Draft:CycloneDX

CycloneDX
Filename extension: .json, .xml
Internet media type: application/vnd.cyclonedx+json, application/vnd.cyclonedx+xml
Developed by: OWASP Foundation, Ecma International
Initial release: March 2018
Latest release: 1.7 (October 2025)
Type of format: Bill of materials
Extended from: JSON, XML, Protocol Buffers
Standard: ECMA-424 (2nd Edition)
Open format?: Yes
Free format?: Yes
Website: cyclonedx.org

CycloneDX is an open standard for software and system transparency that provides a machine-readable format for exchanging information about software components, services, vulnerabilities, cryptographic assets, and other supply chain data.[1] It is a flagship project of the OWASP Foundation and has been ratified as an Ecma International standard (ECMA-424).[2]

CycloneDX is a bill of materials standard capable of representing software, hardware, services, cryptography, and other types of inventory.[3][4] Among its capabilities, it supports software bill of materials (SBOM), cryptographic bill of materials (CBOM), vulnerability disclosure, and security attestations. CycloneDX is one of the SBOM formats recognised by the National Telecommunications and Information Administration (NTIA) as an acceptable standard for federal software procurement under Executive Order 14028.[5] The National Institute of Standards and Technology (NIST) has recommended CycloneDX as the basis for cryptographic bill of materials (CBOM) in its post-quantum cryptography migration guidance.[6] Several national cybersecurity agencies have recommended CycloneDX for vulnerability management, including the Netherlands National Cyber Security Centre (NCSC-NL),[7] the Cyber Security Agency of Singapore,[8] and the Indian Computer Emergency Response Team (CERT-In).[9]

History

CycloneDX was designed in 2017 for use with OWASP Dependency-Track, an open-source component analysis platform that identifies risk in the software supply chain.[10] The initial prototype emerged from the Dependency-Track project, and the primary use cases CycloneDX was designed to solve were vulnerability identification, licence compliance, and outdated component analysis.[10] Unlike earlier standards that evolved from licensing and intellectual property compliance use cases, CycloneDX was designed for application security contexts and supply chain component analysis.[11]

CycloneDX specification versions

Version | Release | Key features
1.0 | March 2018 | Initial release supporting software and hardware components; introduced Package URL (PURL) identifier[12]
1.1 | March 2019 | Component pedigree for describing lineage including commits, patches, and modifications[12]
1.2 | May 2020 | SWID (ISO/IEC 19770-2:2015) support, services inventory, data classifications[12]
1.3 | May 2021 | Composition completeness declarations addressing NTIA's "known unknowns" concept[12]
1.4 | January 2022 | Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosure Reports (VDR)[13]
1.5 | June 2023 | Machine Learning Bill of Materials (ML-BOM), Manufacturing Bill of Materials (MBOM), formulation[11][14]
1.6 | April 2024 | Cryptographic bill of materials (CBOM) for post-quantum cryptography readiness; attestation capabilities; ratified as ECMA-424 (1st Edition)[15][16]
1.7 | October 2025 | Citations and patents support; expanded cryptographic assurance; ratified as ECMA-424 (2nd Edition)[12][17]

In December 2023, Ecma International established Technical Committee 54 (TC54) for Software and System Transparency, chartered to standardise the CycloneDX specification and related standards.[18][4]

Adoption

The CycloneDX Tool Center lists 266 tools and solutions that support the CycloneDX standard as of December 2025, including open-source utilities, commercial platforms, and integrations across multiple programming languages and package managers.[19] Industry analysts have noted that CycloneDX was designed from the outset to be a BOM format capable of meeting a variety of use cases, and that it supports use cases beyond software, including hardware, services, and SaaS.[20] TechTarget has described CycloneDX as ideal for organisations focused on identifying and tracking vulnerabilities, noting its support for multiple data formats including XML, JSON, and protocol buffers.[21]

In October 2023, IBM contributed two open-source supply chain tools, SBOM Utility and License Scanner, to the CycloneDX project, enhancing its capabilities for bill of materials validation and software licence analysis.[22] Dark Reading reported that CycloneDX is one of two primary SBOM standards and described it as a more lightweight standard suited to those seeking a machine-readable way to exchange information.[22]

As of December 2025, Maven Central hosts over 122,000 CycloneDX BOMs, reflecting widespread adoption within the Java ecosystem.[23]

A 2024 landscape study of SBOM tools conducted by researchers at Rochester Institute of Technology analysed 84 open-source and proprietary tools, identifying emerging use cases for SBOM technology including software supply chain security, vulnerability management, and compliance verification.[24]

Interoperability research

In 2024, the Software Engineering Institute at Carnegie Mellon University conducted the SBOM Harmonization Plugfest, sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), to investigate variations in SBOM outputs across different generation tools.[25] The study collected 243 SBOMs from 21 participants and found significant variance in both the number of components and the content of minimum required elements across submissions.[26] The researchers noted that CycloneDX v1.6 has been ratified as an Ecma International standard and may be used as a global xBOM standard across multiple domains including software, services, hardware, firmware, artificial intelligence, machine learning, and cryptography.[25]

Capabilities

CycloneDX supports the following use cases:[27]

Bill of materials

CycloneDX supports multiple bill of materials types:

  • Software Bill of Materials (SBOM): Inventory of software components and services with dependency relationships
  • Software-as-a-Service Bill of Materials (SaaSBOM): Inventory of services, endpoints, data flows, and classifications for cloud-native applications
  • Hardware Bill of Materials (HBOM): Components for consumer electronics, IoT, ICS, and embedded devices
  • Machine Learning Bill of Materials (ML-BOM): Inventory of machine learning models and datasets
  • Cryptography Bill of Materials (CBOM): Cryptographic assets and dependencies for quantum-safe migration planning
  • Operations Bill of Materials (OBOM): Runtime environments, configurations, and operational dependencies
  • Manufacturing Bill of Materials (MBOM): Formulation describing how products are made, tested, and deployed

CycloneDX supports provenance, pedigree, and digital signatures, which represent robust supply chain capabilities recommended by guidance such as NIST's Cybersecurity Supply Chain Risk Management (C-SCRM).[20]

Academic researchers have noted that CycloneDX's design makes it well-suited for automation. A taxonomy study observed that while SPDX may be considered a good choice as a human-readable format, CycloneDX's format specification makes it an excellent automation target, since code that processes it by machine is straightforward to write.[28]

Cryptographic bill of materials

The Cryptographic Bill of Materials (CBOM) capability was developed by researchers and software engineers at IBM Research and contributed to the CycloneDX specification in version 1.6.[29] CBOM provides a structured framework for inventorying cryptographic assets, facilitating the identification of weak cryptographic algorithms and compliance with policies such as CNSA 2.0.[29]

IBM Research presented the CBOM standardisation effort at the ETSI/IQC Quantum Safe Cryptography Conference in 2024, describing CBOM as the first open standard for describing an organisation's cryptographic assets inventory and their dependencies.[30] In June 2025, IBM donated its CBOM toolset, including CBOMkit, to the Linux Foundation to support broader adoption of the standard.[31]

Vulnerability disclosure

CycloneDX supports two approaches to vulnerability information sharing:[32]

  • Vulnerability Disclosure Report (VDR): A complete inventory of known and previously unknown vulnerabilities affecting both first-party and third-party components in a product, typically generated through security testing and automated analysis
  • Vulnerability Exploitability eXchange (VEX): A companion document for known vulnerabilities in third-party components that allows suppliers to communicate whether a vulnerability actually affects their product in its specific usage context
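As an added example (not code from the article or from the CycloneDX project), the following Python embeds a constructed CycloneDX 1.6 JSON document that carries both an SBOM dependency graph and VEX analysis, then checks that every ref resolves to a declared component and lists the vulnerabilities whose VEX state still requires action. The component names and the vulnerability ids are constructed placeholders.

```python
import json

# Constructed CycloneDX 1.6 JSON document (sample data, not from the article):
# an SBOM for a hypothetical application whose "vulnerabilities" section
# carries VEX analysis. The vulnerability ids are placeholders, not advisories.
BOM_JSON = r"""{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "metadata": {"component": {"type": "application", "name": "example-app",
                             "version": "2.0.0", "bom-ref": "app"}},
  "components": [
    {"type": "library", "name": "json-parser", "version": "1.4.2", "bom-ref": "json-parser@1.4.2",
     "purl": "pkg:maven/example/json-parser@1.4.2"},
    {"type": "library", "name": "net-utils", "version": "0.9.0", "bom-ref": "net-utils@0.9.0",
     "purl": "pkg:maven/example/net-utils@0.9.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["json-parser@1.4.2"]},
    {"ref": "json-parser@1.4.2", "dependsOn": ["net-utils@0.9.0", "ghost@1.0.0"]}
  ],
  "vulnerabilities": [
    {"id": "EXAMPLE-2025-0001", "affects": [{"ref": "json-parser@1.4.2"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "EXAMPLE-2025-0002", "affects": [{"ref": "net-utils@0.9.0"}],
     "analysis": {"state": "exploitable"}},
    {"id": "EXAMPLE-2025-0003", "affects": [{"ref": "net-utils@0.9.0"}]}
  ]
}"""

# CycloneDX VEX analysis states that close a finding for this product.
NON_ACTIONABLE = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def load_bom():
    return json.loads(BOM_JSON)


def known_refs(bom):
    """Every bom-ref a dependency or vulnerability may legitimately point at."""
    refs = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    meta = bom.get("metadata", {}).get("component", {})
    if "bom-ref" in meta:
        refs.add(meta["bom-ref"])
    return refs


def dangling_refs(bom):
    """Refs used by dependencies or vulnerabilities that no component declares;
    a non-empty result means the graph is incomplete and VEX may be misapplied."""
    used = set()
    for dep in bom.get("dependencies", []):
        used.add(dep["ref"])
        used.update(dep.get("dependsOn", []))
    for vuln in bom.get("vulnerabilities", []):
        used.update(a["ref"] for a in vuln.get("affects", []))
    return sorted(used - known_refs(bom))


def actionable_vulns(bom):
    """Ids still needing triage: exploitable, in_triage, or no analysis at all."""
    return [v["id"] for v in bom.get("vulnerabilities", [])
            if v.get("analysis", {}).get("state") not in NON_ACTIONABLE]
```

A record without any analysis block is deliberately treated as open, since the absence of a VEX statement is not a statement of non-exploitability.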

Attestations

CycloneDX version 1.6 introduced attestation capabilities, enabling organisations to make verifiable claims about their software development practices, security controls, and compliance with standards such as the NIST Cybersecurity Framework or Secure Software Development Framework (SSDF).[15]

Formulation

The formulation capability documents how software was made, including the build environment, tools, parameters, and processes used during creation.[11]

Regulatory recognition

Germany

The German Federal Office for Information Security (BSI) published Technical Guideline TR-03183 to support manufacturers in meeting the software transparency requirements of the EU Cyber Resilience Act.[33] Part 2 of the guideline, "Software Bill of Materials (SBOM)", specifies CycloneDX version 1.6 or later as one of the acceptable formats for creating machine-readable SBOMs.[34]

Data field mapping

BSI TR-03183-2 version 2.1.0 includes comprehensive mapping tables showing how each required data field corresponds to specific JSON paths in CycloneDX documents.[34] The guideline provides detailed JSON examples demonstrating how to implement each required data field in CycloneDX format, covering the complete range of SBOM content requirements including creator information, component identification, dependency relationships, and licence declarations.[34]

For data fields not natively supported by the CycloneDX specification, the BSI guideline specifies that "the respective data fields are represented by BSI's taxonomy as key-value" pairs using the registered CycloneDX property namespace.[34] This approach enables manufacturers to include all required information while maintaining compatibility with standard CycloneDX validators and tooling.

The Cyber Resilience Act came into force in December 2024, with transitional periods running until full implementation on 11 December 2027.[33]

India

In July 2025, the Indian Computer Emergency Response Team (CERT-In), operating under the Ministry of Electronics and Information Technology, published comprehensive technical guidelines covering five types of bill of materials: SBOM, Quantum BOM (QBOM), Cryptographic BOM (CBOM), Artificial Intelligence BOM (AIBOM), and Hardware BOM (HBOM).[9] The guidelines apply to government departments, public sector organisations, essential services organisations, and organisations involved in software exports.[9]

The CERT-In guidelines identify CycloneDX as one of the recommended formats for generating SBOMs supplied to government and public sector organisations.[35] CycloneDX is also identified as one of the recognised industry-standard formats for cryptographic and quantum bill of materials, supporting post-quantum cryptography migration planning.[36] The guidelines additionally recommend CycloneDX for AI bill of materials and hardware bill of materials.[37][38]

Netherlands

In January 2021, the Netherlands National Cyber Security Centre (NCSC-NL) published a 26-page report commissioned from Capgemini titled "Using the Software Bill of Materials for Enhancing Cybersecurity".[7] The report concluded that from a digitisation and automation perspective, CycloneDX is the format of choice for producing machine-readable SBOMs, noting that CycloneDX contains a vulnerability schema extension to hold URL references to CVE entries.[7]

The report analysed SBOM use cases across four perspectives: producing software products, choosing software products, operating software products, and SecDevOps automation. It found that CycloneDX's support for Common Platform Enumeration (CPE), Software Identification Tags (SWID per ISO/IEC 19770-2:2015), and Package URL (PURL) identifiers enables accurate component identification across all four use cases, facilitating automated CVE correlation.[7]

The NCSC-NL report noted that CycloneDX defines the required set of data attributes for vulnerability identification use cases and supports both XML and JSON layout formats.[7] It described CycloneDX as a community-maintained open standard that is actively developed, ensuring long-term support and usability.[7]

Singapore

In 2024, the Cyber Security Agency of Singapore (CSA) published a joint advisory with OWASP on implementing SBOMs for vulnerability management.[8] The advisory recommends CycloneDX as one of the acceptable formats for generating SBOMs, stating that organisations should "generate and sign SBOM" using CycloneDX to ensure integrity and authenticity.[8]

The Singapore advisory outlines a three-step approach: selecting appropriate SBOM generation tools, generating and cryptographically signing SBOMs in CycloneDX format, and implementing proactive vulnerability management through continuous monitoring.[8] The document emphasises that integrating SBOMs into continuous integration and continuous deployment (CI/CD) pipelines "allows real-time monitoring of new vulnerabilities through automation".[8]

The advisory references the Log4Shell and Heartbleed vulnerabilities as examples of incidents that demonstrated the critical need for visibility into software components, noting that organisations with comprehensive SBOMs were able to respond more quickly to these supply chain security events.[8]

United States

Executive Order 14028, signed in May 2021, directed federal agencies to enhance software supply chain security and identified machine-readable SBOMs as a key requirement.[1] The NTIA subsequently published guidance identifying CycloneDX as one of the acceptable formats for federal software procurement.[5]

NIST post-quantum cryptography guidance

In December 2023, the NIST National Cybersecurity Center of Excellence (NCCoE) published SP 1800-38B, a practice guide addressing migration to post-quantum cryptography.[6] The document explicitly recommends CycloneDX for cryptographic bill of materials (CBOM), stating that CBOM "extends an SBOM by defining an object model to describe cryptographic assets and their dependencies".[6]

The NIST guidance states that "readers of this document are encouraged to reference the CycloneDX Bill of Materials specification, as it provided the basis for the CBOM structure".[6] The document provides complete JSON examples demonstrating CycloneDX CBOM format for inventorying cryptographic assets including algorithms, certificates, keys, and related dependencies.[6]

The practice guide addresses the threat posed by cryptographically relevant quantum computers (CRQC) to public-key cryptographic algorithms including RSA, DSA, ECDSA, ECDH, and EdDSA.[6] It recommends using CycloneDX CBOMs to inventory quantum-vulnerable assets and prioritise their replacement with algorithms specified in FIPS 203, FIPS 204, and FIPS 205.[6]
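As an added example (not code from the NIST guide or the CycloneDX project), the following Python embeds a constructed CycloneDX 1.6 CBOM and performs the inventory step the guidance describes: it flags public-key algorithms with no declared quantum security level, maps each to the FIPS standard of its replacement, and follows the certificate-to-algorithm dependency so a certificate signed with a weak algorithm is also reported. The cryptoProperties field names follow the CycloneDX 1.6 schema as used here; treat their exact spelling as an assumption to verify against the published schema, and all asset values are constructed.

```python
import json

# Constructed CycloneDX 1.6 CBOM (sample data, not taken from the NIST guide).
# Components of type "cryptographic-asset" describe four algorithms and one
# X.509 certificate whose signature algorithm is referenced by bom-ref.
CBOM_JSON = r"""{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "components": [
    {"type": "cryptographic-asset", "name": "RSA", "bom-ref": "alg-rsa-2048",
     "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
       {"primitive": "pke", "parameterSetIdentifier": "2048", "nistQuantumSecurityLevel": 0}}},
    {"type": "cryptographic-asset", "name": "ECDSA", "bom-ref": "alg-ecdsa-p256",
     "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
       {"primitive": "signature", "parameterSetIdentifier": "P-256", "nistQuantumSecurityLevel": 0}}},
    {"type": "cryptographic-asset", "name": "AES-GCM", "bom-ref": "alg-aes-256-gcm",
     "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
       {"primitive": "ae", "parameterSetIdentifier": "256", "nistQuantumSecurityLevel": 5}}},
    {"type": "cryptographic-asset", "name": "ML-KEM", "bom-ref": "alg-ml-kem-768",
     "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
       {"primitive": "kem", "parameterSetIdentifier": "768", "nistQuantumSecurityLevel": 3}}},
    {"type": "cryptographic-asset", "name": "server certificate", "bom-ref": "cert-server",
     "cryptoProperties": {"assetType": "certificate", "certificateProperties":
       {"subjectName": "CN=example.test", "signatureAlgorithmRef": "alg-ecdsa-p256"}}}
  ]
}"""

# Public-key primitives a cryptographically relevant quantum computer breaks,
# mapped to the FIPS standard whose algorithms NIST designates as replacements.
PQC_REPLACEMENT = {
    "pke": "FIPS 203 (ML-KEM)", "kem": "FIPS 203 (ML-KEM)", "key-agree": "FIPS 203 (ML-KEM)",
    "signature": "FIPS 204 (ML-DSA) or FIPS 205 (SLH-DSA)",
}


def load_cbom():
    return json.loads(CBOM_JSON)


def crypto_assets(bom, asset_type):
    """Yield (bom-ref, cryptoProperties) for every asset of the given assetType."""
    for comp in bom.get("components", []):
        props = comp.get("cryptoProperties", {})
        if comp.get("type") == "cryptographic-asset" and props.get("assetType") == asset_type:
            yield comp["bom-ref"], props


def quantum_vulnerable(bom):
    """Map bom-ref -> replacement standard for each public-key algorithm whose
    nistQuantumSecurityLevel is 0 (a missing level is conservatively treated as 0)."""
    found = {}
    for ref, props in crypto_assets(bom, "algorithm"):
        algo = props.get("algorithmProperties", {})
        primitive = algo.get("primitive")
        if primitive in PQC_REPLACEMENT and algo.get("nistQuantumSecurityLevel", 0) == 0:
            found[ref] = PQC_REPLACEMENT[primitive]
    return found


def affected_certificates(bom):
    """Certificates whose signing algorithm is quantum-vulnerable: a dependency
    the CBOM records via certificateProperties.signatureAlgorithmRef."""
    weak = quantum_vulnerable(bom)
    return sorted(ref for ref, props in crypto_assets(bom, "certificate")
                  if props.get("certificateProperties", {}).get("signatureAlgorithmRef") in weak)
```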

Governance

CycloneDX operates under a community development model with governance shared between the OWASP Foundation and Ecma International's Technical Committee 54 (TC54).[18][4] The CycloneDX Core Working Group manages the specification, with additional Feature Working Groups addressing specific capabilities.[27]

The specification is published under a royalty-free patent policy, and the reference schemas are available under the Apache License 2.0.[27]

References

  1. "Software Security in Supply Chains: Software Bill of Materials (SBOM)". National Institute of Standards and Technology. Retrieved 2025-12-10.
  2. "Ecma new standard ECMA-424 on CycloneDX Bill of Materials". Ecma International. Retrieved 2025-12-10.
  3. "CycloneDX Bill of Materials Specification". Ecma TC54. Retrieved 2025-12-10.
  4. "TC54 - Software and System Transparency". Ecma International. Retrieved 2025-12-11.
  5. "Software Bill of Materials Elements and Considerations". Federal Register. 2 June 2021. Retrieved 2025-12-10.
  6. Migration to Post-Quantum Cryptography: Quantum Readiness: Cryptographic Discovery (PDF) (Report). National Institute of Standards and Technology. December 2023. Retrieved 2025-12-11.
  7. Using the Software Bill of Materials for Enhancing Cybersecurity (Report). National Cyber Security Centre (Netherlands). January 2021. Retrieved 2025-12-11.
  8. Advisory on Implementation of Software Bill of Materials for Vulnerability Management (Report). Cyber Security Agency of Singapore. 2024. Retrieved 2025-12-11.
  9. Technical Guidelines on SBOM, QBOM & CBOM, AIBOM and HBOM (PDF) (Report). Indian Computer Emergency Response Team. 9 July 2025. Retrieved 2025-12-11.
  10. Schleen, DJ (April 2023). "The CycloneDX SBOM Format" (Podcast). daBOM. Retrieved 2025-12-11.
  11. "CycloneDX 1.5: The next big step for SBOMs and software transparency". ReversingLabs. June 2023. Retrieved 2025-12-10.
  12. "CycloneDX Specification Releases". CycloneDX. Retrieved 2025-12-11 – via GitHub.
  13. Garcia Veytia, Adolfo (14 March 2023). "VEX: Standardization for a Vulnerability Exploit Data Exchange Format". The New Stack. Retrieved 2025-12-11.
  14. "Leading SBOM Standard CycloneDX Now Incorporates Machine Learning". Cloud Wars. 6 September 2023. Retrieved 2025-12-11.
  15. "OWASP looks to future-proof software bills of materials with CycloneDX 1.6". ReversingLabs. April 2024. Retrieved 2025-12-11.
  16. "ECMA-424". Ecma International. Retrieved 2025-12-10.
  17. "ECMA-424 2nd Edition". Ecma International. 10 December 2025. Retrieved 2025-12-10.
  18. "Ecma Technical Committee 54". Ecma International. Retrieved 2025-12-10.
  19. "CycloneDX Tool Center". CycloneDX. Retrieved 2025-12-13.
  20. Hughes, Chris (8 August 2022). "SBOM formats SPDX and CycloneDX compared". CSO Online. Retrieved 2025-12-13.
  21. "SBOM formats compared: CycloneDX vs. SPDX vs. SWID Tags". TechTarget. Retrieved 2025-12-13.
  22. Schwartz, Jeffrey (17 October 2023). "IBM Contributes Supply Chain Security Tools to OWASP". Dark Reading. Retrieved 2025-12-13.
  23. "Maven Central Repository Search: CycloneDX". Sonatype. Retrieved 2025-12-13.
  24. Mirakhorli, Mehdi; Garcia, Derek; Dillon, Schuyler; Laporte, Kevin; Morrison, Matthew; Lu, Henry; Koscinski, Viktoria; Enoch, Christopher (17 February 2024). "A Landscape Study of Open Source and Proprietary Tools for Software Bill of Materials (SBOM)". arXiv:2402.11151 [cs.SE].
  25. Software Bill of Materials (SBOM) Harmonization Plugfest 2024 (PDF) (Report). Software Engineering Institute, Carnegie Mellon University. July 2025. CMU/SEI-2025-SR-002. Retrieved 2025-12-13.
  26. "Study Finds Key Causes of Divergence in Software Bills of Materials". Software Engineering Institute. 11 August 2025. Retrieved 2025-12-13.
  27. "CycloneDX Specification". CycloneDX. Retrieved 2025-12-11 – via GitHub.
  28. Verma Sehgal, Vandana; Ambili, P S (2024). "A Taxonomy and Survey of Software Bill of Materials (SBOM) Generation Approaches". Proceedings of the International Conference on Data Science, Machine Learning and Artificial Intelligence. Springer. Retrieved 2025-12-13.
  29. "CycloneDX v1.6 Released, Advances Software Supply Chain Security with Cryptographic Bill of Materials and Attestations". OWASP Foundation. 9 April 2024. Retrieved 2025-12-13.
  30. Hess, Basil; Koertge, Nicklas (14 May 2024). "Standardization of Cryptography Bill of Materials in OWASP CycloneDX". ETSI/IQC Quantum Safe Cryptography Conference 2024. IBM Research. Retrieved 2025-12-13.
  31. "IBM is donating its CBOM toolset to the Linux Foundation". IBM Research. 24 June 2025. Retrieved 2025-12-13.
  32. "VDR, VEX, OpenVEX and CSAF". Open Source Security Foundation. 7 September 2023. Retrieved 2025-12-11.
  33. "Technical Guideline TR-03183 Cyber Resilience Requirements for Manufacturers and Products". German Federal Office for Information Security. Retrieved 2025-12-10.
  34. "BSI TR-03183-2: Software Bill of Materials (SBOM)". German Federal Office for Information Security. Retrieved 2025-12-10.
  35. "7.1.5". Technical Guidelines on SBOM, QBOM & CBOM, AIBOM and HBOM (PDF) (Report). Indian Computer Emergency Response Team. 9 July 2025. p. 38. Retrieved 2025-12-11.
  36. "8.4.1.5". Technical Guidelines on SBOM, QBOM & CBOM, AIBOM and HBOM (PDF) (Report). Indian Computer Emergency Response Team. 9 July 2025. p. 48. Retrieved 2025-12-11.
  37. "9.4.2.2". Technical Guidelines on SBOM, QBOM & CBOM, AIBOM and HBOM (PDF) (Report). Indian Computer Emergency Response Team. 9 July 2025. p. 58. Retrieved 2025-12-11.
  38. "10.4.1.6". Technical Guidelines on SBOM, QBOM & CBOM, AIBOM and HBOM (PDF) (Report). Indian Computer Emergency Response Team. 9 July 2025. pp. 62–63. Retrieved 2025-12-11.