Skip to content

Software Bill of Material (SBOM) standard designed for use in application security contexts and supply chain component analysis

License

Notifications You must be signed in to change notification settings

madpah/specification

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Build Status License Website Slack Invite Group Discussion Twitter

CycloneDX Specification

CycloneDX is a lightweight Software Bill of Materials (SBOM) specification designed for use in application security contexts and supply chain component analysis.

Introduction

Modern software is assembled using third-party and open source components, glued together in complex and unique ways, and integrated with original code to achieve the desired functionality. An accurate inventory of all components enables organizations to identify risk, allows for greater transparency, and enables rapid impact analysis.

CycloneDX was created for this purpose.

Strategic direction and maintenance of the specification is managed by the CycloneDX Core working group, with origins in the OWASP community.

Use Cases

The CycloneDX project maintains a list of achievable use cases. Examples for each use case are provided in both XML and JSON.

Tool Center

The CycloneDX Tool Center is a community effort to establish a marketplace of free, open source, and proprietary tools and solutions that support the CycloneDX specification.

Media Types

The following media types are officially registered with IANA:

Media Type Format Assignment
application/vnd.cyclonedx+xml XML IANA
application/vnd.cyclonedx+json JSON IANA

Specific versions of CycloneDX can be specified by using the version parameter. i.e. application/vnd.cyclonedx+xml; version=1.3.

The officially supported media type for Protocol Buffer format is application/x.vnd.cyclonedx+protobuf.

Release History

Version Release Date
CycloneDX 1.4 12 January 2022
CycloneDX 1.3 04 May 2021
CycloneDX 1.2 26 May 2020
CycloneDX 1.1 03 March 2019
CycloneDX 1.0 26 March 2018
Initial Prototype 01 May 2017

Related Work

SPDX (Software Package Data Exchange) is a specification that provides low-level details of components, including all files, hashes, authors, and copyrights. SPDX also defines over 300 open source license IDs. CycloneDX builds on top of the work SPDX has accomplished with license IDs, but varies greatly in its approach towards building a software bill of material specification.

SWID (ISO/IEC 19770-2:2015) is used primarily to identify installed software and is the preferred format of the NVD. SWID tags are used in the National Vulnerability Database to describe vulnerable components. The CycloneDX specification compliments this work as CycloneDX documents can incorporate SWID tags and other high-level SWID metadata and optionally include entire SWID documents. Use of SWID tag ID's are useful in determining if a specific component has known vulnerabilities.

CPE (Common Platform Enumeration) is a specification that describes the vendor, name, and version for an application, operating system, or hardware device. CPE identifiers are used in the National Vulnerability Database to describe vulnerable components. The CycloneDX specification compliments this work as CycloneDX documents can easily be used to construct exact CPE identifiers that are useful in determining if a specific component has known vulnerabilities.

Copyright & License

CycloneDX Specification is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache License 2.0

About

Software Bill of Material (SBOM) standard designed for use in application security contexts and supply chain component analysis

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • XSLT 87.3%
  • HTML 5.2%
  • Java 4.0%
  • CSS 2.0%
  • JavaScript 0.6%
  • Shell 0.5%
  • PHP 0.4%