Bill of Vulnerabilities (BOV)

 

Share vulnerability data between systems and sources of vulnerability intelligence

Software Bill of Materials
Software-as-a-Service BOM
Vulnerability Exploitability Exchange
Hardware Bill of Materials
Operations Bill of Materials
Vulnerability Disclosure Report
Javascript Object Notation
Extensible Markup Language
Protocol Buffers

CycloneDX BOMs may consist solely of vulnerabilities, thus can be used to share vulnerability data between systems and sources of vulnerability intelligence. Complex vulnerability data can be represented including:

  • Source of vulnerability intelligence
  • References to other sources of intelligence containing the same vulnerability
  • Multiple severity and/or risk ratiings
  • Complete vulnerability details and recommendations
  • Organizations and individuals credited with discovery
  • Affected software and their versions

Advisory Format

CycloneDX is also an ideal advisory format, thus providing a common standard and tool chain for BOM and advisory information. A BOV which additionally contains the analysis of the vulnerability along with a metadata reference to the component itself provides the details necessary for full-featured advisory use cases.

High-Level Object Model

CycloneDX Object Model Swimlane

Additional Capabilities

SBOM

Software Bill of Materials

Inventory software components and services and the dependency relationships between them

 

SaaSBOM

Software as a Service Bill of Materials

Inventory services, endpoints, and data flows and classifications that power cloud-native applications

 

VEX

Vulnerability Exploitability eXchange

Convey the exploitability of vulnerable components in the context of the product in which they're used

 

HBOM

Hardware Bill of Materials

Inventory hardware components for IoT, ICS, and other types of embedded and connected devices

 

OBOM

Operations Bill of Materials

Full-stack inventory of runtime environments, configurations, and additional dependencies

 

VDR

Vulnerability Disclosure Report

Communicate known and unknown vulnerabilities affecting components and services

 

BOM-Link

Bill of Materials Linkage Syntax

Reference components, services, or vulnerabilities in BOMs from other systems or other BOMs

 

BOV

Bill of Vulnerabilities

Share vulnerability data between systems and sources of vulnerability intelligence

 

Release Notes

Common Release Notes Format

Standardizes release notes unlocking new workflows for software publishers and consumers

 

CycloneDX Supporters

Apiiro
Contrast Security
Fortress Information Security
IBM
IonChannel
Kondukto
Lockheed Martin
NowSecure
OWASP
Rezilion
ServiceNow
Sonatype
Vdoo
Xperi