CycloneDX is designed to provide advanced supply chain capabilities for cyber risk reduction.

Compatible with over 200 tools across 20+ programming languages, CycloneDX is trusted by Lockheed Martin, ServiceNow, IBM, Contrast Security, Sonatype, and many others.

CycloneDX is authorized for use by medical device manufacturers.

Consumers can trust that their medical devices are manufactured securely, thanks to CycloneDX Hardware Bill of Materials (HBOM) and Software Bill of Materials (SBOM).

CycloneDX is the standard for multiple world governments and the defense industrial base.

Trusted for satellite and space systems, missile guidance systems, and algorithmic warfare, CycloneDX plays a small part in safeguarding national defense.

CycloneDX is enterprise ready and surfaces risk for IT and OT assets.

CycloneDX is trusted by leading CMDB vendors to detect security issues in hardware, software, services, and operations.

CycloneDX offers the most advanced license support of any SBOM format.

CycloneDX can leverage SPDX license IDs and expressions, along with comprehensive commercial license support, supporting open source license compliance and Software Asset Management (SAM) use cases.

CycloneDX evolves with your project or organizational needs.

Trusted by beginners and experts, CycloneDX offers an easy on-ramp to adoption and the world's most extensive collection of tools to get started.

CycloneDX is supported by technology leaders across the world.

The OWASP Foundation maintains CycloneDX and other flagship products with help from the Ecma International Technical Committee for Software & System Transparency (TC54), which includes representatives from ServiceNow, OWASP, IBM, and Bloomberg.

Getting Started

Capabilities

CycloneDX is a modern standard for the software supply chain. Discover the many capabilities that await.

Use Cases

Explore a wide array of use cases along with corresponding examples in both XML and JSON formats.

Tool Center

Discover open source and proprietary tools and solutions that support the CycloneDX standard.

Guides

Explore OWASP guides for first-time use. Learn how others integrated CycloneDX into existing projects.

Introduction

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. The specification supports:

Software Bill of Materials (SBOM)
Software-as-a-Service Bill of Materials (SaaSBOM)
Hardware Bill of Materials (HBOM)
Machine Learning Bill of Materials (ML-BOM)
Manufacturing Bill of Materials (MBOM)
Operations Bill of Materials (OBOM)
Vulnerability Disclosure Reports (VDR)
Vulnerability Exploitability eXchange (VEX)

Strategic direction of the specification is managed by the CycloneDX Core Working Group. CycloneDX is backed by the OWASP Foundation, the global information security community, and Ecma Technical Committee 54 (Software & System Transparency).

OWASP Foundation is a not-for-profit member of Ecma International and is currently pursuing international Ecma standardization of the CycloneDX specification.

Latest News

2023 Oct 12 OWASP Foundation Joins Ecma International to Drive Software Transparency and Standardization of OWASP CycloneDX

2023 Jun 26 Introducing OWASP CycloneDX v1.5 - Advanced Bill of Materials Standard Empowering Transparency, Security, and Compliance

2023 Mar 01 OWASP Foundation Announces CycloneDX Project Momentum with Contribution from IBM to Advance Software Supply Chain Security

CycloneDX Supporters, Vendors, and Projects