CycloneDX BOM Standard

CycloneDX is a modern standard for the software supply chain. SBOM, SaaSBOM, CBOM, OBOM, VEX, and more. CycloneDX is a OWASP project ratified as ECMA-424

Verified
We've verified that the organizationCycloneDX controls the domain:
- cyclonedx.org
Learn more about verified organizations

README.md

Welcome to the CycloneDX Community

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. The specification supports:

Software Bill of Materials (SBOM)
Software-as-a-Service Bill of Materials (SaaSBOM)
Hardware Bill of Materials (HBOM)
Machine Learning Bill of Materials (ML-BOM)
Cryptography Bill of Materials (CBOM)
Manufacturing Bill of Materials (MBOM)
Operations Bill of Materials (OBOM)
Vulnerability Disclosure Reports (VDR)
Vulnerability Exploitability eXchange (VEX)
CycloneDX Attestations (CDXA)

The CycloneDX project provides standards in XML, JSON, and Protocol Buffers, as well as a largecollection of official and community supported toolsthat create or interoperate with the standard.

The project's website has many documenteduse cases and examplesthat provide a springboard to SBOM adoption.

The project operates as ameritocracywhoseguiding principlesreinforce itsrisk-based approach to standards development.The project encouragescommunity participationin the development of thestandard and supporting tools.

Background

Modern software is assembled using third-party and open source components. They are glued together in complex andunique ways and integrated with original code to achieve the desired functionality. An accurate inventory of allcomponents enables organizations to identify risk, allows for greater transparency, and enables rapid impact analysis.

CycloneDX was created for this purpose.

Strategic direction and maintenance of the specification is managed by the CycloneDX Core Working Group,is backed by theOWASP Foundation,and is supported by the global information security community.

PinnedLoading

specificationspecificationPublic
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, an…
XSLT 389 66
cyclonedx-pythoncyclonedx-pythonPublic
CycloneDX Software Bill of Materials (SBOM) generator for Python projects and environments
Python 276 71
cyclonedx-maven-plugincyclonedx-maven-pluginPublic
Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects
Java 316 88
cyclonedx-clicyclonedx-cliPublic
CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.
C# 345 63
bom-examplesbom-examplesPublic
A repository with examples of CycloneDX BOMs (SBOM, SaaSBOM, OBOM, VEX, etc)
191 69
cyclonedx-node-modulecyclonedx-node-modulePublic
creates CycloneDX Software-Bill-of-Materials (SBOM) from node-based projects
126 38

Repositories

Showing 10 of 60 repositories

cyclonedx-node-npm Public
Create CycloneDX Software Bill of Materials (SBOM) from Node.js NPM projects.
CycloneDX/cyclonedx-node-npm’s past year of commit activity
JavaScript 82Apache-2.0 22 15 (4 issues need help) 9 UpdatedMar 29, 2025
cyclonedx-webpack-plugin Public
Generate CycloneDX Software Bill of Materials (SBOM) from webpack bundles at compile time.
CycloneDX/cyclonedx-webpack-plugin’s past year of commit activity
JavaScript 26Apache-2.0 9 9 (7 issues need help) 6 UpdatedMar 29, 2025
cyclonedx-php-library Public
PHP Implementation of OWASP CycloneDX Bill of Materials (BOM)
CycloneDX/cyclonedx-php-library’s past year of commit activity
PHP 9Apache-2.00 13 (4 issues need help) 5 UpdatedMar 29, 2025
cyclonedx-python Public
CycloneDX Software Bill of Materials (SBOM) generator for Python projects and environments
CycloneDX/cyclonedx-python’s past year of commit activity
Python 276Apache-2.0 71 16 (12 issues need help) 7 UpdatedMar 29, 2025
cyclonedx-node-yarn Public
Create CycloneDX Software Bill of Materials (SBOM) from Node.js Yarn projects.
CycloneDX/cyclonedx-node-yarn’s past year of commit activity
JavaScript 21Apache-2.0 6 15 (11 issues need help) 4 UpdatedMar 29, 2025
cyclonedx-gradle-plugin Public
Creates CycloneDX Software Bill of Materials (SBOM) from Gradle projects
CycloneDX/cyclonedx-gradle-plugin’s past year of commit activity
Java 183Apache-2.0 79 61 (2 issues need help) 5 UpdatedMar 28, 2025
cyclonedx-property-taxonomy Public
A taxonomy of all official CycloneDX property namespaces and names
CycloneDX/cyclonedx-property-taxonomy’s past year of commit activity
Ruby 15Apache-2.0 34 11 (5 issues need help) 3 UpdatedMar 28, 2025
cyclonedx-php-composer Public
Create CycloneDX Software Bill of Materials (SBOM) from PHP Composer projects
CycloneDX/cyclonedx-php-composer’s past year of commit activity
PHP 61Apache-2.0 7 14 (8 issues need help) 0 UpdatedMar 28, 2025
cdxgen Public
Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. GPT:https://chatgpt.com/g/g-673bfeb4037481919be8a2cd1bf868d2-cdxgen
CycloneDX/cdxgen’s past year of commit activity
JavaScript 659Apache-2.0 176 362 (29 issues need help) 12 UpdatedMar 27, 2025
cyclonedx-javascript-library Public
Core functionality of OWASP CycloneDX for JavaScript (Node.js or WebBrowser) written in TypeScript.
CycloneDX/cyclonedx-javascript-library’s past year of commit activity
TypeScript 16Apache-2.0 13 14 (10 issues need help) 6 UpdatedMar 27, 2025