ediverse Explorer la plateforme

À la une PEPPOL BIS Billing 3.0 L’obligation européenne d’e-invoicing arrive : France sept 2026, Belgique janv 2026, Allemagne 2025.

CYCLONEDX-SPEC

CycloneDX OWASP SBOM JSON/XML 1.6 2024.

Définition

CycloneDX 1.6 features : (1) Components : type (library, framework, container, OS, device, file, etc.), bom-ref unique identifier, name, version, purl Package URL (pkg:npm/lodash@4.17.21), CPE (Common Platform Enumeration), licenses, hashes, supplier. (2) Dependencies : ref-to-ref relationships dependency graph. (3) Vulnerabilities : CVE references, advisories, ratings CVSSv3.1/v4 scores, impact, recommendation. (4) VEX (Vulnerability Exchange) : product status against vulnerabilities (affected, not_affected, fixed, under_investigation). (5) Pedigree : commit data, patches, ancestors. (6) Formulations 1.5+ : build steps + inputs + outputs comme SLSA Provenance. (7) Services 1.4+ : external services (REST APIs, etc.). Formats : JSON (most common), XML, Protocol Buffers. Tools : Syft (Anchore generate SBOM container), cdxgen, OWASP Dependency-Track (CycloneDX SBOM aggregator + vuln scanning), CycloneDX Maven Plugin, npm cdxgen. Adoption massive : ~50% SBOM produced CycloneDX 2024 (vs SPDX ~40%).

Origine

CycloneDX initiated 2017 par OWASP Foundation par Steve Springett ; donated OWASP project 2018 ; CycloneDX v1.0 2018 ; CycloneDX v1.6 release juin 2024 ; adoption massive ~50% SBOM 2024.

Exemple en contexte

Anchore Syft scanne container image kubernetes/kube-apiserver:v1.30.0 et produit SBOM CycloneDX 1.6 JSON : liste ~200 components (Go libraries, base image OS packages, kube-apiserver binary itself), purls + licenses, hashes SHA256 ; SBOM uploaded Dependency-Track for continuous vulnerability monitoring.

Termes liés

Dernière mise à jour: 16 mai 2026