CycloneDX Specification
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. The specification supports:
- Software Bill of Materials (SBOM)
- Software-as-a-Service Bill of Materials (SaaSBOM)
- Hardware Bill of Materials (HBOM)
- Machine Learning Bill of Materials (ML-BOM)
- Manufacturing Bill of Materials (MBOM)
- Operations Bill of Materials (OBOM)
- Vulnerability Disclosure Reports (VDR)
- Vulnerability Exploitability eXchange (VEX).
Introduction
Modern software is assembled using third-party and open source components, glued together in complex and unique ways, and integrated with original code to achieve the desired functionality. An accurate inventory of all components enables organizations to identify risk, allows for greater transparency, and enables rapid impact analysis.
CycloneDX was created for this purpose.
Strategic direction and maintenance of the specification is managed by the CycloneDX Core Working Group, is backed by the OWASP Foundation, and is supported by the global information security community.
Use Cases
The CycloneDX project maintains a list of achievable use cases. Examples for each use case are provided in both XML and JSON.
Tool Center
The CycloneDX Tool Center is a community effort to establish a marketplace of free, open source, and proprietary tools and solutions that support the CycloneDX specification.
Media Types
The following media types are officially registered with IANA:
Media Type | Format | Assignment |
---|---|---|
application/vnd.cyclonedx+xml | XML | IANA |
application/vnd.cyclonedx+json | JSON | IANA |
Specific versions of CycloneDX can be specified by using the version parameter. For example: application/vnd.cyclonedx+xml; version=1.3
.
The officially supported media type for Protocol Buffer format is application/x.vnd.cyclonedx+protobuf
.
Release History
Version | Release Date |
---|---|
CycloneDX 1.5 | 26 June 2023 |
CycloneDX 1.4 | 12 January 2022 |
CycloneDX 1.3 | 04 May 2021 |
CycloneDX 1.2 | 26 May 2020 |
CycloneDX 1.1 | 03 March 2019 |
CycloneDX 1.0 | 26 March 2018 |
Initial Prototype | 01 May 2017 |
Related Work
SPDX (Software Package Data Exchange) is a specification that provides low-level details of components, including all files, hashes, authors, and copyrights. SPDX also defines over 300 open source license IDs. CycloneDX builds on top of the work SPDX has accomplished with license IDs, but varies greatly in its approach towards building a software bill of material specification.
SWID (ISO/IEC 19770-2:2015) is used primarily to identify installed software and is the preferred format of the NVD. SWID tags are used in the National Vulnerability Database to describe vulnerable components. The CycloneDX specification compliments this work as CycloneDX documents can incorporate SWID tags and other high-level SWID metadata and optionally include entire SWID documents. Use of SWID tag ID's are useful in determining if a specific component has known vulnerabilities.
CPE (Common Platform Enumeration) is a specification that describes the vendor, name, and version for an application, operating system, or hardware device. CPE identifiers are used in the National Vulnerability Database to describe vulnerable components. The CycloneDX specification compliments this work as CycloneDX documents can easily be used to construct exact CPE identifiers that are useful in determining if a specific component has known vulnerabilities.
Copyright & License
CycloneDX Specification is Copyright (c) OWASP Foundation. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache License 2.0