Download the cyclonedx-cli binary for the target platform from the project's GitHub Releases page, or install it through one of the package managers the project supports; the release binaries are named per platform (for example cyclonedx-linux-x64), so rename or symlink the file to the command name used below. Verify the download (checksum or signature, whichever the release provides) before placing it in a pipeline: an SBOM tool is itself part of the software supply chain it describes
Convert the SPDX JSON file to CycloneDX JSON using: cyclonedx-cli convert --input-file sbom.spdx.json --input-format spdxjson --output-file sbom-cdx.json --output-format json. The json output format emits the CLI's current default CycloneDX spec version; if a downstream consumer pins an older version, use a versioned output format such as json_v1_4 instead
Validate the resulting CycloneDX document using: cyclonedx-cli validate --input-file sbom-cdx.json --input-format json --fail-on-errors to confirm the output conforms to the CycloneDX schema; --fail-on-errors makes schema violations a non-zero exit code, so the pipeline step actually stops rather than only logging the problem
Inspect any conversion warnings printed to stderr; the CycloneDX CLI may report fields it could not map from SPDX, such as SPDX-specific relationship types or snippet information
Use cyclonedx-cli diff --from-file sbom-cdx.json --to-file sbom-cdx-v2.json --component-versions to compare two SBOM versions as part of a release pipeline; --component-versions lists the components that were added, removed, or changed version between the two documents, which is the dependency drift a release gate cares about
Known gotchas
Converting from SPDX to CycloneDX is lossy in some cases; SPDX-specific constructs such as snippets, annotations, and certain relationship types have no direct CycloneDX equivalent and will be dropped or approximated
Package URLs (purls) may not be preserved during SPDX-to-CycloneDX conversion in all versions of cyclonedx-cli. SPDX carries a purl as an externalRefs entry (referenceCategory PACKAGE-MANAGER, referenceType purl) on the package, while CycloneDX expects it in the component's top-level purl field; verify that the purl field is present on the output components, because vulnerability matching tools key on it and a component without one is silently skipped
The --input-format flag must exactly match the file's format; spdxjson accepts only SPDX JSON, so a tag-value SPDX document (one whose first non-comment line begins with SPDXVersion:) passed as spdxjson fails to parse. Check the file header rather than trusting the extension, and check cyclonedx-cli convert --help for whether your installed version accepts a tag-value input format at all; if it does not, convert the tag-value document to SPDX JSON with an SPDX tool first
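The steps and gotchas above combined into one pipeline gate, as an added example that is not part of the original page or of the CycloneDX project. It assumes cyclonedx-cli is on PATH for the convert and validate calls (the flags used are the ones shown above); the format detection and purl checks use only the standard library and run offline on a constructed SPDX and CycloneDX pair embedded in the script, in which the conversion has dropped a purl:

```python
"""Pipeline gate around the cyclonedx-cli SPDX -> CycloneDX conversion.

Added example, not code from the original page or the CycloneDX project.
Assumes `cyclonedx-cli` is on PATH for convert_and_validate(); every other
function needs only the standard library and runs offline.
"""
import json
import subprocess
import sys

SPDX_PURL_REF_TYPE = "purl"  # SPDX externalRefs[].referenceType used for purls


def detect_spdx_format(text: str) -> str:
    """Return the cyclonedx-cli --input-format to use for an SPDX document.

    'spdxjson' for SPDX JSON, 'tagvalue' for a tag-value document (which the
    spdxjson format will not parse), 'unknown' for anything else.
    """
    stripped = text.lstrip()
    if stripped.startswith("{"):
        try:
            doc = json.loads(stripped)
        except json.JSONDecodeError:
            return "unknown"
        return "spdxjson" if "spdxVersion" in doc else "unknown"
    for line in stripped.splitlines():
        if line.strip() and not line.startswith("#"):
            return "tagvalue" if line.startswith("SPDXVersion:") else "unknown"
    return "unknown"


def spdx_purls(spdx_doc: dict) -> set:
    """Collect the purls that the SPDX document carries as package externalRefs."""
    found = set()
    for pkg in spdx_doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == SPDX_PURL_REF_TYPE:
                found.add(ref["referenceLocator"])
    return found


def components_missing_purl(cdx_doc: dict) -> list:
    """name@version of every CycloneDX component with no purl field."""
    return [f"{c.get('name')}@{c.get('version', '')}"
            for c in cdx_doc.get("components", []) if not c.get("purl")]


def lost_purls(spdx_doc: dict, cdx_doc: dict) -> set:
    """purls present in the SPDX input but absent from the CycloneDX output."""
    kept = {c.get("purl") for c in cdx_doc.get("components", [])}
    return spdx_purls(spdx_doc) - kept


def convert_and_validate(spdx_path: str, cdx_path: str) -> None:
    """Run the convert and validate steps from the page; raise on any failure."""
    with open(spdx_path, encoding="utf-8") as fh:
        fmt = detect_spdx_format(fh.read())
    if fmt != "spdxjson":
        raise SystemExit(f"{spdx_path}: expected SPDX JSON, detected {fmt}")
    subprocess.run(["cyclonedx-cli", "convert", "--input-file", spdx_path,
                    "--input-format", "spdxjson", "--output-file", cdx_path,
                    "--output-format", "json"], check=True)
    # --fail-on-errors turns schema violations into a non-zero exit code
    subprocess.run(["cyclonedx-cli", "validate", "--input-file", cdx_path,
                    "--input-format", "json", "--fail-on-errors"], check=True)


# Constructed sample data (not real SBOMs): an SPDX JSON document with one
# package carrying a purl and one without, and a CycloneDX output in which
# the converter dropped that purl, plus the head of a tag-value document.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "requests", "versionInfo": "2.31.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
        {"name": "vendored-lib", "versionInfo": "1.0"},
    ],
}
SAMPLE_CDX = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0"},
        {"type": "library", "name": "vendored-lib", "version": "1.0"},
    ],
}
SAMPLE_TAGVALUE = "SPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\n"

if __name__ == "__main__":
    if len(sys.argv) == 3:  # real run: python gate.py sbom.spdx.json sbom-cdx.json
        convert_and_validate(sys.argv[1], sys.argv[2])
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            spdx, cdx = json.load(a), json.load(b)
    else:  # offline demonstration on the constructed samples
        spdx, cdx = SAMPLE_SPDX, SAMPLE_CDX
    print("tag-value sample detected as:", detect_spdx_format(SAMPLE_TAGVALUE))
    print("components without purl:", components_missing_purl(cdx))
    print("purls lost in conversion:", sorted(lost_purls(spdx, cdx)))
    sys.exit(1 if lost_purls(spdx, cdx) else 0)
```

Run with no arguments to see the checks against the constructed samples (the gate exits non-zero because a purl was lost), or with the SPDX input path and desired CycloneDX output path to run the real conversion. The lost-purl check is the one that matters for downstream scanning: a component that merely lacks a purl may never have had one, but a purl that existed in the SPDX input and is gone from the output is conversion loss and should fail the build.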