CycloneDX serves as a comprehensive bill of materials specification tailored for today's software supply chains. While it's primarily recognized as a software bill of materials (SBOM) standard, CycloneDX's functionality extends to vulnerability reports and various other bill of materials categories.

Its prominence grew substantially after being endorsed as an approved SBOM data format by the U.S. federal government’s 2021 cybersecurity directive EO14028.

However, the origin of this standard dates back to 2017, and as of June 2023, its current release is version 1.5.

Diverse Applications of CycloneDX

CycloneDX isn't solely for software bills of materials. It caters to a wide range of supply chain security objectives, such as operations bills of materials (OBOM), bills of vulnerabilities (BOV), vulnerability disclosure reports (VDR), and vulnerability exploitability exchanges (VEX). With its latest iteration, three new applications have been introduced: Machine Learning Bill of Materials (ML-BOM), Manufacturing Bill of Materials (MBOM), and SBOMs for Low Code Application Platforms.

The CycloneDX Core Working Group, emphasized the versatility of CycloneDX. It's not limited to software representation; it can depict services, create an inventory of various services, and even generate a hardware bill of materials, which can be invaluable for IoT scenarios.

Additional use cases include:

  • Component inventory: Essential for component analysis, covering a wide range of component types.
  • Vulnerability analysis: Effective for different types of vulnerability assessments.
  • Software package evaluation: Especially beneficial for open-source software packages.
  • License identification and compliance: Comprehensive documentation for open-source licenses, with added functionalities for commercial licenses.
  • Assemblies and Component Pedigree: Representing complex component structures and tracking software component lineage.
  • Component Provenance: Tracing the origin of a component.
  • Service Reliance: Detailing different service-related aspects like endpoint URIs and data flows.

CycloneDX High-level Object Model

CycloneDX Bill of Materials Elements

The CycloneDX model consists of eight primary elements: metadata, components, services, dependencies, compositions, vulnerabilities, formulation, and annotations. Each of these elements provides a unique perspective on the bill of materials, whether it's detailing the components, capturing vulnerabilities, describing the manufacturing process, or adding additional context.

In its latest version, CycloneDX has introduced the support for snippets and broadened its support for relationship types. Relationship types offer valuable insights about the BOM or its components or services.

CycloneDX vs. SPDX

Both CycloneDX and SPDX hold significant positions in the SBOM landscape, being both human and machine-readable. They are the main SBOM formats recognized by the U.S. government’s 2021 cybersecurity order. However, their focus and features vary:

  • Origins: SPDX was tailored primarily for open source license compliance, whereas CycloneDX was crafted with a security-centric approach.
  • File Formats: While both support JSON and XML, SPDX includes YAML and Excel, and CycloneDX includes Protocol Buffers.

Generating a CycloneDX SBOM

To get an accurate CycloneDX SBOM, it's advised to generate it during the build process as part of your CI/CD pipeline. This ensures the most precise inventory of dependencies. Various tools and platforms can be utilized to produce a CycloneDX SBOM in either JSON or XML formats.

Additional resources

  1. CycloneDX Specification &
  2. CycloneDX 1.5 JSON Reference
  3. SBOM Example on GitHub