CycloneDX
5.2.3 CycloneDX
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. This project is one of the OWASP flagship projects.
What is CycloneDX?
CycloneDX is a widely used standard for various types of Bills of Materials. It provides an organization’s supply chain with software security risk reduction. The specification supports:
- Software Bill of Materials (SBOM)
- Software-as-a-Service Bill of Materials (SaaSBOM)
- Hardware Bill of Materials (HBOM)
- Machine-learning Bill of Materials (ML-BOM)
- Manufacturing Bill of Materials (MBOM)
- Operations Bill of Materials (OBOM)
- Bill of Vulnerabilities (BOV)
- Vulnerability Disclosure Reports (VDR)
- Vulnerability Exploitability eXchange (VEX)
- Common Release Notes format
- Syntax for Bill of Materials linkage (BOM-Link)
The CycloneDX project provides standards in XML, JSON, and Protocol Buffers. There is a large collection of official and community supported tools that consume and create CycloneDX BOMs or interoperate with the CycloneDX standard.
Why use it?
CycloneDX is a very well established standard for SBOMs and various other types of BOM. There is a huge ecosystem built around CycloneDX and it is used globally by many companies. In addition SBOMs are mandatory for many industries and various governments - at some point every organization will have to provide SBOMs for their customers and CycloneDX is an accepted standard for this.
CycloneDX also provides standards for other types of BOMs that may be required in the supply chain along with standards for release notes, responsible disclosure, etc. It is useful to use CycloneDX throughout the supply chain as it promotes interoperability between the various tools.
How to use it
The OWASP Spotlight series provides an overview of CycloneDX along with the a demonstration of using SBOMs: ‘Project 21 - OWASP CycloneDX’.
CycloneDX is an easy to understand standard that can be augmented to suit all parts of a supply chain, and there are many tools (more than 220 as of February 2024) that interoperate with CycloneDX.
The easiest way to use CycloneDX is to select tools from this list for any of the supported BOM types, with both proprietary/commercial and open source tools included in the list. A common example is for a customer to request that an SBOM is provided for a web application, and various tools can be chosen that are able to export the SBOM in various formats.
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.
\newpage