Capabilities

CycloneDX is a modern standard for the software supply chain. Discover the many capabilities that await.

Use Cases + Examples

Explore a wide array of use cases along with corresponding examples in both XML and JSON formats.

Tool Center

Discover open source and proprietary tools and solutions that support the CycloneDX standard.

Introduction

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. The specification supports:
  • Software Bill of Materials (SBOM)
  • Software-as-a-Service Bill of Materials (SaaSBOM)
  • Hardware Bill of Materials (HBOM)
  • Operations Bill of Materials (OBOM)
  • Vulnerability Disclosure Reports (VDR)
  • Vulnerability Exploitability eXchange (VEX)
Strategic direction of the specification is managed by the CycloneDX Core Working Group, is backed by the OWASP Foundation, and is supported by the global information security community.

Latest News

OWASP Foundation Announces CycloneDX Project Momentum with Contribution from IBM to Advance Software Supply Chain Security
OWASP CycloneDX Launches SBOM Exchange API, Standardizing SBOM Distribution
OWASP Expands SBOM Capabilities, Accelerating Innovation and Supply Chain Risk Reduction
more news...

CycloneDX Supporters, Vendors, and Projects

18F
aDolus
Amass
Anchore
Apiiro
Aqua Security
Aqua Trivy
ArmorCode
Arnica
BlackBerry
Buildpacks
Bytesafe
CAST Software
Chainguard
Checkmarx
Checkov
Cisco
Cloud Native Computing Foundation
Cloudsmith
CodeNotary
Contrast Security
Cybeats
Cybellum
CyberTest
Debricked
Deepfence
Defect Dojo
DevOps KungFu Masters
Eclipse
EMBA
Endor Labs
Enso Security
Finite State
Flexera
Fortress Information Security
FOSSA
GitHub
GitLab
Google
Google
Google Ko
GraalVM
GrammaTech
Grype
gum
IBM
Intel
IonChannel
JDisc
JFrog
JupiterOne
Kondukto
Kubeclarity
Kyverno
Lagoon
LeanIX
Lockheed Martin
Manifest
Medcrypt
Medsec
Mend
MergeBase
Microfocus
NetRise
nexB
NowSecure
Open Source Review Toolkit (ORT)
OpenRewrite
Oracle
OWASP
OWASP Dependency-Track
Palo Alto Networks
Qwiet AI (Formerly ShiftLeft)
RapidFort
RedHat
Reliable Energy Analytics
Reliza
Revenera
ReversingLabs
Rezilion
RKVST
Salus
SAP
SCANOSS
Scribe Security
SecObserve
SecureStack
ServiceNow
Sigstore
Snyk
SonarSource
Sonatype
Spack
StackAware
Syft
Synopsys
Tern
Tidelift
Timesys
TrustSource
Vdoo
Veracode
VMware
Xperi
Xygeni