Integration
Quaze + SPDX
Quaze accepts SPDX SBOMs natively. Use the format your existing tooling already produces; monitor every release continuously against fresh vulnerability data.
The workflow
1. Generate an SPDX SBOM with your existing tool of choice.
2. Upload the file to Quaze, tagged with product, release, and environment.
3. Quaze normalizes internally and keeps full package and version detail.
4. Continuous monitoring evaluates the SBOM against fresh vulnerability data.
SPDX is the SBOM format most often used where the workflow originated in license compliance, procurement, or established enterprise tooling. It is a Linux Foundation project, published as ISO/IEC 5962:2021, and the format many large organizations already have flowing through their supply chain.
Quaze accepts SPDX SBOMs directly. There is no need to convert or re-emit; if your tooling already produces SPDX, that is what Quaze will ingest.
What Quaze does with the SBOM
- Stores the SBOM tagged with product, release, and environment.
- Normalizes internally so SPDX and CycloneDX inputs surface findings the same way.
- Watches the SBOM continuously against fresh vulnerability data.
- Respects fix-version metadata in upstream advisories, so a transitive dependency that is already at the fixed version does not generate noise.
If your team uses CycloneDX in the build pipeline and SPDX from procurement-driven tooling, both can land in Quaze side by side. Pick one as the authoritative source for vulnerability monitoring to avoid duplicate findings, but both formats are supported.
A worked example
A team produces an SPDX SBOM as part of an existing release process driven by a procurement-aligned tool. The CI release job sends the SBOM to Quaze, tagged with product=quaze-platform, release=2.4.1, environment=production-eu.
Two weeks later, a new CVE is published against library-x. Quaze evaluates the SPDX SBOM the same way it would a CycloneDX one, identifies the affected version, and routes the finding to the owning team. The format choice did not change the monitoring workflow.
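The normalization step in "What Quaze does with the SBOM" and the library-x scenario above can be illustrated end to end with a small script. The following is an added example written for this page, not Quaze's own code and not its ingestion API (which the page does not describe): it reads a constructed SPDX 2.3 JSON document, reduces each package to ecosystem, name and version (using the purl external reference where one exists), and evaluates the result against a constructed advisory list whose CVE identifiers are placeholders. A transitive dependency already at the fixed version is reported as patched rather than as a finding, which is the fix-version behaviour the page describes. The version comparison is a deliberate simplification for plain X.Y.Z strings; real ecosystems need their own rules (PEP 440, semver, RPM).

```python
"""Normalize an SPDX 2.3 JSON SBOM and evaluate it against advisory data.

Illustrative example only: the SBOM, the advisories and the CVE ids below
are constructed. No Quaze API is shown because the page does not describe one.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed minimal SPDX 2.3 JSON document for the release in the worked example.
SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "quaze-platform-2.4.1",
    "packages": [
        {"SPDXID": "SPDXRef-Package-library-x", "name": "library-x", "versionInfo": "1.8.2",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/library-x@1.8.2"}]},
        # Scoped npm package: the purl carries the real name, SPDX "name" does not.
        {"SPDXID": "SPDXRef-Package-library-y", "name": "library-y", "versionInfo": "3.1.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/@acme/library-y@3.1.0"}]},
        # Transitive dependency already at the fixed version.
        {"SPDXID": "SPDXRef-Package-library-z", "name": "library-z", "versionInfo": "2.0.5",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/library-z@2.0.5"}]},
    ],
})

# Constructed advisories; the CVE ids are placeholders, not real identifiers.
ADVISORIES = [
    {"id": "CVE-0000-0001 (placeholder)", "ecosystem": "pypi", "package": "library-x",
     "introduced": "1.0.0", "fixed": "1.9.0"},
    {"id": "CVE-0000-0002 (placeholder)", "ecosystem": "pypi", "package": "library-z",
     "introduced": "2.0.0", "fixed": "2.0.5"},
    {"id": "CVE-0000-0003 (placeholder)", "ecosystem": "npm", "package": "@acme/library-y",
     "introduced": "3.0.0", "fixed": None},  # no fix published yet
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted numeric version into a comparable tuple (plain X.Y.Z only)."""
    return tuple(int(part) for part in version.split("."))


def parse_purl(locator: str) -> Tuple[str, str, str]:
    """Return (ecosystem, name, version) from a 'pkg:type/name@version' purl."""
    body = locator[len("pkg:"):]
    name_part, _, version = body.rpartition("@")  # rpartition keeps '@scope/' prefixes intact
    ecosystem, _, name = name_part.partition("/")
    return ecosystem, name, version


def normalize_spdx(doc_text: str) -> List[Dict[str, Optional[str]]]:
    """Reduce SPDX packages to the fields vulnerability matching needs."""
    doc = json.loads(doc_text)
    components = []
    for pkg in doc.get("packages", []):
        ecosystem, name, version = None, pkg["name"], pkg.get("versionInfo")
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":  # prefer the purl when present
                ecosystem, name, version = parse_purl(ref["referenceLocator"])
                break
        components.append({"spdx_id": pkg["SPDXID"], "ecosystem": ecosystem,
                           "name": name, "version": version})
    return components


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed, or when no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def evaluate(components: List[Dict], advisories: List[Dict]) -> Dict[str, List[Dict]]:
    """Match components against advisories; versions at or past the fix are reported as patched."""
    report: Dict[str, List[Dict]] = {"findings": [], "suppressed_by_fix": []}
    for comp in components:
        for adv in advisories:
            if adv["ecosystem"] != comp["ecosystem"] or adv["package"].lower() != comp["name"].lower():
                continue
            record = {"advisory": adv["id"], "package": comp["name"],
                      "version": comp["version"], "spdx_id": comp["spdx_id"]}
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                report["findings"].append(record)
            elif adv["fixed"] and parse_version(comp["version"]) >= parse_version(adv["fixed"]):
                report["suppressed_by_fix"].append(record)  # patched: no noise generated
    return report


if __name__ == "__main__":
    result = evaluate(normalize_spdx(SPDX_SBOM), ADVISORIES)
    for f in result["findings"]:
        print(f"FINDING  {f['advisory']}: {f['package']} {f['version']} ({f['spdx_id']})")
    for s in result["suppressed_by_fix"]:
        print(f"PATCHED  {s['advisory']}: {s['package']} {s['version']} is at or past the fixed version")
```

Run as-is, the script reports library-x 1.8.2 and @acme/library-y 3.1.0 as findings and lists library-z 2.0.5 as patched. Matching on the purl rather than the SPDX `name` field is what makes the scoped npm package resolve correctly; an SPDX document with no purl external references falls back to `name` and `versionInfo`, with no ecosystem, and will match nothing here, which is a useful signal that the upstream tool should be configured to emit purls.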