Specification Overview


CycloneDX Object Model Overview

The CycloneDX object model:

BOM Metadata

BOM metadata includes the supplier, manufacturer, and the target component for which the SBOM describes. It also includes the tools used to create the SBOM.


Components describe the complete inventory of first-party and third-party components. Component identity can be represented as:

CycloneDX can represent applications, frameworks, libraries, containers, operating systems, devices, firmware, files, along with the manufacturer information, license and copyright details, and complete pedigree and provenance for every component.


Services describe external APIs that the software may call. Services describe endpoint URI’s, authentication requirements, and trust boundary traversals. The flow of data between software and services can also be described including the data classifications, and the flow direction of each type.


CycloneDX provides the ability to describe components and their dependency on other components. The dependency graph is capable of representing both direct and transitive relationships. Components that depend on services can be represented in the dependency graph and services that depend on other services can be represented as well.


Multiple extension points exist throughout the CycloneDX object model allowing fast prototyping of new capabilities and support for specialized and future use cases. The CycloneDX project maintains extensions that are beneficial to the larger community. The project encourages community participation and development of extensions that target specialized or industry-specific use cases.

Registered Media Types

The following media types are officially registered with IANA:

Media TypeFormatAssignment