Introduction

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. The specification supports:

  • Software Bill of Materials (SBOM)
  • Software-as-a-Service Bill of Materials (SaaSBOM)
  • Hardware Bill of Materials (HBOM)
  • Operations Bill of Materials (OBOM)
  • Vulnerability Disclosure Reports (VDR)
  • Vulnerability Exploitability eXchange (VEX)

Strategic direction of the specification is managed by the CycloneDX Core Working Group, is backed by the OWASP Foundation, and is supported by the global information security community.

CycloneDX Supporters, Vendors, and Projects

18F
Amass
Anchore
Apiiro
Aqua Security
Aqua Trivy
ArmorCode
BlackBerry
Buildpacks
Bytesafe
CAST Software
Chainguard
Checkmarx
Checkov
Cisco
Cloud Native Computing Foundation
Cloudsmith
CodeNotary
Contrast Security
Cybeats
Cybellum
CyberTest
Debricked
Deepfence
Defect Dojo
DevOps KungFu Masters
EMBA
Eclipse
Endor Labs
Enso Security
FOSSA
Finite State
Flexera
Fortress Information Security
GitLab
Google
Google
Google Ko
GraalVM
GrammaTech
Grype
IBM
Intel
IonChannel
JDisc
JFrog
JupiterOne
Kondukto
Kubeclarity
Kyverno
Lagoon
LeanIX
Lockheed Martin
Manifest
Medcrypt
Medsec
Mend
MergeBase
Microfocus
NetRise
NowSecure
OWASP
OWASP Dependency-Track
Open Source Review Toolkit (ORT)
OpenRewrite
Oracle
Palo Alto Networks
RKVST
RapidFort
RedHat
Reliable Energy Analytics
Reliza
Revenera
ReversingLabs
Rezilion
SAP
SCANOSS
Salus
Scribe Security
SecureStack
ServiceNow
ShiftLeft
Sigstore
Snyk
SonarSource
Sonatype
Spack
StackAware
Syft
Synopsys
Tern
Tidelift
TrustSource
VMware
Vdoo
Veracode
Xperi
gum
nexB