CycloneDX is a full-stack Bill of Materials (BOM) standard designed for advanced supply chain capabilities and cyber risk reduction. Originally created as an OWASP project in 2017 and standardized as ECMA-424 by Ecma International, CycloneDX has become one of the two dominant SBOM formats alongside SPDX, trusted by enterprises, governments, the defense industrial base, and medical device manufacturers.
Background
CycloneDX emerged from the OWASP (Open Web Application Security Project) community to address the need for a lightweight, security-focused standard for tracking software components and their known vulnerabilities. The OWASP Foundation and Ecma International Technical Committee for Software and System Transparency (TC54) now drive the continued advancement of the specification. CycloneDX was standardized as ECMA-424, providing it with formal international recognition.
Purpose and Scope
CycloneDX provides a comprehensive standard for describing the composition and dependencies of software, hardware, services, and operations. Its BOM capabilities include:
| Capability | Description |
|---|---|
| SBOM | Software Bill of Materials |
| SaaSBOM | Software as a Service Bill of Materials |
| CBOM | Cryptography Bill of Materials |
| VEX | Vulnerability Exploitability Exchange |
| HBOM | Hardware Bill of Materials |
| AI/ML-BOM | AI/Machine Learning Bill of Materials |
CycloneDX is designed to evolve with organizational needs, providing an easy on-ramp for beginners while supporting the complex requirements of security-critical environments.
Adoption and Trust
- Compatible with over 260 tools across 20+ programming languages
- Authorized for use by medical device manufacturers, ensuring devices are manufactured securely
- Standard for multiple world governments and the defense industrial base, trusted for satellite and space systems, missile guidance systems, and algorithmic warfare
- Trusted by leading CMDB vendors for detecting security issues in hardware, software, services, and operations
- Offers the most advanced license support of any SBOM format, leveraging SPDX license IDs and expressions along with commercial license support
Serializations
CycloneDX supports three serialization formats:
- XML with formal XSD schemas
- JSON with JSON Schema definitions
- Protocol Buffers for high-performance binary serialization
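As an added illustration (not code from the CycloneDX project or its tooling), here is a minimal CycloneDX 1.5 JSON BOM constructed inline, with helpers that parse it, walk the bom-ref dependency graph and gather the SPDX license identifiers it carries; the component names, versions and purls are constructed sample values.

```python
import json

# Constructed sample BOM (not from any real project): an application with two
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"type": "application", "name": "demo-app",
                               "version": "1.0.0", "bom-ref": "app"}},
    "components": [
        {"type": "library", "name": "web-framework", "version": "2.3.1",
         "bom-ref": "pkg:pypi/web-framework@2.3.1", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "http-client", "version": "0.9.0",
         "bom-ref": "pkg:pypi/http-client@0.9.0", "licenses": [{"expression": "Apache-2.0 OR MIT"}]},
        {"type": "library", "name": "tls-lib", "version": "3.0.2",
         "bom-ref": "pkg:pypi/tls-lib@3.0.2", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/web-framework@2.3.1", "pkg:pypi/http-client@0.9.0"]},
        {"ref": "pkg:pypi/http-client@0.9.0", "dependsOn": ["pkg:pypi/tls-lib@3.0.2"]},
    ],
}

def load_bom(text):
    """Parse CycloneDX JSON text and reject documents that are not CycloneDX."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX BOM")
    return bom

def transitive_deps(bom, ref):
    """Return every bom-ref reachable from `ref` through the dependencies graph."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen, stack = set(), list(graph.get(ref, []))
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(graph.get(cur, []))
    return seen

def license_ids(bom):
    """Collect SPDX license IDs from `id` and `expression` forms (AND/OR only, no WITH)."""
    ids = set()
    for comp in bom.get("components", []):
        for lic in comp.get("licenses", []):
            if "id" in lic.get("license", {}):
                ids.add(lic["license"]["id"])
            elif "expression" in lic:
                ids.update(t for t in lic["expression"].split() if t not in ("AND", "OR"))
    return ids
```

Leaf components may omit a `dependencies` entry, so the graph walk tolerates missing refs; a complete BOM would list every component.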
Governance and Maintenance
CycloneDX is governed by the OWASP Foundation and Ecma International TC54. The specification follows a formal standardization process. Guiding principles, governance structure, and branding guidelines are publicly documented.
Notable Implementations
The CycloneDX Tool Center catalogs the extensive ecosystem of open source and proprietary tools supporting the standard. OWASP provides guides for first-time users and integration into existing projects.
Related Standards
- SPDX: The other major SBOM format; CycloneDX can leverage SPDX license IDs and expressions