Skip to content
@CycloneDX

CycloneDX BOM Standard

CycloneDX is a modern standard for the software supply chain. SBOM, SaaSBOM, CBOM, OBOM, VEX, and more. CycloneDX is a OWASP project ratified as ECMA-424
README.md

Welcome to the CycloneDX Community

CycloneDX logo

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. The specification supports:

  • Software Bill of Materials (SBOM)
  • Software-as-a-Service Bill of Materials (SaaSBOM)
  • Hardware Bill of Materials (HBOM)
  • Machine Learning Bill of Materials (ML-BOM)
  • Cryptography Bill of Materials (CBOM)
  • Manufacturing Bill of Materials (MBOM)
  • Operations Bill of Materials (OBOM)
  • Vulnerability Disclosure Reports (VDR)
  • Vulnerability Exploitability eXchange (VEX)
  • CycloneDX Attestations (CDXA)

The CycloneDX project provides standards in XML, JSON, and Protocol Buffers, as well as a large collection of official and community supported tools that create or interoperate with the standard.

The project's website has many documented use cases and examples that provide a springboard to SBOM adoption.

The project operates as a meritocracy whose guiding principles reinforce its risk-based approach to standards development. The project encourages community participation in the development of the standard and supporting tools.

Background

Modern software is assembled using third-party and open source components. They are glued together in complex and unique ways and integrated with original code to achieve the desired functionality. An accurate inventory of all components enables organizations to identify risk, allows for greater transparency, and enables rapid impact analysis.

CycloneDX was created for this purpose.

Strategic direction and maintenance of the specification is managed by the CycloneDX Core Working Group, is backed by the OWASP Foundation, and is supported by the global information security community.

Pinned Loading

  1. specification specification Public

    OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, an…

    XSLT 500 84

  2. cyclonedx-python cyclonedx-python Public

    CycloneDX Software Bill of Materials (SBOM) generator for Python projects and environments

    Python 371 93

  3. cyclonedx-maven-plugin cyclonedx-maven-plugin Public

    Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects

    Java 365 96

  4. cyclonedx-cli cyclonedx-cli Public

    CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.

    C# 487 76

  5. bom-examples bom-examples Public

    A repository with examples of CycloneDX BOMs (SBOM, SaaSBOM, OBOM, VEX, etc)

    222 75

  6. cyclonedx-node-module cyclonedx-node-module Public

    creates CycloneDX Software-Bill-of-Materials (SBOM) from Node.js-based projects

    141 39

Repositories

Showing 10 of 64 repositories
  • cyclonedx-node-yarn Public

    Create CycloneDX Software Bill of Materials (SBOM) from Node.js Yarn projects.

    CycloneDX/cyclonedx-node-yarn’s past year of commit activity
    JavaScript 25 Apache-2.0 9 15 (12 issues need help) 15 Updated Apr 19, 2026
  • cyclonedx-bom-studio Public

    Build, edit, validate, and export CycloneDX BOMs through an intuitive browser-based interface

    CycloneDX/cyclonedx-bom-studio’s past year of commit activity
    Vue 19 Apache-2.0 6 6 16 Updated Apr 19, 2026
  • cyclonedx-php-composer Public

    Create CycloneDX Software Bill of Materials (SBOM) from PHP Composer projects

    CycloneDX/cyclonedx-php-composer’s past year of commit activity
    PHP 82 Apache-2.0 7 16 (9 issues need help) 6 Updated Apr 18, 2026
  • cyclonedx-assessors-studio Public

    Assessors Studio operationalizes CycloneDX Attestations (CDXA): perform assessments, collect evidence, make claims, and issue machine-readable CycloneDX attestations, optionally legally binding for B2B and B2G use cases.

    CycloneDX/cyclonedx-assessors-studio’s past year of commit activity
    TypeScript 12 Apache-2.0 1 2 2 Updated Apr 18, 2026
  • cyclonedx-node-npm Public

    Create CycloneDX Software Bill of Materials (SBOM) from Node.js NPM projects.

    CycloneDX/cyclonedx-node-npm’s past year of commit activity
    JavaScript 132 Apache-2.0 26 12 (6 issues need help) 11 Updated Apr 18, 2026
  • cyclonedx-webpack-plugin Public

    Generate CycloneDX Software Bill of Materials (SBOM) from webpack bundles at compile time.

    CycloneDX/cyclonedx-webpack-plugin’s past year of commit activity
    TypeScript 30 Apache-2.0 11 11 (9 issues need help) 12 Updated Apr 18, 2026
  • cyclonedx-javascript-library Public

    Functionality and DataModels of OWASP CycloneDX for JavaScript (Node.js or WebBrowser) written in TypeScript.

    CycloneDX/cyclonedx-javascript-library’s past year of commit activity
    TypeScript 23 Apache-2.0 16 14 (9 issues need help) 17 Updated Apr 18, 2026
  • specification Public

    OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX

    CycloneDX/specification’s past year of commit activity
    XSLT 500 Apache-2.0 84 158 (7 issues need help) 34 Updated Apr 18, 2026
  • cyclonedx-php-library Public

    Functionality and DataModels of OWASP CycloneDX for PHP

    CycloneDX/cyclonedx-php-library’s past year of commit activity
    PHP 13 Apache-2.0 0 17 (5 issues need help) 12 Updated Apr 18, 2026
  • cyclonedx-node-module Public

    creates CycloneDX Software-Bill-of-Materials (SBOM) from Node.js-based projects

    CycloneDX/cyclonedx-node-module’s past year of commit activity
    141 Apache-2.0 39 1 3 Updated Apr 18, 2026
View all repositories

Top languages

Loading…

Most used topics

Loading…