CycloneDX.

An OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases. Pertenece a la categoría de Seguridad de aplicaciones en ciberseguridad.

An OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases.

CycloneDX is a lightweight, OWASP-stewarded BOM specification that emerged in 2017 specifically to support security use cases such as vulnerability correlation, license compliance, and supply-chain transparency. Unlike SPDX (which began as a licensing format), CycloneDX was security-first from day one: it natively models components, services, dependencies, hash values, pedigree, vulnerabilities, and — through extensions — machine-learning models (ML-BOM), SaaS components (SaaSBOM), and cryptographic assets (CBOM). The spec is published in JSON, XML, and Protobuf and is officially recognized by NTIA, CISA, and the U.S. Executive Order 14028 SBOM minimum-elements guidance. Tooling exists across most ecosystems (`cyclonedx-bom` for Python, `cyclonedx-npm` for Node, plugins for Maven, Gradle, .NET, Go, Rust, etc.), and most security platforms can ingest CycloneDX directly. Alongside SPDX, it is one of the two formats most likely to satisfy regulator SBOM requirements through 2026.

Las defensas contra CycloneDX combinan habitualmente controles técnicos y prácticas operativas, como se detalla en la definición.

Nombres alternativos comunes: CycloneDX SBOM, OWASP CycloneDX.