CycloneDX SBOM Standard

CycloneDX SBOM Standard

cyclonedx.org

1

About this website

CycloneDX is an open-source, lightweight Software Bill of Materials (SBOM) standard designed for application security and supply chain component analysis. Created by Steve Springett and maintained by the OWASP Foundation since 2017, it is recognized by NTIA and NIST as a key SBOM format alongside SPDX, with support from over 200 tooling providers including Sonatype, Snyk, Anchore, and Dependency-Track. Key features include: JSON and XML formats (two serialization formats for representing SBOM data, with JSON optimized for APIs and XML for enterprise workflows), component types (application, framework, library, container, platform, operating system, device, firmware, file, machine-learning-model, and data), dependency graph (representing the full dependency tree including transitive dependencies, with bom-ref cross-references), vulnerability mapping (embedded VEX data for documenting whether vulnerabilities are exploitable in specific environments), external references (website, issue tracker, vcs, advisory, bom, mailing list, documentation, and distribution URLs), license declaration (SPDX license expressions, named licenses, and custom license text for precise compliance reporting), cryptographic hashes (SHA-256, SHA-512, BLAKE2b-256, and BLAKE3 for component integrity), pedigree (documenting component lineage including ancestors, descendants, variants, commits, and patches for supply chain transparency), services (describing web services, APIs, and microservices alongside software components in unified BOMs), assembly and composition (multi-BOM composition for combining component BOMs into aggregate product BOMs), specification versioning (1.2 through 1.6 with backward compatibility), and tooling (over 200 generators including syft, cdxgen, trivy, and Maven, Gradle, npm, pip, go, cargo plugins).

Tags & Categories

Categories

Tags

Statistics

1
Views
0
Clicks
0
Like
0
Dislike

Comments

Log In to post a comment

No comments yet. Be the first!