CycloneDX.

An OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases. Cette notion relève de la catégorie Sécurité applicative en cybersécurité.

An OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases.

CycloneDX is a lightweight, OWASP-stewarded BOM specification that emerged in 2017 specifically to support security use cases such as vulnerability correlation, license compliance, and supply-chain transparency. Unlike SPDX (which began as a licensing format), CycloneDX was security-first from day one: it natively models components, services, dependencies, hash values, pedigree, vulnerabilities, and — through extensions — machine-learning models (ML-BOM), SaaS components (SaaSBOM), and cryptographic assets (CBOM). The spec is published in JSON, XML, and Protobuf and is officially recognized by NTIA, CISA, and the U.S. Executive Order 14028 SBOM minimum-elements guidance. Tooling exists across most ecosystems (`cyclonedx-bom` for Python, `cyclonedx-npm` for Node, plugins for Maven, Gradle, .NET, Go, Rust, etc.), and most security platforms can ingest CycloneDX directly. Alongside SPDX, it is one of the two formats most likely to satisfy regulator SBOM requirements through 2026.

Les défenses contre CycloneDX combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.

Noms alternatifs courants : CycloneDX SBOM, OWASP CycloneDX.