Skip to content

CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, ML-BOM, OBOM, MBOM, VDR, and VEX

License

Notifications You must be signed in to change notification settings

mrutkows/specification

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Build Status License Website Slack Invite Group Discussion Twitter ECMA TC54

CycloneDX Bill of Materials Specification (ECMA-424)

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. CycloneDX is an Ecma International standard published as ECMA-424. The OWASP Foundation and Ecma International Technical Committee for Software & System Transparency (TC54) drive the continued advancement of the specification.

The specification supports:

  • Software Bill of Materials (SBOM)
  • Software-as-a-Service Bill of Materials (SaaSBOM)
  • Hardware Bill of Materials (HBOM)
  • Machine Learning Bill of Materials (ML-BOM)
  • Cryptography Bill of Materials (CBOM)
  • Manufacturing Bill of Materials (MBOM)
  • Operations Bill of Materials (OBOM)
  • Vulnerability Disclosure Reports (VDR)
  • Vulnerability Exploitability eXchange (VEX)
  • CycloneDX Attestations (CDXA)

A Note on the Standard and Schemas

CycloneDX is an Ecma International standard published as ECMA-424 under a royalty-free patent policy. The CycloneDX schemas in this repository are the official interpretations of the standard and are available under the Apache 2.0 license. The JSON Schema is the reference implementation for the standard.

Use Cases

The CycloneDX project maintains a list of achievable use cases. Examples for each use case are provided in both XML and JSON.

Tool Center

The CycloneDX Tool Center is a community effort to establish a marketplace of free, open source, and proprietary tools and solutions that support the CycloneDX specification.

Media Types

The following media types are officially registered with IANA:

Media Type Format Assignment
application/vnd.cyclonedx+xml XML IANA
application/vnd.cyclonedx+json JSON IANA

Specific versions of CycloneDX can be specified by using the version parameter. For example: application/vnd.cyclonedx+xml; version=1.6.

The officially supported media type for Protocol Buffer format is application/x.vnd.cyclonedx+protobuf.

Release History

Version Release Date
CycloneDX 1.6 09 April 2024
CycloneDX 1.5 26 June 2023
CycloneDX 1.4 12 January 2022
CycloneDX 1.3 04 May 2021
CycloneDX 1.2 26 May 2020
CycloneDX 1.1 03 March 2019
CycloneDX 1.0 26 March 2018
Initial Prototype 01 May 2017

Copyright & License

CycloneDX Specification is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache License 2.0

About

CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, ML-BOM, OBOM, MBOM, VDR, and VEX

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • XSLT 83.4%
  • HTML 5.2%
  • Java 4.0%
  • JavaScript 2.2%
  • CSS 1.9%
  • PHP 1.7%
  • Shell 1.6%