Due Diligence & Software
CycloneDX
An OWASP-maintained bill-of-materials standard (also published as ECMA-424) that covers software BOMs (SBOM), hardware BOMs (HBOM), and VEX documents, which record whether the known vulnerabilities of a listed component actually affect the product. CycloneDX is serialized as JSON, XML, or Protocol Buffers and is deliberately lightweight so that build tooling and CI/CD pipelines can emit it. An SBOM is only as useful as its identifiers: components need package URLs (purl) so they can be matched against advisories, and hashes so the shipped artifact can be verified against the inventory. It overlaps with SPDX, the Linux Foundation's ISO-standardized format; converters exist but the mapping between the two is imperfect, so in practice most organizations pick one and stick with it.
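To make the structure concrete, the following is an added example (not code from the CycloneDX project) that builds a minimal CycloneDX 1.5 JSON document for a hypothetical application `acme-api` with one hypothetical dependency `example-http`, embeds a VEX record in the same document, and then lints it the way a consumer would before trusting it: every dependency and VEX entry must resolve to a known `bom-ref`, every component must carry a purl and a hash, and a `not_affected` claim must state its justification. Field names follow the CycloneDX 1.5 JSON schema as the editor understands it; the package names, versions, hash input, and the `EXAMPLE-0001` vulnerability id are constructed placeholders, not real releases or advisories.

```python
from __future__ import annotations

import hashlib
import json
from typing import Any

# Hypothetical package identifiers used throughout; they are not real releases.
APP_REF = "pkg:pypi/acme-api@2.1.0"
DEP_REF = "pkg:pypi/example-http@1.4.2"


def build_sbom() -> dict[str, Any]:
    """Return a minimal CycloneDX 1.5 JSON document with one dependency and one VEX record."""
    # The hash is computed over a constructed byte string standing in for the wheel.
    dep_digest = hashlib.sha256(b"example-http-1.4.2 placeholder artifact").hexdigest()
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": "acme-api",
                          "version": "2.1.0", "bom-ref": APP_REF}
        },
        "components": [
            {"type": "library", "name": "example-http", "version": "1.4.2",
             "purl": DEP_REF, "bom-ref": DEP_REF,
             "hashes": [{"alg": "SHA-256", "content": dep_digest}]}
        ],
        "dependencies": [
            {"ref": APP_REF, "dependsOn": [DEP_REF]},
            {"ref": DEP_REF, "dependsOn": []},
        ],
        # VEX data lives in the same document, so a consumer sees that the
        # application is not affected, and why, without a second file.
        "vulnerabilities": [
            {"id": "EXAMPLE-0001",  # constructed placeholder, not a real advisory
             "source": {"name": "constructed-example"},
             "analysis": {"state": "not_affected",
                          "justification": "code_not_reachable",
                          "detail": "The vulnerable code path is never called by acme-api."},
             "affects": [{"ref": DEP_REF}]}
        ],
    }


def lint_sbom(doc: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []
    for key in ("bomFormat", "specVersion", "version", "metadata", "components"):
        if key not in doc:
            findings.append(f"missing top-level field: {key}")
    if doc.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat must be 'CycloneDX'")

    # Collect every bom-ref the document defines, starting with the root component.
    meta_ref = doc.get("metadata", {}).get("component", {}).get("bom-ref")
    refs = {meta_ref} if meta_ref else set()
    for comp in doc.get("components", []):
        ref = comp.get("bom-ref")
        if not ref:
            findings.append(f"component {comp.get('name')} has no bom-ref")
            continue
        refs.add(ref)
        if not comp.get("purl"):
            findings.append(f"{ref}: no purl, cannot be matched against advisories")
        if not comp.get("hashes"):
            findings.append(f"{ref}: no hashes, artifact cannot be verified")

    # The dependency graph and VEX records may only point at refs defined above.
    for entry in doc.get("dependencies", []):
        for target in [entry.get("ref")] + entry.get("dependsOn", []):
            if target not in refs:
                findings.append(f"dependency graph references unknown bom-ref {target}")
    for vuln in doc.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            if affected.get("ref") not in refs:
                findings.append(f"{vuln.get('id')}: affects unknown bom-ref {affected.get('ref')}")
        analysis = vuln.get("analysis", {})
        if analysis.get("state") == "not_affected" and not analysis.get("justification"):
            findings.append(f"{vuln.get('id')}: not_affected without a justification")
    return findings


def to_json(doc: dict[str, Any]) -> str:
    """Serialize with stable key order so the document diffs cleanly in review."""
    return json.dumps(doc, indent=2, sort_keys=True)


if __name__ == "__main__":
    sbom = build_sbom()
    print(to_json(sbom))
    print("findings:", lint_sbom(sbom))
```

Run as a script it prints the document and an empty findings list; feeding it an SBOM whose VEX entry points at a component the inventory does not list, or whose components lack hashes, produces the corresponding findings, which is the kind of gap that turns an SBOM from evidence into paperwork.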