Right now this difference is confusing, and we hope to address it in the coming months (
issue #276,
+Brandon Lum). I'll give it a shot, though I expect further revision to make the answer more clear. Also, I'm not an expert on SBOM or SPDX so I may be partially incorrect.
First, SLSA is a larger framework for ensuring supply chain integrity, meaning protection against tampering. Among other things, it requires "provenance" metadata.
SBOM and Provenance are both standards for software metadata that overlap heavily:
- Both SBOM and Provenance describe what sources and dependencies went into a piece of software.
- Provenance is primarily intended as evidence of integrity. Unlike SBOM, provenance describes how the software was built and who/what system built it, as well as requiring authenticity (signing) of the provenance itself.
- SBOM is primarily intended to enable licensing and vulnerability management. Unlike provenance, SBOM requires identification of the software (name and version ID) and the author/supplier (not necessarily what system built it).
In terms of concrete formats to express provenance and SBOM:
- SPDX, CycloneDX, and SWID are the recommended formats for satisfying SBOM.