CycloneDX - OWASP Project
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction.
CycloneDX Specification is Copyright (c) OWASP Foundation. All Rights Reserved.
The specification supports
- Software Bill of Materials (SBOM)
- Software-as-a-Service Bill of Materials (SaaSBOM)
- Hardware Bill of Materials (HBOM)
- Machine Learning Bill of Materials (ML-BOM)
- Manufacturing Bill of Materials (MBOM)
- Operations Bill of Materials (OBOM)
- Vulnerability Disclosure Reports (VDR)
- Vulnerability Exploitability eXchange (VEX)
CycloneDX in comparison with its peers
CycloneDX builds on top of the work SPDX - The Software Package Data Exchange has accomplished with license IDs, but varies greatly in its approach towards building a software bill of material specification.
The CycloneDX specification complements this work: CycloneDX documents can incorporate SWID - Software Identification Tagging tags and other high-level SWID metadata, and can optionally embed entire SWID documents. SWID tag IDs are useful in determining whether a specific component has known vulnerabilities.
The CycloneDX specification also complements CPE - Common Platform Enumeration, as CycloneDX documents can easily be used to construct exact CPE identifiers that are useful in determining whether a specific component has known vulnerabilities.
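As an added illustration of the identifier-based lookup described above (not code from the CycloneDX project), the following walks a constructed CycloneDX 1.5 JSON document, collects each component's purl, CPE and SWID tag ID (recursing into nested components), and matches the CPEs against a constructed advisory index; the BOM contents, the index and the advisory ID are all made up for the example.

```python
import json

# Constructed CycloneDX 1.5 JSON document for the example (not one of the project's own samples).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {
            "type": "library", "name": "example-lib", "version": "1.2.3",
            "purl": "pkg:maven/org.example/example-lib@1.2.3",
            "cpe": "cpe:2.3:a:example:example-lib:1.2.3:*:*:*:*:*:*:*",
            "swid": {"tagId": "org.example.example-lib-1.2.3", "name": "example-lib", "version": "1.2.3"},
            # Nested component, as CycloneDX allows for bundled dependencies.
            "components": [
                {"type": "library", "name": "inner-lib", "version": "0.9.0",
                 "purl": "pkg:maven/org.example/inner-lib@0.9.0"},
            ],
        },
        {"type": "library", "name": "other-lib", "version": "4.0.0", "purl": "pkg:npm/other-lib@4.0.0"},
    ],
})

# Constructed advisory index keyed by CPE; in practice this comes from a vulnerability database.
KNOWN_VULNERABLE_CPES = {
    "cpe:2.3:a:example:example-lib:1.2.3:*:*:*:*:*:*:*": ["EXAMPLE-ADVISORY-0001"],
}


def component_identifiers(bom_json: str) -> list[dict]:
    """Collect name, version, purl, cpe and SWID tagId for every component, including nested ones."""
    bom = json.loads(bom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")

    def walk(components):
        for c in components:
            yield {
                "name": c.get("name"), "version": c.get("version"),
                "purl": c.get("purl"), "cpe": c.get("cpe"),
                "swid_tag_id": (c.get("swid") or {}).get("tagId"),
            }
            yield from walk(c.get("components", []))

    return list(walk(bom.get("components", [])))


def match_known_vulnerabilities(bom_json: str, index: dict) -> dict:
    """Return {component name: [advisory ids]} for components whose CPE appears in the index."""
    return {i["name"]: index[i["cpe"]] for i in component_identifiers(bom_json) if i["cpe"] in index}
```

Components that carry only a purl (as `other-lib` and `inner-lib` do here) are skipped by the CPE lookup, which is why CycloneDX recommends populating several identifier types per component.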
Key Online Resources
- CycloneDX, Project Homepage [Online, 2024-04-03]
- CycloneDX Specification, Github Repository [Online, 2024-04-03]
- CycloneDX BOM Examples, Github Repository [Online, 2024-04-03]
This article is a stub.