CYCLONEDX-SPEC
CycloneDX OWASP SBOM JSON/XML 1.6 2024.
Definition
CycloneDX 1.6 features: (1) Components: type (library, framework, container, OS, device, file, etc.), bom-ref unique identifier, name, version, purl Package URL (pkg:npm/lodash@4.17.21), CPE (Common Platform Enumeration), licenses, hashes, supplier. (2) Dependencies: ref-to-ref relationships dependency graph. (3) Vulnerabilities: CVE references, advisories, ratings CVSSv3.1/v4 scores, impact, recommendation. (4) VEX (Vulnerability Exchange): product status against vulnerabilities (affected, not_affected, fixed, under_investigation). (5) Pedigree: commit data, patches, ancestors. (6) Formulations 1.5+: build steps + inputs + outputs like SLSA Provenance. (7) Services 1.4+: external services (REST APIs, etc.). Formats: JSON (most common), XML, Protocol Buffers. Tools: Syft (Anchore generate SBOM container), cdxgen, OWASP Dependency-Track (CycloneDX SBOM aggregator + vuln scanning), CycloneDX Maven Plugin, npm cdxgen. Adoption massive: ~50% SBOM produced CycloneDX 2024 (vs SPDX ~40%).
Origin
CycloneDX initiated 2017 by OWASP Foundation by Steve Springett ; donated OWASP project 2018 ; CycloneDX v1.0 2018 ; CycloneDX v1.6 release June 2024 ; massive adoption ~50% SBOM 2024.
Example in context
Anchore Syft scans container image kubernetes/kube-apiserver:v1.30.0 and produces CycloneDX 1.6 JSON SBOM: lists ~200 components (Go libraries, base image OS packages, kube-apiserver binary itself), purls + licenses, SHA256 hashes ; SBOM uploaded Dependency-Track for continuous vulnerability monitoring.
Related terms
- SPDX 3.0 — competing SBOM format.