CycloneDX was designed in 2017 for use with OWASP Dependency-Track, an open-source Component Analysis platform that identifies risk in the software supply chain. The primary use cases CycloneDX was designed to solve were vulnerability identification, license compliance, and outdated component analysis. Additional capabilities were added in subsequent releases of the specification.
The value of a full-stack Bill of Materials (BOM) specification capable of supporting real-world use cases transcends the boundaries of a single vendor or supplier. A dedicated open source project was therefore founded to develop the specification and its implementations and to move the format into widespread adoption. Today, hundreds of thousands of organizations across financial services, manufacturing, government, software, and security firms produce and consume CycloneDX SBOMs.
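The three original use cases map directly onto fields of a CycloneDX BOM: `purl` identifies a component for vulnerability lookup, `licenses` carries license data for compliance, and `version` feeds outdated-component analysis. The following is an added example (not code from the CycloneDX project or Dependency-Track) that parses a constructed CycloneDX 1.4 JSON BOM and extracts each of those views. The BOM contents, component names, the serial number, and the `LATEST_KNOWN` table standing in for a registry lookup are all made up for illustration.

```python
"""Extract the data behind the three original CycloneDX use cases from a
CycloneDX 1.4 JSON BOM: package URLs for vulnerability identification,
declared licenses for compliance, and versions for outdated-component checks.
The BOM and the 'latest known' table below are constructed for this example."""
import json
import re

# Constructed sample BOM, not a real project's SBOM. Field names follow the
# CycloneDX 1.4 JSON schema; the serialNumber is a made-up UUID.
SAMPLE_BOM = r'''{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "component": {"type": "application", "name": "example-app", "version": "2.0.0"}
  },
  "components": [
    {"type": "library", "group": "org.example", "name": "example-parser", "version": "1.2.3",
     "purl": "pkg:maven/org.example/example-parser@1.2.3",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "tiny-util", "version": "1.3.0",
     "purl": "pkg:npm/tiny-util@1.3.0",
     "licenses": [{"license": {"name": "WTFPL"}}]},
    {"type": "library", "name": "dual-licensed-lib", "version": "0.9.0",
     "purl": "pkg:npm/dual-licensed-lib@0.9.0",
     "licenses": [{"expression": "MIT OR GPL-3.0-only"}]},
    {"type": "library", "name": "no-license-lib", "version": "1.0.0",
     "purl": "pkg:npm/no-license-lib@1.0.0"}
  ]
}'''

# Constructed stand-in for a package registry query (hypothetical values).
LATEST_KNOWN = {
    "example-parser": "1.4.0",
    "tiny-util": "1.3.0",
    "dual-licensed-lib": "1.0.0",
    "no-license-lib": "1.0.0",
}


def load_bom(text):
    """Parse the BOM and reject anything that is not a CycloneDX 1.4 document."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    if bom.get("specVersion") != "1.4":
        raise ValueError(f"unsupported specVersion {bom.get('specVersion')!r}")
    return bom


def purls(bom):
    """Package URLs are the identifiers a vulnerability database is queried with."""
    return [c["purl"] for c in bom.get("components", []) if "purl" in c]


def license_report(bom):
    """Map component name -> declared license ids/expressions; [] when none declared,
    which a compliance review should treat as a finding, not as 'no problem'."""
    report = {}
    for c in bom.get("components", []):
        ids = []
        for entry in c.get("licenses", []):
            if "expression" in entry:            # SPDX license expression form
                ids.append(entry["expression"])
            elif "license" in entry:             # single license: SPDX id or free-text name
                lic = entry["license"]
                ids.append(lic.get("id") or lic.get("name") or "unknown")
        report[c["name"]] = ids
    return report


def _version_key(version):
    # Assumption for this example: dotted numeric versions. Real ecosystems
    # (semver pre-releases, Maven qualifiers, epochs) need their own comparison.
    return tuple(int(p) for p in re.findall(r"\d+", version))


def outdated(bom, latest_known):
    """Return (name, declared_version, latest_version) for components behind latest_known."""
    result = []
    for c in bom.get("components", []):
        latest = latest_known.get(c["name"])
        if latest and _version_key(c.get("version", "0")) < _version_key(latest):
            result.append((c["name"], c["version"], latest))
    return result


if __name__ == "__main__":
    bom = load_bom(SAMPLE_BOM)
    print("purls for vulnerability lookup:", purls(bom))
    print("license report:", license_report(bom))
    print("outdated components:", outdated(bom, LATEST_KNOWN))
```

Note that the license extractor has to handle both the `license` object form (SPDX `id` or free-text `name`) and the `expression` form, and that a component with no `licenses` array at all is reported with an empty list rather than silently skipped.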
| Version | Release date |
|---|---|
| CycloneDX 1.4 | 12 January 2022 |
| CycloneDX 1.3 | 04 May 2021 |
| CycloneDX 1.2 | 26 May 2020 |
| CycloneDX 1.1 | 03 March 2019 |
| CycloneDX 1.0 | 26 March 2018 |
| Initial Prototype | 01 May 2017 |