Skip to content
@CycloneDX

CycloneDX SBOM Standard

CycloneDX is a modern standard for the software supply chain. SBOM, SaaSBOM, CBOM, OBOM, VEX, and more. CycloneDX is a OWASP project ratified as ECMA-424

Welcome to the CycloneDX Community

CycloneDX logo

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. The specification supports:

  • Software Bill of Materials (SBOM)
  • Software-as-a-Service Bill of Materials (SaaSBOM)
  • Hardware Bill of Materials (HBOM)
  • Machine Learning Bill of Materials (ML-BOM)
  • Cryptography Bill of Materials (CBOM)
  • Manufacturing Bill of Materials (MBOM)
  • Operations Bill of Materials (OBOM)
  • Vulnerability Disclosure Reports (VDR)
  • Vulnerability Exploitability eXchange (VEX)
  • CycloneDX Attestations (CDXA)

The CycloneDX project provides standards in XML, JSON, and Protocol Buffers, as well as a large collection of official and community supported tools that create or interoperate with the standard.

The project's website has many documented use cases and examples that provide a springboard to SBOM adoption.

The project operates as a meritocracy whose guiding principles reinforce its risk-based approach to standards development. The project encourages community participation in the development of the standard and supporting tools.

Background

Modern software is assembled using third-party and open source components. They are glued together in complex and unique ways and integrated with original code to achieve the desired functionality. An accurate inventory of all components enables organizations to identify risk, allows for greater transparency, and enables rapid impact analysis.

CycloneDX was created for this purpose.

Strategic direction and maintenance of the specification is managed by the CycloneDX Core Working Group, is backed by the OWASP Foundation, and is supported by the global information security community.

Pinned Loading

  1. specification Public

    OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, an…

    XSLT 384 64

  2. cyclonedx-python Public

    CycloneDX Software Bill of Materials (SBOM) generator for Python projects and environments

    Python 273 71

  3. cyclonedx-maven-plugin Public

    Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects

    Java 311 87

  4. cyclonedx-cli Public

    CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.

    C# 339 63

  5. bom-examples Public

    A repository with examples of CycloneDX BOMs (SBOM, SaaSBOM, OBOM, VEX, etc)

    193 69

  6. cyclonedx-node-module Public

    creates CycloneDX Software-Bill-of-Materials (SBOM) from node-based projects

    126 38

Repositories

Showing 10 of 60 repositories
  • cyclonedx-python Public

    CycloneDX Software Bill of Materials (SBOM) generator for Python projects and environments

    Python 273 Apache-2.0 71 16 (12 issues need help) 4 Updated Mar 7, 2025
  • cdxgen Public

    Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. GPT: https://chatgpt.com/g/g-673bfeb4037481919be8a2cd1bf868d2-cdxgen

    JavaScript 645 Apache-2.0 172 352 (29 issues need help) 13 Updated Mar 6, 2025
  • cyclonedx-gomod Public

    Creates CycloneDX Software Bill of Materials (SBOM) from Go modules

    Go 145 Apache-2.0 26 23 (1 issue needs help) 5 Updated Mar 6, 2025
  • specification Public

    OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX

    XSLT 384 Apache-2.0 64 124 (5 issues need help) 16 Updated Mar 6, 2025
  • Sunshine Public

    Sunshine - SBOM visualization tool

    HTML 39 Apache-2.0 1 1 2 Updated Mar 5, 2025
  • cyclonedx-rust-cargo Public

    Creates CycloneDX Software Bill of Materials (SBOM) from Rust (Cargo) projects

    Rust 120 Apache-2.0 48 28 13 Updated Mar 5, 2025
  • cyclonedx-node-yarn Public

    Create CycloneDX Software Bill of Materials (SBOM) from Node.js Yarn projects.

    JavaScript 21 Apache-2.0 6 19 (11 issues need help) 7 Updated Mar 5, 2025
  • cyclonedx-buildroot Public

    Create CycloneDX Software Bill of Materials (SBOM) for Buildroot projects

    Python 11 Apache-2.0 6 3 1 Updated Mar 4, 2025
  • cyclonedx-python-lib Public

    Python implementation of OWASP CycloneDX

    Python 77 Apache-2.0 46 19 (13 issues need help) 7 Updated Mar 3, 2025
  • cyclonedx-core-java Public

    CycloneDX SBOM Model and Utils for Creating and Validating BOMs

    Java 86 Apache-2.0 66 26 (2 issues need help) 9 Updated Mar 3, 2025