Contact MedISAO for a demo.

How to Use

To import: Upload or paste the SBOM into the Import tab, or use a supported scanning tool in the development environment.

To export: Download the SPDX document from the SBOM export tab of the web portal as a text file.

Versions Supported

SPDX 2.1, SPDX 2.2

DejaCode

Company Contact

nexB Inc.

SPDX Support

Produce (Analyze, Edit)

Functionality

DejaCode is an enterprise-level open source compliance application, powered by ScanCode. You can generate an SPDX 2.3 SBOM from your Product definitions.

Location

Installation Instructions

Options include: 

  • Sign up for a free evaluation
  • Become a DejaCode SaaS customer
  • Install DejaCode on-premises

How to Use

Define (review, approve) the details of your Product in DejaCode. Use the Share option to generate an SPDX 2.3 SBOM in .json format.

Versions Supported

SPDX 2.3

FACT

Company Contact

aDolus Technology Inc.

SPDX Support

Produce(Analyze)

Functionality

Generates SBOMs for Industrial Control System (ICS) software and analyzes the created SBOMs to detect vulnerabilities, obsolescence, and malware.

Installation Instructions

Contact aDolus for a demo.

How to Use

Through the website, the API, or a local install of the tool.

Versions Supported

SPDX 2.2

Fortress File Integrity Assurance (FIA)

Company Contact

Fortress

SPDX Support

Produce (Analyze), Consume (Import, View, Diff), Transform (Translate)

Functionality

FIA can create SBOMs from a binary or archive, consume externally provided SBOMs, enrich SBOMs with Fortress risk analysis, compare SBOM versions, and track components to support continuous monitoring.

Installation Instructions

SaaS-based application. Contact Fortress for a trial or demo.

Versions Supported

SPDX 2.2

FOSSID

Company Contact

FOSSID AB

SPDX Support

Produce(Analyze), Consume(View), Consume(Diff), Consume(Import)

Functionality

FOSSID is a Software Composition Analysis tool that scans your code for open source licenses and vulnerabilities, and gives you full transparency and control of your software products and services.

Location

Installation Instructions

Contact FOSSID

How to Use

Contact FOSSID

Versions Supported

SPDX 2.1, SPDX 2.2 (WIP)

Manifest

Company Contact

Manifest Cyber, Inc.

SPDX Support

Produce (Build), Produce (Analyze), Consume(Import), Consume (Diff), Consume(View), Transform(Merge), Transform (Tool Integration)

Additional Support

Enrich (Security Enrichment and Remediation), Share (Signing and Secure Sharing)

Functionality

Manifest is an enterprise solution built to solve the entire SBOM lifecycle. The platform offers SBOM generation, solicitation, management, and secure sharing of both first- and third-party SBOMs in SPDX and CycloneDX formats. Other SBOM workflows include component analysis, license investigation, vulnerability scanning, monitoring, alerting, risk reporting, fix recommendations, and remediation ticketing. Manifest also empowers users to manage VEX documents, and easily integrates with other tools via flexible APIs.

Location

Installation Instructions

Reach out to info@manifestcyber.com for a demo and to learn more.

How to Use

Manifest offers a web-based application, open APIs, a command line interface (CLI), and flexible CI/CD pipeline integration.

Versions Supported

SPDX 2.X

MedScan

Company Contact

Medsec

SPDX Support

Consume

Functionality

Consumes SBOMs to help hospitals manage medical device assets.

Installation Instructions

Virtualized appliance inside the hospital, with a web portal for users. Contact MedSec for a demo.

How to Use

To import: Locate the device profile relevant to the SBOM and select ‘Add SBOM’.

To export: Locate the desired device profile and select ‘Download SBOM’.

Versions Supported

RKVST SBOM Hub

Company Contact

Jitsuin Inc.

SPDX Support

Distribute

Functionality

RKVST SBOM HUB is the first place to find and fetch public or private SBOMs.

Installation Instructions

Free-to-access SaaS.

How to Use

https://support.rkvst.com/hc/en-gb/articles/4412493236241

Versions Supported

Software Assurance Guardian Point Man (SAG-PM)

Company Contact

Reliable Energy Analytics LLC

SPDX Support

Consume(Import)

Functionality

Processes SPDX SBOMs as part of a seven-step software supply chain risk assessment.

Installation Instructions

Contained in company-provided documentation.

How to Use

Sag comprehensive {software install pkg}  {Evidence output loc}

Versions Supported

SPDX 2.2

SourceAuditor

Company Contact

SourceAuditor

SPDX Support

Produce(Analyze), Consume(View), Consume(Diff), Consume(Import), Transform(Translate)

Functionality

Supports SPDX document exports for full audit analysis of source and binaries. Supports consuming SPDX documents for incremental code audits.

Installation Instructions

How to Use

Primarily used by consultants to generate SPDX documents for source code analysis and audits.

Versions Supported

SPDX 1.2, SPDX 2.0, SPDX 2.1, SPDX 2.2, SPDX 2.3

TrustSource

Company Contact

TrustSource

SPDX Support

Produce(Analyze)

Functionality

Installation Instructions

How to Use

Primarily used by consultants to generate SPDX documents for source code analysis and audits.

Versions Supported

SPDX 2.1 (WIP)

Vigilant Ops InSight

Company Contact

Vigilant Ops

SPDX Support

Produce(Analyze), Consume(View), Transform(Translate), Transform(Tool Support)

Functionality

Vigilant Ops InSight is a cloud-based platform utilized by both Medical Device Manufacturers (MDM) and Healthcare Delivery Organizations (HDO). MDMs use the platform for generating, maintaining, and securely sharing medical device Cybersecurity Bill of Materials (CBOM) with HDOs. The InSight platform leverages advanced technology, artificial intelligence, and machine learning algorithms to continuously monitor public data sources for component vulnerability updates.

Location

Installation Instructions

Web-based platform. Visit https://vigilant-ops.com/ to request a demo, or email info@vigilant-ops.com.

How to Use

To Import: Import of SPDX not currently supported.

To Export: Medical Device Manufacturers (MDM) can generate a CBOM in Vigilant Ops encrypted format using the CBOM Generator. This CBOM can then be uploaded to the web-based InSight MDM application using the “Upload CBOM” option, and exported in SPDX format using the “Export” menu option in the MDM application.

Versions Supported

SPDX 2.1