CycloneDX

OWASP CycloneDX is a Bill of Materials (BOM) standard that provides supply chain capabilities for cyber risk reduction. This project is one of the OWASP flagship projects.
What is CycloneDX?
CycloneDX is a widely used standard for various types of Bills of Materials. Think of a Bill of Materials (BOM) as a list of the components in a deliverable; a real-world example might be receiving a new mobile phone whose package contains:
- the mobile phone itself
- a charger cable
- various disclaimers and warranties
This itemized list can be called a Bill of Materials, and it means the consumer knows exactly what is provided.
In a similar way, CycloneDX provides software security risk reduction for an organization's supply chain by specifying what is in the (often third-party) components that make up the deliverable product. The specification supports:
- Software Bill of Materials (SBOM)
- Cryptography Bill of Materials (CBOM)
- Software-as-a-Service Bill of Materials (SaaSBOM)
- Hardware Bill of Materials (HBOM)
- Machine-learning Bill of Materials (ML-BOM)
- Manufacturing Bill of Materials (MBOM)
- Operations Bill of Materials (OBOM)
- Bill of Vulnerabilities (BOV)
- Vulnerability Disclosure Reports (VDR)
- Vulnerability Exploitability eXchange (VEX)
- Common Release Notes format
- Syntax for Bill of Materials linkage (BOM-Link)
The CycloneDX project provides standards in XML, JSON, and Protocol Buffers. There is a large collection of official and community supported tools that consume and create CycloneDX BOMs or interoperate with the CycloneDX standard.
Why use it?
BOMs are useful for many purposes, from answering questions such as "What cryptography are we shipping in that product?" to listing the vulnerabilities in a deliverable, alongside its software packages and libraries, in a consumable way.
CycloneDX is a very well established standard for SBOMs and various other types of BOM. There is a huge ecosystem built around CycloneDX and it is used globally by many companies. In addition, SBOMs are mandatory in many industries and for various governments; at some point every organization will have to provide SBOMs to its customers, and CycloneDX is an accepted standard for this.
CycloneDX also provides standards for other types of BOMs that may be required in the supply chain along with standards for release notes and responsible disclosure. It is useful to use CycloneDX throughout the supply chain as it promotes interoperability between the various tools.
If there is a security related list that is being generated, then chances are there is a CycloneDX BOM for that.
How to use it
The OWASP Spotlight series provides an overview of CycloneDX along with a demonstration of using SBOMs: 'Project 21 - OWASP CycloneDX'.
CycloneDX is an easy-to-understand standard that can be extended to suit all parts of a supply chain, and there are many tools (more than 220 as of February 2024) that interoperate with CycloneDX.
The easiest way to use CycloneDX is to select tools from the CycloneDX tool list for any of the supported BOM types; both proprietary/commercial and open source tools are included in the list. A common example is for a customer to request that an SBOM be provided for a web application, and various tools can be chosen that are able to export the SBOM in the required formats.
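To make the SBOM and BOV use cases concrete, here is an added example (not code from the OWASP Developer Guide or the CycloneDX project) that builds a minimal CycloneDX 1.5 JSON document, checks its basic shape the way a consumer should before trusting it, and answers "which shipped packages carry known vulnerabilities?" by resolving vulnerability `affects` references back to components. Component names, purls and the vulnerability id are constructed sample values.

```python
import uuid
from datetime import datetime, timezone

# Top-level keys the CycloneDX JSON schema requires.
REQUIRED_KEYS = ("bomFormat", "specVersion", "version")


def build_sbom():
    """Constructed CycloneDX 1.5 SBOM: one application, two libraries, one vulnerability (sample values)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "name": "example-webapp", "version": "2.3.0"},
        },
        "components": [
            {"type": "library", "bom-ref": "pkg:npm/example-lib@1.4.2", "name": "example-lib",
             "version": "1.4.2", "purl": "pkg:npm/example-lib@1.4.2"},
            {"type": "library", "bom-ref": "pkg:npm/other-lib@0.9.0", "name": "other-lib",
             "version": "0.9.0", "purl": "pkg:npm/other-lib@0.9.0"},
        ],
        # Embedded vulnerability records (the BOV use case) point back at components via bom-ref.
        "vulnerabilities": [
            {"id": "EXAMPLE-0001", "source": {"name": "constructed-example"},
             "ratings": [{"severity": "high"}], "affects": [{"ref": "pkg:npm/example-lib@1.4.2"}]},
        ],
    }


def validate_shape(bom):
    """Required keys present, format tag is CycloneDX, and every 'affects' ref resolves to a component."""
    if any(k not in bom for k in REQUIRED_KEYS) or bom["bomFormat"] != "CycloneDX":
        return False
    refs = {c.get("bom-ref") for c in bom.get("components", [])}
    return all(a["ref"] in refs
               for v in bom.get("vulnerabilities", []) for a in v.get("affects", []))


def affected_components(bom):
    """Map each component purl to the vulnerability ids affecting it; unresolvable refs are skipped."""
    purl_by_ref = {c["bom-ref"]: c["purl"] for c in bom.get("components", [])}
    result = {purl: [] for purl in purl_by_ref.values()}
    for vuln in bom.get("vulnerabilities", []):
        for aff in vuln.get("affects", []):
            if aff["ref"] in purl_by_ref:
                result[purl_by_ref[aff["ref"]]].append(vuln["id"])
    return result
```

Running `validate_shape` before `affected_components` matters in practice: a BOM whose vulnerability references do not resolve will silently under-report exposure, so treat a failed shape check as a reason to reject the document rather than to proceed with partial results.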
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.