CycloneDX.

An OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases. Pertence à categoria Segurança de aplicações da cibersegurança.

An OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases.

CycloneDX is a lightweight, OWASP-stewarded BOM specification that emerged in 2017 specifically to support security use cases such as vulnerability correlation, license compliance, and supply-chain transparency. Unlike SPDX (which began as a licensing format), CycloneDX was security-first from day one: it natively models components, services, dependencies, hash values, pedigree, vulnerabilities, and — through extensions — machine-learning models (ML-BOM), SaaS components (SaaSBOM), and cryptographic assets (CBOM). The spec is published in JSON, XML, and Protobuf and is officially recognized by NTIA, CISA, and the U.S. Executive Order 14028 SBOM minimum-elements guidance. Tooling exists across most ecosystems (`cyclonedx-bom` for Python, `cyclonedx-npm` for Node, plugins for Maven, Gradle, .NET, Go, Rust, etc.), and most security platforms can ingest CycloneDX directly. Alongside SPDX, it is one of the two formats most likely to satisfy regulator SBOM requirements through 2026.

As defesas contra CycloneDX costumam combinar controles técnicos e práticas operacionais, conforme detalhado na definição acima.

Nomes alternativos comuns: CycloneDX SBOM, OWASP CycloneDX.