CycloneDX makes it simple to detect, triage, and report security vulnerabilities.
By utilizing identifiers such as CPE, PURL, and SWID, CycloneDX enables the detection of known vulnerabilities in components, facilitating proactive risk management.
Ideal for: General use, with or without Software Composition Analysis (SCA)
CycloneDX streamlines the remediation process by delivering the precise insights needed to reproduce, address, and validate vulnerabilities. This accelerates development teams' ability to implement fixes, ensuring faster resolution and minimized risk exposure.
Ideal for: Security products or products with high security requirements
Vulnerability Disclosure Reports (VDR) communicate known and previously unknown vulnerabilities affecting both first-party and third-party products and services, aligning with global standards like ISO/IEC 29147.
Ideal for: Organizations distributing clear vulnerability data to stakeholders
Vulnerability Exploitability eXchange (VEX) conveys the exploitability status of vulnerabilities within specific product contexts, helping organizations assess and mitigate risks more accurately.
Ideal for: Security products or products with high security requirements
CycloneDX fosters trust and accountability for a secure software supply chain.
CycloneDX supports the inclusion of cryptographic hashes for components, ensuring that any unauthorized modifications are detectable, thereby maintaining the integrity of the software supply chain.
Ideal for: Verifying components remain unaltered and trustworthy
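An added example (not CycloneDX project code) of how the recorded hashes make unauthorized modification detectable: it builds a CycloneDX component entry whose `hashes` field carries the SHA-256 of a constructed artifact, then checks a delivered copy against it. The artifact bytes, the `pkg:generic/libexample` PURL and the helper names `make_component`, `verify_component` and `verify_bom` are all constructed for this illustration.

```python
import hashlib

# Subset of the CycloneDX hash algorithm enum mapped to hashlib constructors.
HASH_ALGS = {"SHA-256": hashlib.sha256, "SHA-384": hashlib.sha384, "SHA-512": hashlib.sha512}


def make_component(name, version, purl, artifact):
    """Build a CycloneDX component entry recording the SHA-256 of the artifact bytes."""
    return {
        "type": "library", "name": name, "version": version,
        "purl": purl, "bom-ref": purl,
        "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(artifact).hexdigest()}],
    }


def verify_component(component, artifact):
    """Return a list of problems; an empty list means every recorded hash matched."""
    problems = []
    hashes = component.get("hashes", [])
    if not hashes:
        problems.append(f"{component['purl']}: no hashes recorded, integrity cannot be checked")
    for h in hashes:
        ctor = HASH_ALGS.get(h["alg"])
        if ctor is None:
            problems.append(f"{component['purl']}: unsupported algorithm {h['alg']}")
            continue
        if ctor(artifact).hexdigest() != h["content"].lower():
            problems.append(f"{component['purl']}: {h['alg']} mismatch")
    return problems


def verify_bom(bom, artifacts):
    """artifacts maps PURL -> bytes actually delivered; returns all detected problems."""
    problems = []
    for c in bom["components"]:
        data = artifacts.get(c["purl"])
        if data is None:
            problems.append(f"{c['purl']}: artifact missing")
            continue
        problems.extend(verify_component(c, data))
    return problems


# Constructed sample artifact and BOM (not a real package).
ORIGINAL = b"example library bytes v1.2.3\n"
PURL = "pkg:generic/libexample@1.2.3"
BOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
       "components": [make_component("libexample", "1.2.3", PURL, ORIGINAL)]}

if __name__ == "__main__":
    print(verify_bom(BOM, {PURL: ORIGINAL}))                  # untouched copy: []
    print(verify_bom(BOM, {PURL: ORIGINAL + b"tampered"}))    # modified copy: mismatch reported
```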
Employing standards like JSON Signature Format (JSF) and XML Signature (XMLsig), CycloneDX allows for enveloped signing of SBOMs. This ensures the authenticity of the information, confirming its origin and integrity.
Ideal for: Teams requiring validation of BOM origins and integrity
Tracks the origin and development history of components, providing transparency into their creation and modification. This minimizes the risk of introducing untrusted or malicious elements into the supply chain.
Ideal for: Organizations tracking component sources and supply chains
Captures a component's DNA, documenting its origin, modifications, commits, diffs, enhancements, defects, and security fixes that define its unique evolution.
Ideal for: Products dependent on detailed histories of component changes