CycloneDX
Was ist CycloneDX?
CycloneDXAn OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases.
CycloneDX is a lightweight, OWASP-stewarded BOM specification that emerged in 2017 specifically to support security use cases such as vulnerability correlation, license compliance, and supply-chain transparency. Unlike SPDX (which began as a licensing format), CycloneDX was security-first from day one: it natively models components, services, dependencies, hash values, pedigree, vulnerabilities, and — through extensions — machine-learning models (ML-BOM), SaaS components (SaaSBOM), and cryptographic assets (CBOM). The spec is published in JSON, XML, and Protobuf and is officially recognized by NTIA, CISA, and the U.S. Executive Order 14028 SBOM minimum-elements guidance. Tooling exists across most ecosystems (`cyclonedx-bom` for Python, `cyclonedx-npm` for Node, plugins for Maven, Gradle, .NET, Go, Rust, etc.), and most security platforms can ingest CycloneDX directly. Alongside SPDX, it is one of the two formats most likely to satisfy regulator SBOM requirements through 2026.
● Beispiele
- 01
A CI job runs `cyclonedx-bom` after every build and uploads the resulting cdx.json to a vulnerability-management platform.
- 02
A vendor delivers a CycloneDX 1.5 SBOM to a customer who requires SBOM submission under U.S. Executive Order 14028 contract clauses.
● Häufige Fragen
Was ist CycloneDX?
An OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases. Es gehört zur Kategorie Anwendungssicherheit der Cybersicherheit.
Was bedeutet CycloneDX?
An OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases.
Wie funktioniert CycloneDX?
CycloneDX is a lightweight, OWASP-stewarded BOM specification that emerged in 2017 specifically to support security use cases such as vulnerability correlation, license compliance, and supply-chain transparency. Unlike SPDX (which began as a licensing format), CycloneDX was security-first from day one: it natively models components, services, dependencies, hash values, pedigree, vulnerabilities, and — through extensions — machine-learning models (ML-BOM), SaaS components (SaaSBOM), and cryptographic assets (CBOM). The spec is published in JSON, XML, and Protobuf and is officially recognized by NTIA, CISA, and the U.S. Executive Order 14028 SBOM minimum-elements guidance. Tooling exists across most ecosystems (`cyclonedx-bom` for Python, `cyclonedx-npm` for Node, plugins for Maven, Gradle, .NET, Go, Rust, etc.), and most security platforms can ingest CycloneDX directly. Alongside SPDX, it is one of the two formats most likely to satisfy regulator SBOM requirements through 2026.
Wie schützt man sich gegen CycloneDX?
Schutzmaßnahmen gegen CycloneDX kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.
Welche anderen Bezeichnungen gibt es für CycloneDX?
Übliche alternative Bezeichnungen: CycloneDX SBOM, OWASP CycloneDX.
● Verwandte Begriffe
- appsec№ 1185
Software Bill of Materials (SBOM)
Formales, maschinenlesbares Verzeichnis der Komponenten, Bibliotheken und Abhängigkeiten einer Software einschließlich ihrer Versionen und Beziehungen.
- appsec№ 1190
SPDX (Software Package Data Exchange)
A Linux Foundation-maintained, ISO/IEC 5962-standardized open format for software bills of materials, originally focused on license metadata and now broadly used for SBOMs.
- appsec№ 1328
VEX (Vulnerability Exploitability eXchange)
A machine-readable companion to the SBOM that tells consumers whether a listed CVE actually affects a given product — distinguishing 'present in the bill of materials' from 'reachable and exploitable'.
- appsec№ 271
Cryptographic Bill of Materials (CBOM)
Verzeichnis aller von Software oder Systemen verwendeten kryptografischen Assets - Algorithmen, Schlüssellängen, Zertifikate, Bibliotheken und Protokolle - zur Unterstützung von Kryptoagilität und Post-Quantum-Bereitschaft.
- appsec№ 1186
Software-Supply-Chain-Sicherheit
Disziplin zum Schutz jedes Glieds der Software-Produktion - Quellcode, Abhängigkeiten, Build, Signatur, Distribution und Deployment - gegen Manipulation, bösartigen Code und Integritätsverlust.
- ai-security№ 029
AI Bill of Materials (AIBOM)
Maschinenlesbares Inventar aller Komponenten eines KI-Systems — Datensätze, Basismodelle, Fine-Tuning-Daten, Bibliotheken, Prompts und Evaluierungsartefakte — für Sicherheit, Compliance und Accountability.