Skip to content
/ specification Public
forked from CycloneDX/specification

CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, ML-BOM, OBOM, MBOM, VDR, and VEX

cyclonedx.org/

License

Apache-2.0 license
0 stars 59 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

tsjensen/specification

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

933 Commits
.github
.github
 
 
docgen
docgen
 
 
schema
schema
 
 
tools
tools
 
 
.gitignore
.gitignore
 
 
CODEOWNERS
CODEOWNERS
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Build Status License Website Slack Invite Group Discussion Twitter

CycloneDX Specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. The specification supports:

  • Software Bill of Materials (SBOM)
  • Software-as-a-Service Bill of Materials (SaaSBOM)
  • Hardware Bill of Materials (HBOM)
  • Machine Learning Bill of Materials (ML-BOM)
  • Cryptography Bill of Materials (CBOM)
  • Manufacturing Bill of Materials (MBOM)
  • Operations Bill of Materials (OBOM)
  • Vulnerability Disclosure Reports (VDR)
  • Vulnerability Exploitability eXchange (VEX)
  • CycloneDX Attestations (CDXA)

Introduction

Modern software is assembled using third-party and open source components, glued together in complex and unique ways, and integrated with original code to achieve the desired functionality. An accurate inventory of all components enables organizations to identify risk, allows for greater transparency, and enables rapid impact analysis.

CycloneDX was created for this purpose.

Strategic direction and maintenance of the specification is managed by the CycloneDX Core Working Group, is backed by the OWASP Foundation, and is supported by the global information security community.

Use Cases

The CycloneDX project maintains a list of achievable use cases. Examples for each use case are provided in both XML and JSON.

Tool Center

The CycloneDX Tool Center is a community effort to establish a marketplace of free, open source, and proprietary tools and solutions that support the CycloneDX specification.

Media Types

The following media types are officially registered with IANA:

Media Type Format Assignment
application/vnd.cyclonedx+xml XML IANA
application/vnd.cyclonedx+json JSON IANA

Specific versions of CycloneDX can be specified by using the version parameter. For example: application/vnd.cyclonedx+xml; version=1.6.

The officially supported media type for Protocol Buffer format is application/x.vnd.cyclonedx+protobuf.

Release History

Version Release Date
CycloneDX 1.6 09 April 2024
CycloneDX 1.5 26 June 2023
CycloneDX 1.4 12 January 2022
CycloneDX 1.3 04 May 2021
CycloneDX 1.2 26 May 2020
CycloneDX 1.1 03 March 2019
CycloneDX 1.0 26 March 2018
Initial Prototype 01 May 2017

Copyright & License

CycloneDX Specification is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache License 2.0

About

CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, ML-BOM, OBOM, MBOM, VDR, and VEX

cyclonedx.org/

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

6 tags

Packages

No packages published

Languages

  • XSLT 83.6%
  • HTML 5.2%
  • Java 3.9%
  • JavaScript 2.2%
  • CSS 1.9%
  • PHP 1.7%
  • Shell 1.5%