site-library/bom.md
2025-03-28 06:01:51 +01:00


Here's a comparative overview of open-source SBOM tools, presented as a Markdown table:

## Open Source SBOM Tools Comparison
| Tool Name | Supported Formats | Key Features | Source Link |
|----------------------------|-------------------------|-----------------------------------------------------------------------------|-----------------------------------------------------------------------------|
| **Syft** | SPDX, CycloneDX, Syft | CLI tool for container/image analysis, supports multiple Linux distros | [GitHub](https://github.com/anchore/syft) [6][14] |
| **Microsoft SBOM Tool** | SPDX 2.2 | Enterprise-ready, Docker image support, component detection library | [GitHub](https://github.com/microsoft/sbom-tool) [2][3][6] |
| **Dependency-Track** | CycloneDX | Vulnerability visualization, component analysis platform | [GitHub](https://github.com/DependencyTrack/dependency-track) [2] |
| **CycloneDX Generator** | CycloneDX | Multi-language support, API server integration, dependency tree analysis | [GitHub](https://github.com/CycloneDX/cdxgen) [6][12] |
| **SPDX SBOM Generator** | SPDX | Supports 15+ package managers, CLI interface | [GitHub](https://github.com/spdx/spdx-sbom-generator) [6] |
| **DISTRO2SBOM** | SPDX, CycloneDX | Linux package detection, OS-agnostic analysis | [GitHub](https://github.com/ossie-git/DISTRO2SBOM) [6] |
| **Tern** | SPDX, CycloneDX, YAML | Container layer analysis, license compliance focus | [GitHub](https://github.com/tern-tools/tern) [6] |
| **IBM SBOM Utility** | CycloneDX, SPDX | Validation against JSON schemas, license policy management | [GitHub](https://github.com/IBM/sbom-utility) [9][11] |

Key technical differentiators:

- **Format specialization**: Syft and CycloneDX Generator (cdxgen) offer multi-format support [6][14][12], while Microsoft's tool focuses exclusively on SPDX [3][6]
- **Containerization**: Syft and Tern specialize in container/image analysis [6][14]
- **Language support**: CycloneDX Generator supports 30+ programming languages [6][12]
- **Enterprise features**: IBM's utility offers schema validation and policy management [9][11]; Microsoft's tool integrates with build pipelines [6]

For developers working in TypeScript ecosystems, Syft and SPDX SBOM Generator offer native npm/yarn support [6][14], while the IBM utility provides API integration capabilities [11] that could complement CI/CD pipelines.
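Because the tools above emit different formats (Microsoft's tool only SPDX, Dependency-Track only CycloneDX), a pipeline that mixes their output needs a common component view before it can compare or audit SBOMs. The following script is an added example, not code from the page or from any of the listed projects; it normalises SPDX 2.2 JSON and CycloneDX 1.4 JSON into one set of components and diffs two SBOMs, using two constructed minimal documents as input.

```python
"""Normalise SPDX 2.2 JSON and CycloneDX JSON SBOMs into one component view.
Added example, not from the page; the two SBOM documents below are constructed."""
import json

# Constructed SPDX 2.2 JSON sample (field names follow the SPDX 2.2 JSON schema).
SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "packages": [
        {"name": "lodash", "versionInfo": "4.17.21",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
        {"name": "openssl", "versionInfo": "3.0.2"},  # no purl recorded
    ],
})

# Constructed CycloneDX 1.4 JSON sample.
CDX_DOC = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "minimist", "version": "1.2.8",
         "purl": "pkg:npm/minimist@1.2.8"},
    ],
})

def components(sbom_text):
    """Return a set of (name, version, purl) from an SPDX 2.x or CycloneDX JSON SBOM."""
    doc = json.loads(sbom_text)
    out = set()
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            out.add((c["name"], c.get("version", ""), c.get("purl", "")))
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        for p in doc.get("packages", []):
            # SPDX keeps the purl in externalRefs rather than as a top-level field
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), "")
            out.add((p["name"], p.get("versionInfo", ""), purl))
    else:
        raise ValueError("unrecognised SBOM format")
    return out

def diff(a_text, b_text):
    """(name, version) pairs present in only one of two SBOMs, whatever their formats."""
    a = {(n, v) for n, v, _ in components(a_text)}
    b = {(n, v) for n, v, _ in components(b_text)}
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a)}
```

Matching on (name, version) rather than purl keeps components comparable even when one tool omits purls, as the SPDX sample does for openssl.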