CycloneDX: The International Standard for Bill of Materials (ECMA-424)

The OWASP Foundation and Ecma International Technical Committee for Software & System Transparency (TC54), which includes representatives from Bloomberg, IBM, Lockheed Martin, and ServiceNow, drive the continued advancement of the specification.

CycloneDX is designed to provide advanced supply chain capabilities for cyber risk reduction.

Compatible with over 200 tools across 20+ programming languages, CycloneDX is trusted by Lockheed Martin, ServiceNow, IBM, Contrast Security, Sonatype, and many others.

CycloneDX is authorized for use by medical device manufacturers.

Consumers can trust that their medical devices are manufactured securely, thanks to CycloneDX Hardware Bill of Materials (HBOM) and Software Bill of Materials (SBOM).

CycloneDX is the standard for multiple world governments and the defense industrial base.

Trusted for satellite and space systems, missile guidance systems, and algorithmic warfare, CycloneDX plays a small part in safeguarding national defense.

CycloneDX is enterprise ready and surfaces risk for IT and OT assets.

CycloneDX is trusted by leading CMDB vendors to detect security issues in hardware, software, services, and operations.

CycloneDX offers the most advanced license support of any SBOM format.

CycloneDX can leverage SPDX license IDs and expressions, along with comprehensive commercial license support, supporting open source license compliance and Software Asset Management (SAM) use cases.

CycloneDX evolves with your project or organizational needs.

Trusted by beginners and experts, CycloneDX offers an easy on-ramp to adoption and the world's most extensive collection of tools to get started.

Getting Started

Capabilities

CycloneDX is a modern standard for the software supply chain. Discover the many capabilities that await.

Use Cases

Explore a wide array of use cases along with corresponding examples in both XML and JSON formats.

Tool Center

Discover open source and proprietary tools and solutions that support the CycloneDX standard.

Guides

Explore OWASP guides for first-time use. Learn how others integrated CycloneDX into existing projects.

Introduction

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. The specification supports:

Software Bill of Materials (SBOM)
Software-as-a-Service Bill of Materials (SaaSBOM)
Hardware Bill of Materials (HBOM)
Machine Learning Bill of Materials (ML-BOM)
Cryptography Bill of Materials (CBOM)
Manufacturing Bill of Materials (MBOM)
Operations Bill of Materials (OBOM)
Vulnerability Disclosure Reports (VDR)
Vulnerability Exploitability eXchange (VEX)
CycloneDX Attestations (CDXA)

Strategic direction of the specification is managed by the CycloneDX Core Working Group. CycloneDX is backed by the OWASP Foundation, the global information security community, and Ecma International Technical Committee 54 (Software & System Transparency).

OWASP CycloneDX is an international Bill of Materials standard ratified by Ecma International as ECMA-424.

Latest News

2024 Jul 01 CycloneDX v1.6: Now an Ecma International Standard

2024 Apr 09 CycloneDX v1.6 Released, Advances Software Supply Chain Security with Cryptographic Bill of Materials and Attestations

2023 Oct 12 OWASP Foundation Joins Ecma International to Drive Software Transparency and Standardization of OWASP CycloneDX

View More

CycloneDX Supporters, Vendors, and Projects