CycloneDX is a lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
The CycloneDX project provides the standard in XML, JSON, and Protocol Buffers formats, as well as a large collection of official and community-supported tools that create or interoperate with it.
The project's website has many documented use cases and examples that provide a springboard for SBOM adoption.
The project operates as a meritocracy whose guiding principles reinforce its risk-based approach to standards development. The project encourages community participation in the development of the standard and its supporting tools.
Modern software is assembled using third-party and open source components. They are glued together in complex and unique ways and integrated with original code to achieve the desired functionality. An accurate inventory of all components enables organizations to identify risk, allows for greater transparency, and enables rapid impact analysis.
CycloneDX was created for this purpose.
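The inventory-to-impact-analysis step described above, as an added illustration (this is not code from the CycloneDX project or any of its tools): a constructed CycloneDX 1.4 JSON BOM for a made-up application is parsed, its components are indexed, and the dependency graph is walked to show every path from the application to a component matching a hypothetical advisory. The field names (bomFormat, specVersion, metadata.component, components, dependencies with ref/dependsOn, bom-ref, purl) follow the CycloneDX JSON schema; using the purl as the bom-ref is a common convention, not a requirement, and matching on an exact version list rather than an advisory's version range is a simplification.

```python
import json
from typing import Dict, List

# Constructed sample BOM for illustration only: the application, libraries,
# versions and package URLs are made up and do not describe real software.
SAMPLE_BOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
    "component": {"type": "application", "name": "webapp", "version": "2.1.0",
                  "bom-ref": "pkg:maven/example/webapp@2.1.0",
                  "purl": "pkg:maven/example/webapp@2.1.0"}
  },
  "components": [
    {"type": "library", "name": "http-client", "version": "4.5.13",
     "bom-ref": "pkg:maven/example/http-client@4.5.13",
     "purl": "pkg:maven/example/http-client@4.5.13"},
    {"type": "library", "name": "json-parser", "version": "1.2.0",
     "bom-ref": "pkg:maven/example/json-parser@1.2.0",
     "purl": "pkg:maven/example/json-parser@1.2.0"},
    {"type": "library", "name": "logging-core", "version": "1.0.4",
     "bom-ref": "pkg:maven/example/logging-core@1.0.4",
     "purl": "pkg:maven/example/logging-core@1.0.4"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/example/webapp@2.1.0",
     "dependsOn": ["pkg:maven/example/http-client@4.5.13",
                   "pkg:maven/example/json-parser@1.2.0"]},
    {"ref": "pkg:maven/example/http-client@4.5.13",
     "dependsOn": ["pkg:maven/example/logging-core@1.0.4"]},
    {"ref": "pkg:maven/example/json-parser@1.2.0", "dependsOn": []},
    {"ref": "pkg:maven/example/logging-core@1.0.4", "dependsOn": []}
  ]
}
"""


def load_bom(text: str) -> dict:
    """Parse a CycloneDX JSON document and reject anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if "specVersion" not in bom:
        raise ValueError("missing specVersion")
    return bom


def index_components(bom: dict) -> Dict[str, dict]:
    """Map bom-ref -> component, including the root component in metadata."""
    index: Dict[str, dict] = {}
    root = bom.get("metadata", {}).get("component")
    if root:
        index[root["bom-ref"]] = root
    for comp in bom.get("components", []):
        index[comp["bom-ref"]] = comp
    return index


def dependency_graph(bom: dict) -> Dict[str, List[str]]:
    """Adjacency list built from the BOM's dependencies section."""
    return {d["ref"]: list(d.get("dependsOn", []))
            for d in bom.get("dependencies", [])}


def find_affected(bom: dict, name: str, versions: List[str]) -> List[str]:
    """bom-refs of components whose name and version match a (hypothetical) advisory."""
    return [ref for ref, c in index_components(bom).items()
            if c.get("name") == name and c.get("version") in versions]


def dependency_paths(bom: dict, target: str) -> List[List[str]]:
    """Every path from the root component to target along dependsOn edges."""
    graph = dependency_graph(bom)
    root = bom["metadata"]["component"]["bom-ref"]
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == target:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:  # guard against dependency cycles
                walk(child, path + [child])

    walk(root, [root])
    return paths


if __name__ == "__main__":
    bom = load_bom(SAMPLE_BOM_JSON)
    # Hypothetical advisory: logging-core 1.0.4 is affected. Which paths pull it in?
    for ref in find_affected(bom, "logging-core", ["1.0.4"]):
        for path in dependency_paths(bom, ref):
            print(" -> ".join(path))
```

The dependency walk is what turns a flat inventory into an impact answer: it shows not just that an affected component is present but which direct dependency of the application brings it in, which is the information needed to decide where a fix has to be applied.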
Software Bill of Materials (SBOM): National Telecommunications and Infrastructure Administration (NTIA), United States
Using the Software Bill of Materials for Enhancing Cybersecurity: National Cyber Security Centre (NCSC), Netherlands
Guidelines for Securing the Internet of Things: European Union Agency for Cybersecurity (ENISA)
OWASP Software Component Verification Standard (SCVS): Open Web Application Security Project (OWASP)