What Your SBOM Doesn't Say
On paper, SPDX and CycloneDX round-trip cleanly. In practice the same SBOM produces different vulnerability findings depending on which scanner reads it, because the two formats disagree about identity, scope, and license in ways that change what a vulnerability database can match against.
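To make the three gaps concrete, here is an added example (not code from the article) that writes the same two components as a minimal CycloneDX fragment and a minimal SPDX fragment, then reads both through a toy matcher keyed on purl. The SBOM fragments, the vulnerability records and their `VULN-PLACEHOLDER-*` IDs are all constructed for this example; the field names (`purl`, `scope`, `licenses`, `externalRefs`, `licenseConcluded`) are the real ones from the two specifications, but a scope-aware versus scope-blind scanner is a simplification of how actual tools behave.

```python
"""Added example, not code from the article: the same two components as a
CycloneDX fragment and an SPDX fragment, read by a toy purl-keyed matcher.
All SBOM content, vulnerability records and IDs below are constructed."""
import json

# Constructed CycloneDX-style document: identity is the purl field, scope is
# a per-component field, and license is a licenses[] list.
CYCLONEDX_DOC = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-lib", "version": "1.2.3",
     "purl": "pkg:pypi/example-lib@1.2.3", "scope": "required",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "test-helper", "version": "0.9.0",
     "purl": "pkg:pypi/test-helper@0.9.0", "scope": "excluded"}
  ]
}
""")

# Constructed SPDX-style document for the same components: a purl exists only
# if the producer emitted a purl externalRef, there is no per-package scope
# field, and license lives in licenseConcluded (NOASSERTION when unknown).
SPDX_DOC = json.loads("""
{
  "spdxVersion": "SPDX-2.3",
  "packages": [
    {"SPDXID": "SPDXRef-Package-example-lib", "name": "example-lib",
     "versionInfo": "1.2.3", "licenseConcluded": "MIT",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/example-lib@1.2.3"}]},
    {"SPDXID": "SPDXRef-Package-test-helper", "name": "test-helper",
     "versionInfo": "0.9.0", "licenseConcluded": "NOASSERTION"}
  ]
}
""")

# Constructed vulnerability records keyed by purl; the IDs are placeholders.
VULN_DB = {
    "pkg:pypi/example-lib@1.2.3": ["VULN-PLACEHOLDER-1"],
    "pkg:pypi/test-helper@0.9.0": ["VULN-PLACEHOLDER-2"],
}


def cyclonedx_purls(doc, honour_scope):
    """purls a scanner would match from a CycloneDX document. A scope-aware
    scanner drops components marked 'excluded'; a scope-blind one keeps them."""
    purls = []
    for comp in doc.get("components", []):
        if honour_scope and comp.get("scope") == "excluded":
            continue
        if comp.get("purl"):
            purls.append(comp["purl"])
    return purls


def spdx_purls(doc):
    """purls a scanner would match from an SPDX document: only packages that
    carry a purl externalRef have one. A package with just name/versionInfo
    gives a purl matcher nothing to key on, and there is no scope to honour."""
    purls = []
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purls.append(ref["referenceLocator"])
    return purls


def match(purls, db):
    """Toy matcher: exact purl lookup against the vulnerability records."""
    return {p: list(db[p]) for p in purls if p in db}


def cyclonedx_licenses(doc):
    """name -> first licenses[].license.id, or None when no license is given."""
    out = {}
    for comp in doc.get("components", []):
        ids = [entry["license"]["id"] for entry in comp.get("licenses", [])
               if "license" in entry and "id" in entry["license"]]
        out[comp["name"]] = ids[0] if ids else None
    return out


def spdx_licenses(doc):
    """name -> licenseConcluded exactly as written (NOASSERTION stays a string)."""
    return {pkg["name"]: pkg.get("licenseConcluded")
            for pkg in doc.get("packages", [])}


def findings_by_reader():
    """Same components, different readers: the findings depend on the reader."""
    return {
        "cyclonedx/scope-aware": match(cyclonedx_purls(CYCLONEDX_DOC, True), VULN_DB),
        "cyclonedx/scope-blind": match(cyclonedx_purls(CYCLONEDX_DOC, False), VULN_DB),
        "spdx/purl-only": match(spdx_purls(SPDX_DOC), VULN_DB),
    }


if __name__ == "__main__":
    print(json.dumps(findings_by_reader(), indent=2))
    print(cyclonedx_licenses(CYCLONEDX_DOC))
    print(spdx_licenses(SPDX_DOC))
```

Running it shows the three gaps side by side: the scope-blind reader of the CycloneDX file reports a finding for `test-helper` that the scope-aware reader suppresses, the SPDX file never exposes `test-helper` to a purl matcher at all because its producer emitted no `externalRefs` for it, and the license for that package comes back as an absent value from one format and as the literal string `NOASSERTION` from the other, which downstream policy code will treat differently unless it normalises both.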