CycloneDX v1.7 Delivers Advanced Cryptography, Intellectual Property, and Data Provenance Transparency for the Software Supply Chain

CycloneDX builds upon a legacy of innovation, empowering organizations to reduce risk and enhance software and system transparency.

WILMINGTON, DE

The OWASP Foundation today announced the immediate availability of CycloneDX v1.7.

CycloneDX v1.7 responds to rising demands for trust, traceability, and governance in digital systems by introducing capabilities that address cryptographic assurance, intellectual property visibility, and distribution control. The release is the result of extensive industry feedback and real-world adoption patterns.

Enhancements to Cryptography Bill of Materials (CBOM)

Modern systems rely on cryptography at every level, yet most organizations lack visibility into what cryptographic algorithms and assets are actually in use. CycloneDX v1.7 expands its CBOM capabilities to support these critical needs.

New enhancements include:

  • A standardized list of cryptographic algorithm families, enabling consistent identification and classification across ecosystems
  • A comprehensive list of elliptic curves, supporting audits, compliance reviews, and PQC readiness assessments

These resources are openly available and may be used independently of CycloneDX, offering value even to those using alternative BOM formats.

These additions make CBOM generation and analysis more consistent and actionable, closing key gaps in cryptographic transparency.

Citations

In complex software environments, SBOMs are rarely produced in a single step. They are often enriched across multiple tools, transformed through CI/CD pipelines, or assembled from partial data over time. Without proper attribution, tracking the origin and integrity of information becomes increasingly difficult.

CycloneDX v1.7 introduces structured citations to solve this challenge.

Citations provide a formal mechanism to declare where information came from, how it was generated, and who is responsible for it. This enables verifiable chains of provenance, ensuring that every enrichment step, external reference, or tool contribution can be traced and audited with confidence.

Intellectual Property Transparency

As software increasingly intersects with legal and regulatory frameworks, CycloneDX v1.7 introduces first-class support for patents and patent families.

This new capability allows BOMs to express not only the components in use but also the intellectual property rights and obligations that apply to them, whether for compliance tracking, risk analysis, or acquisition due diligence. It marks a key step forward in aligning SBOMs with legal and business realities.

Ecma Standardization

CycloneDX continues to advance through open, international standardization. In June 2024, CycloneDX v1.6 was ratified as ECMA-424, 1st Edition by Ecma International. CycloneDX v1.7 is expected to be ratified as ECMA-424, 2nd Edition in December 2025, continuing the specification’s alignment with formal international standards.

Quotes

CycloneDX v1.7 represents a major milestone in our mission to advance software and system transparency. It delivers practical, forward-looking solutions to real challenges, while laying a solid foundation for the API-first future we’re building with version 2.0. I’m deeply grateful to the CycloneDX working groups, Ecma Technical Committee 54, and the many contributors whose dedication and insight made this release possible.

Steve Springett, Chair, Ecma TC54 and the CycloneDX Core Working Group

New Authoritative Guides Available

To accompany the launch of CycloneDX v1.7, the community is pleased to announce the immediate availability of three new guides to help organizations make the most out of CycloneDX.

These comprehensive guides, available at https://cyclonedx.org/guides/, provide in-depth information about the new features in CycloneDX v1.7 and best practices for their implementation.

To learn more about OWASP CycloneDX, access the standard, and leverage the over 250 tools that support CycloneDX, visit https://cyclonedx.org/.

About the OWASP Foundation

The OWASP Foundation is a nonprofit organization that works to improve the security of software. Through community-led open source software projects, over 260 local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web. For nearly two decades corporations, foundations, developers, and volunteers have supported the OWASP Foundation and its work. To learn more or to become a member, visit https://owasp.org.