You can edit almost every page by Creating an account. Otherwise, see the FAQ.


From EverybodyWiki Bios & Wiki

Year started2017
Latest version1.3[1]
4 May 2021
CommitteeOWASP CycloneDX Core Working Group[2]
EditorsSteve Springett (OWASP), Patrick Dwyer (OWASP)[1]
LicenseApache 2.0 Logo.png Search CycloneDX on Amazon.

CycloneDX is a Software Bill of Materials (SBOM) standard used to document open source and commercial software used in the creation, packaging, and distribution of software. The specification is defined in JSON Schema[3], XML Schema[4] and Protocol Buffers. CycloneDX focuses on being lightweight and security-focused, specifically targeting supply chain cyber security risks.[5]. The specification builds upon the work of Software Package Data Exchange (SPDX) by incorporating SPDX license ID's and expressions as well as incorporating industry standards for software identity[6] including the Package URL[7] specification, Common Platform Enumeration, and Software Identification tags (ISO/IEC 19770–2:2015).

The CycloneDX standard is capable of describing applications, containers, hardware devices, libraries, frameworks, files, firmware, operating systems, and services. The full-stack nature of the standard allows it to be leveraged as an Operations Bill of Materials (OBOM), Manufacturing Bill of Materials (MBOM), and Software-as-a-Service Bill of Materials (SaaS BOM).

CycloneDX is a flagship OWASP standards project[8].

Role in cybersecurity[edit]

CycloneDX originated from the OWASP community, and as such, is heavily focused on achieving cybersecurity use cases. The standard is recommended by multiple world governments including the National Cyber Security Centre (NCSC) in the Netherlands[9] and the U.S. National Telecommunications and Information Administration (NTIA)[10][11]. Vulnerability management is the primary use cases for software transparency allowing organizations to quickly identify if they're impacted by a vulnerability, and if so, where in their organization they are affected. CycloneDX achieves this through its use of Package URL, CPE, and other metadata that can identify software components. CycloneDX has led to commercial innovations in the software security market including the worlds first dynamic Software Bill of Materials for mobile apps[12] and the first dynamic Software Bill of Materials created from application runtime[13].

Project history[edit]

CycloneDX was designed in 2017 for the purpose of being used in systems capable of identifying risk in the software supply chain. The primary use-cases CycloneDX was designed to solve were vulnerability identification, license compliance, and outdated component analysis. Additional capabilities were added in subsequent releases of the specification.

The CycloneDX project utilizes a governance model based on the Meritocratic governance model[14]. On 1 June 2021, a vote was put forth on the CycloneDX mailing list seeking formal support to join the OWASP Foundation[15]. The vote had unanimous support and on 11 June 2021, CycloneDX officially joined the OWASP Foundation as a flagship project[16].

Release history[edit]

Version Release date
CycloneDX v1.3 04 May 2021
CycloneDX v1.2 26 May 2020
CycloneDX v1.1 03 March 2019
CycloneDX v1.0 26 March 2018
Initial prototype 01 May 2017

The CycloneDX specification, as well as the official implementations are open source and Apache 2.0 licensed.


  1. 1.0 1.1 "CycloneDX Version 1.3". OWASP. 2021-05-04. Retrieved 2021-11-06.
  2. "CycloneDX Working Groups". OWASP. Retrieved 2021-11-05.
  3. "CycloneDX JSON Reference". Retrieved 2021-11-05.
  4. "CycloneDX XML Reference". Retrieved 2021-11-05.
  5. "CycloneDX Project Goals". Retrieved 2021-11-05.
  6. "CycloneDX Specification Overview: Components". Retrieved 2021-11-05.
  7. "A minimal specification for purl". Retrieved 2021-11-05.
  8. "OWASP CycloneDX". Retrieved 2021-11-05.
  9. "Using the Software Bill of Materials for Enhancing Cybersecurity". Retrieved 2021-11-05.
  10. "Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM), Second Edition" (PDF). Retrieved 2021-11-05.
  11. "The Minimum Elements For a Software Bill of Materials (SBOM)" (PDF). Retrieved 2021-11-05.
  12. "NowSecure Announces the World's First Dynamic Software Bill of Materials (SBOM) for Mobile Apps". Retrieved 2021-11-05.
  13. "Contrast Security Provides Application Security Leadership and Direction for Software Supply Chain Risk in Support of White House Executive Order". Retrieved 2021-11-05.
  14. "CycloneDX Governance". Retrieved 2021-11-05.
  15. "Should CycloneDX join OWASP as a flagship OWASP project? Vote Now!". Retrieved 2021-11-05.
  16. "CycloneDX joins OWASP as a flagship project". Retrieved 2021-11-05.

External links[edit]

This article "CycloneDX" is from Wikipedia. The list of its authors can be seen in its historical and/or the page Edithistory:CycloneDX. Articles copied from Draft Namespace on Wikipedia could be seen on the Draft Namespace of Wikipedia and not main one.