CycloneDX
CycloneDX とは何ですか?
CycloneDXAn OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases.
CycloneDX is a lightweight, OWASP-stewarded BOM specification that emerged in 2017 specifically to support security use cases such as vulnerability correlation, license compliance, and supply-chain transparency. Unlike SPDX (which began as a licensing format), CycloneDX was security-first from day one: it natively models components, services, dependencies, hash values, pedigree, vulnerabilities, and — through extensions — machine-learning models (ML-BOM), SaaS components (SaaSBOM), and cryptographic assets (CBOM). The spec is published in JSON, XML, and Protobuf and is officially recognized by NTIA, CISA, and the U.S. Executive Order 14028 SBOM minimum-elements guidance. Tooling exists across most ecosystems (`cyclonedx-bom` for Python, `cyclonedx-npm` for Node, plugins for Maven, Gradle, .NET, Go, Rust, etc.), and most security platforms can ingest CycloneDX directly. Alongside SPDX, it is one of the two formats most likely to satisfy regulator SBOM requirements through 2026.
● 例
- 01
A CI job runs `cyclonedx-bom` after every build and uploads the resulting cdx.json to a vulnerability-management platform.
- 02
A vendor delivers a CycloneDX 1.5 SBOM to a customer who requires SBOM submission under U.S. Executive Order 14028 contract clauses.
● よくある質問
CycloneDX とは何ですか?
An OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases. サイバーセキュリティの アプリケーションセキュリティ カテゴリに属します。
CycloneDX とはどういう意味ですか?
An OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases.
CycloneDX はどのように機能しますか?
CycloneDX is a lightweight, OWASP-stewarded BOM specification that emerged in 2017 specifically to support security use cases such as vulnerability correlation, license compliance, and supply-chain transparency. Unlike SPDX (which began as a licensing format), CycloneDX was security-first from day one: it natively models components, services, dependencies, hash values, pedigree, vulnerabilities, and — through extensions — machine-learning models (ML-BOM), SaaS components (SaaSBOM), and cryptographic assets (CBOM). The spec is published in JSON, XML, and Protobuf and is officially recognized by NTIA, CISA, and the U.S. Executive Order 14028 SBOM minimum-elements guidance. Tooling exists across most ecosystems (`cyclonedx-bom` for Python, `cyclonedx-npm` for Node, plugins for Maven, Gradle, .NET, Go, Rust, etc.), and most security platforms can ingest CycloneDX directly. Alongside SPDX, it is one of the two formats most likely to satisfy regulator SBOM requirements through 2026.
CycloneDX からどのように防御しますか?
CycloneDX に対する防御は通常、上記の定義で述べたとおり、技術的統制と運用上の実践を組み合わせます。
CycloneDX の別名は何ですか?
一般的な別名: CycloneDX SBOM, OWASP CycloneDX。
● 関連用語
- appsec№ 1185
ソフトウェア部品表(SBOM)
ソフトウェアを構成するコンポーネント・ライブラリ・依存関係を、バージョンや関係とともに機械可読な形で正式に列挙したインベントリ。
- appsec№ 1190
SPDX (Software Package Data Exchange)
A Linux Foundation-maintained, ISO/IEC 5962-standardized open format for software bills of materials, originally focused on license metadata and now broadly used for SBOMs.
- appsec№ 1328
VEX (Vulnerability Exploitability eXchange)
A machine-readable companion to the SBOM that tells consumers whether a listed CVE actually affects a given product — distinguishing 'present in the bill of materials' from 'reachable and exploitable'.
- appsec№ 271
暗号部品表(CBOM)
ソフトウェアやシステムが利用するすべての暗号資産(アルゴリズム・鍵長・証明書・ライブラリ・プロトコル)を一覧化し、暗号アジリティとポスト量子対応を支えるインベントリ。
- appsec№ 1186
ソフトウェアサプライチェーンセキュリティ
ソースコード・依存関係・ビルド・署名・配布・デプロイに至るまで、ソフトウェア製造の各リンクを改ざん・悪意あるコード・完全性喪失から守る取り組み。
- ai-security№ 029
AI Bill of Materials(AIBOM)
データセット・ベースモデル・ファインチューニングデータ・ライブラリ・プロンプト・評価成果物など、AI システムを構成するすべての要素を機械可読でまとめた一覧。セキュリティ・コンプライアンス・説明責任に用いる。