Getting Started

Introduction

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. The specification supports:
  • Software Bill of Materials (SBOM)
  • Software-as-a-Service Bill of Materials (SaaSBOM)
  • Hardware Bill of Materials (HBOM)
  • Machine Learning Bill of Materials (ML-BOM)
  • Cryptography Bill of Materials (CBOM)
  • Manufacturing Bill of Materials (MBOM)
  • Operations Bill of Materials (OBOM)
  • Vulnerability Disclosure Reports (VDR)
  • Vulnerability Exploitability eXchange (VEX)
  • CycloneDX Attestations (CDXA)
Strategic direction of the specification is managed by the CycloneDX Core Working Group. CycloneDX is backed by the OWASP Foundation, the global information security community, and Ecma International Technical Committee 54 (Software & System Transparency).

OWASP CycloneDX is an international Bill of Materials standard ratified by Ecma International as ECMA-424.

CycloneDX Supporters, Vendors, and Projects

18F
aDolus
Amass
Anchore
Apiiro
Aqua Security
Aqua Trivy
ArmorCode
Arnica
BlackBerry
Bloomberg
Buildpacks
Bytesafe
CAST Software
Chainguard
Chainloop
Checkmarx
Checkov
Cisco
Cloud Native Computing Foundation
Cloudsmith
CodeNotary
Contrast Security
Cybeats
Cybellum
CyberTest
Debricked
Deepfence
Defect Dojo
DevOps KungFu Masters
Eclipse
Ecma International
EMBA
Endor Labs
Enso Security
Finite State
Flexera
Fortress Information Security
FOSSA
GitHub
GitLab
Google
Google
Google Ko
GraalVM
GrammaTech
Grype
gum
IBM
Intel
Interlynk
IonChannel
JDisc
JFrog
JupiterOne
Kondukto
KSOC
Kubeclarity
Kyverno
Lagoon
LeanIX
Lockheed Martin
Manifest
Medcrypt
Medsec
Mend
MergeBase
Microfocus
NetRise
nexB
NowSecure
Oligo
Open Source Review Toolkit (ORT)
OpenRewrite
Oracle
OWASP
OWASP Dependency-Track
Palo Alto Networks
Qwiet AI (Formerly ShiftLeft)
RapidFort
RedHat
Reliable Energy Analytics
Reliza
Revenera
ReversingLabs
Rezilion
RKVST
Salus
SAP
sbomify
SCANOSS
Scribe Security
SecObserve
SecureStack
Semgrep
ServiceNow
Sigstore
Snyk
SonarSource
Sonatype
Spack
StackAware
Syft
Synopsys
Sysdig
Tern
Tidelift
Timesys
TrustSource
Vdoo
Veracode
VMware
Xygeni
Zed Attack Proxy (ZAP)