OWASP CycloneDX

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. The specification supports:

  • Software Bill of Materials (SBOM)
  • Software-as-a-Service Bill of Materials (SaaSBOM)
  • Hardware Bill of Materials (HBOM)
  • Operations Bill of Materials (OBOM)
  • Vulnerability Disclosure Reports (VDR)
  • Vulnerability Exploitability eXchange (VEX)

The CycloneDX project provides the standard in XML, JSON, and Protocol Buffers form, as well as a large collection of official and community-supported tools that create or interoperate with the standard.

The project's website has many documented use cases and examples that provide a springboard to SBOM adoption.

The project operates as a meritocracy whose guiding principles reinforce its risk-based approach to standards development. The project encourages community participation in the development of the standard and supporting tools.


Background

Modern software is assembled using third-party and open source components. They are glued together in complex and unique ways and integrated with original code to achieve the desired functionality. An accurate inventory of all components enables organizations to identify risk, allows for greater transparency, and enables rapid impact analysis.

CycloneDX was created for this purpose.
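As an added illustration that is not part of the original page or of the CycloneDX project's own code, the following Python sketch shows what a minimal CycloneDX 1.4 JSON document looks like and how a consumer can use its dependency graph for the rapid impact analysis mentioned above. The application, component names, versions and purls are invented, and `validate_minimal` checks only a handful of required fields and referential integrity, not the full CycloneDX schema.

```python
import json
from collections import defaultdict

# Constructed sample: a minimal CycloneDX 1.4 JSON SBOM for a hypothetical
# application. Component names, versions and purls are invented.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "component": {
            "type": "application",
            "bom-ref": "app",
            "name": "example-app",
            "version": "1.0.0",
        }
    },
    "components": [
        {"type": "library", "bom-ref": "alpha", "name": "libalpha",
         "version": "1.0.0", "purl": "pkg:generic/libalpha@1.0.0"},
        {"type": "library", "bom-ref": "beta", "name": "libbeta",
         "version": "2.3.4", "purl": "pkg:generic/libbeta@2.3.4"},
        {"type": "library", "bom-ref": "gamma", "name": "libgamma",
         "version": "0.9.0", "purl": "pkg:generic/libgamma@0.9.0"},
    ],
    # Dependency graph: each entry lists the bom-refs a component depends on.
    "dependencies": [
        {"ref": "app", "dependsOn": ["alpha", "beta"]},
        {"ref": "alpha", "dependsOn": ["gamma"]},
        {"ref": "beta", "dependsOn": []},
        {"ref": "gamma", "dependsOn": []},
    ],
}


def all_components(bom):
    """Yield the root (metadata) component, if any, then every listed component."""
    root = bom.get("metadata", {}).get("component")
    if root:
        yield root
    yield from bom.get("components", [])


def validate_minimal(bom):
    """Return a list of structural problems (empty list means the checks passed).
    Covers a few required fields, unique bom-refs and resolvable dependency
    references; it is not a substitute for full schema validation."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be 'CycloneDX'")
    if not isinstance(bom.get("specVersion"), str):
        problems.append("specVersion missing")
    if not isinstance(bom.get("version"), int) or bom["version"] < 1:
        problems.append("version must be an integer >= 1")
    refs = set()
    for comp in all_components(bom):
        if "type" not in comp or "name" not in comp:
            problems.append(f"component lacks type/name: {comp}")
        ref = comp.get("bom-ref")
        if ref is not None:
            if ref in refs:
                problems.append(f"duplicate bom-ref: {ref}")
            refs.add(ref)
    for dep in bom.get("dependencies", []):
        for r in [dep.get("ref")] + list(dep.get("dependsOn", [])):
            if r not in refs:
                problems.append(f"dependency references unknown bom-ref: {r}")
    return problems


def reverse_dependency_graph(bom):
    """Map each bom-ref to the set of bom-refs that directly depend on it."""
    parents = defaultdict(set)
    for dep in bom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents[child].add(dep.get("ref"))
    return parents


def impacted_by(bom, purl):
    """Given the purl of a component named in an advisory, return the sorted names
    of every component that transitively depends on it (the root application
    included), plus the component itself, so the caller sees the blast radius."""
    by_ref = {c["bom-ref"]: c for c in all_components(bom) if "bom-ref" in c}
    start = [ref for ref, c in by_ref.items() if c.get("purl") == purl]
    if not start:
        return []
    parents = reverse_dependency_graph(bom)
    seen, stack = set(start), list(start)
    while stack:  # walk the reverse graph upward to every dependent
        ref = stack.pop()
        for parent in parents.get(ref, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return sorted(by_ref[r]["name"] for r in seen)


def to_json(bom):
    """Serialize the BOM as CycloneDX JSON."""
    return json.dumps(bom, indent=2)


if __name__ == "__main__":
    print(validate_minimal(SAMPLE_SBOM))
    print(impacted_by(SAMPLE_SBOM, "pkg:generic/libgamma@0.9.0"))
```

The reverse walk over `dependencies` is what turns an inventory into impact analysis: a consumer matching an advisory's purl against the SBOM learns not just that the component is present but which applications reach it, which is the question an incident responder actually asks.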

The strategic direction of the specification is managed by the CycloneDX Core Working Group; the project is backed by the OWASP Foundation and supported by the global information security community.

Resources

CycloneDX Unplugged

CycloneDX Unplugged is a community showcase of commercial and open source projects that support or interoperate with the OWASP CycloneDX Software Bill of Materials (SBOM) standard. CycloneDX Unplugged is part of the CycloneDX YouTube channel.

A focus of the playlist is on the creation, consumption, analysis, conversion, and distribution of CycloneDX along with the tools and processes that serve to better operationalize SBOMs for greater transparency and cybersecurity risk reduction.

CycloneDX Unplugged honors OWASP’s mission of helping improve software security in a vendor neutral way. Requirements for inclusion are:

  • Any commercial or open source project that consumes, analyzes, produces, or distributes CycloneDX SBOMs.
  • All projects or vendors have a limit of 3 videos that will be publicly listed at any given time.
  • Videos must not exceed 15 minutes.
  • Videos must be factual and describe capabilities currently available.
  • Videos may be self-produced, or produced in collaboration with the CycloneDX Core Working Group.
  • All videos will be edited to include a standardized intro.

To participate in CycloneDX Unplugged, please send an email to the CycloneDX project leads:


Dependency-Track is developed by a worldwide team of volunteers.

We have also been helped by many organizations, either financially or by encouraging their employees to work on Dependency-Track:

Financial Supporters

apiiro
Fortress Information Security
Kondukto

Industry Working Group Supporters

Contrast Security
IBM
Ion Channel
Lockheed Martin
Now Secure
Sonatype
Vdoo
Xperi

Visit https://cyclonedx.org/about/supporters/ for a comprehensive list of all known vendors and projects that support the CycloneDX standard.