ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

CYCLONEDX-SPEC

CycloneDX OWASP SBOM JSON/XML 1.6 2024.

Definition

CycloneDX 1.6 features: (1) Components: type (library, framework, container, OS, device, file, etc.), bom-ref unique identifier, name, version, purl Package URL (pkg:npm/lodash@4.17.21), CPE (Common Platform Enumeration), licenses, hashes, supplier. (2) Dependencies: ref-to-ref relationships dependency graph. (3) Vulnerabilities: CVE references, advisories, ratings CVSSv3.1/v4 scores, impact, recommendation. (4) VEX (Vulnerability Exchange): product status against vulnerabilities (affected, not_affected, fixed, under_investigation). (5) Pedigree: commit data, patches, ancestors. (6) Formulations 1.5+: build steps + inputs + outputs like SLSA Provenance. (7) Services 1.4+: external services (REST APIs, etc.). Formats: JSON (most common), XML, Protocol Buffers. Tools: Syft (Anchore generate SBOM container), cdxgen, OWASP Dependency-Track (CycloneDX SBOM aggregator + vuln scanning), CycloneDX Maven Plugin, npm cdxgen. Adoption massive: ~50% SBOM produced CycloneDX 2024 (vs SPDX ~40%).

Origin

CycloneDX initiated 2017 by OWASP Foundation by Steve Springett ; donated OWASP project 2018 ; CycloneDX v1.0 2018 ; CycloneDX v1.6 release June 2024 ; massive adoption ~50% SBOM 2024.

Example in context

Anchore Syft scans container image kubernetes/kube-apiserver:v1.30.0 and produces CycloneDX 1.6 JSON SBOM: lists ~200 components (Go libraries, base image OS packages, kube-apiserver binary itself), purls + licenses, SHA256 hashes ; SBOM uploaded Dependency-Track for continuous vulnerability monitoring.

Last updated: May 16, 2026