Here’s a quick, concrete proposal to **lock in a stable SBOM model for Stella Ops**: use **SPDX 3.0.1** as your canonical persistence schema and **CycloneDX 1.6** as the interchange “view,” bridged by a deterministic transform.

**Why this pairing**

* **SPDX 3.0.1** gives you a rigorous, profile‑based data model (Core/Security/AI/Build, etc.) with explicit **Relationship** semantics—ideal for long‑lived storage and graph queries. ([SPDX][1])
* **CycloneDX 1.6** excels at exchange: widely adopted, supports **services/SaaSBOM**, **attestations (CDXA)**, **CBOM (crypto inventory)**, MLBOM, and more—perfect for producing portable BOMs for customers and regulators. ([CycloneDX][2])

**Target architecture (minimal)**

* **Persistence:** Store SBOMs as SPDX 3.0.1 (JSON‑LD/RDF), normalized into your Mongo event‑sourced graph; keep Relationship edges first‑class. ([SPDX][1])
* **Interchange:** On export, render CycloneDX 1.6 (JSON/XML) including `components`, `services`, `dependencies`, `vulnerabilities`, and optional CBOM/CDXA blocks. ([SBOM Observer][3])
* **Deterministic transform:** Define a static mapping table (SPDX→CycloneDX) with sorted collections, stable UUID seeds, and normalized strings to guarantee byte‑for‑byte reproducibility across offline sites.

**Quick win mapping examples**

* SPDX `Element` + `RelationshipType` → CycloneDX `dependencies` graph. ([SPDX][4])
* SPDX Security profile findings → CycloneDX `vulnerabilities` entries. ([SPDX][1])
* SPDX AI/Build profiles → CycloneDX MLBOM + CDXA attestations (build/provenance). ([SPDX][5])
* Crypto materials (keys/algos/policies) held in SPDX extensions or attributes → CycloneDX **CBOM** on export for policy checks (CNSA/NIST). ([CycloneDX][2])

**Governance & standards signal**

* SPDX 3.0.x is actively aligned with **OMG/ISO** submissions (good long‑term bet for storage). ([SPDX Lists][6])
* CycloneDX 1.6 is the current, actively enhanced interchange standard used across vendors and tooling. ([GitHub][7])

If you want, I’ll draft the exact field‑by‑field mapping table (SPDX profile → CycloneDX section), plus a small .NET 10 library skeleton for the deterministic exporter.

[1]: https://spdx.github.io/spdx-spec/v3.0.1/?utm_source=chatgpt.com "SPDX Specification 3.0.1"
[2]: https://cyclonedx.org/news/cyclonedx-v1.6-released/?utm_source=chatgpt.com "CycloneDX v1.6 Released, Advances Software Supply ..."
[3]: https://sbom.observer/academy/learn/topics/cyclonedx?utm_source=chatgpt.com "What is CycloneDX?"
[4]: https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Vocabularies/RelationshipType/?utm_source=chatgpt.com "RelationshipType - SPDX Specification 3.0.1"
[5]: https://spdx.dev/wp-content/uploads/sites/31/2024/12/SPDX-3.0.1-1.pdf?utm_source=chatgpt.com "SPDX© Specification v3.0.1"
[6]: https://lists.spdx.org/g/Spdx-tech/topic/release_3_0_1_of_the_spdx/110308825?utm_source=chatgpt.com "Release 3.0.1 of the SPDX Specification"
[7]: https://github.com/CycloneDX/specification?utm_source=chatgpt.com "CycloneDX/specification"