OWASP CycloneDX Launches SBOM Exchange API, Standardizing SBOM Distribution

12 May 2022

OWASP CycloneDX launched a BOM Exchange API aimed at solving a critical component necessary to operationalize software bill of materials (SBOM). CycloneDX is a modern cybersecurity standard for the software supply chain supporting many types of bill of materials including software, hardware, and services. The BOM Exchange API standardizes how BOMs are published and retrieved independent of the software ecosystem.

“Much of the focus on SBOM has been around how to produce, consume, or analyze them. Very little has been discussed about how to publish and retrieve them in a format and ecosystem agnostic way” says Steve Springett, Chair of the OWASP CycloneDX Core Working Group. “With today’s announcement, we’re making it easier for software vendors and consumers to share this critical data”.

CycloneDX has created a reference implementation of the API in its BOM Repository Server, which is specifically designed to archive and distribute bill of materials. The CycloneDX BOM Repository Server helps organizations meet multiple OpenChain requirements specific to the distribution and archival of bill of materials and other compliance artifacts. OpenChain is an International Standard for open source license compliance, which CycloneDX fully supports.

“There are lots of products and tools being released which support the production and consumption of SBOMs in standard data formats, but we haven’t had a standard way to transfer SBOMs between systems” says Patrick Dwyer, co-leader of the CycloneDX standard. “With the release of this API specification, products and tools can start transferring this data in a standard way, enabling greater out-of-the-box integration across the SBOM product and tool ecosystem”.

CycloneDX is seeking community feedback on the API, currently in draft, with the intent to submit a future revision to the Internet Engineering Task Force (IETF). Community feedback is being accepted on the project’s GitHub repository.


About the OWASP Foundation

The Open Web Application Security Project (OWASP) is a nonprofit organization that works to improve the security of software. Through community-led open source software projects, over 260 local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web. For over two decades corporations, foundations, developers, and volunteers have supported the OWASP Foundation and its work. To learn more or to become a member, visit https://owasp.org.

OWASP and the Open Web Application Security Project are trademarks of the OWASP Foundation.

CycloneDX Supporters

Contrast Security
Ecma International
Fortress Information Security
Lockheed Martin