Project History

CycloneDX was designed in 2017 for use with OWASP Dependency-Track, an open-source component analysis platform that identifies risk in the software supply chain. The primary use cases CycloneDX was designed to solve were vulnerability identification, license compliance, and outdated component analysis. Additional capabilities were added in subsequent releases of the specification.

The value of a lightweight software bill of materials specification capable of supporting real-world use cases transcends the boundaries of a single vendor or supplier. Therefore, a dedicated open source project, independent of OWASP, was founded to develop the specification and its implementations and to move the format into widespread adoption. Today, thousands of organizations, ranging from financial services, manufacturing, and government to software and security firms, are producing and consuming CycloneDX SBOMs.

Release History

Version              Release Date
CycloneDX 1.2        26 May 2020
CycloneDX 1.1        03 March 2019
CycloneDX 1.0        26 March 2018
Initial Prototype    01 May 2017