CycloneDX
CycloneDX 是什么?
CycloneDXAn OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases.
CycloneDX is a lightweight, OWASP-stewarded BOM specification that emerged in 2017 specifically to support security use cases such as vulnerability correlation, license compliance, and supply-chain transparency. Unlike SPDX (which began as a licensing format), CycloneDX was security-first from day one: it natively models components, services, dependencies, hash values, pedigree, vulnerabilities, and — through extensions — machine-learning models (ML-BOM), SaaS components (SaaSBOM), and cryptographic assets (CBOM). The spec is published in JSON, XML, and Protobuf and is officially recognized by NTIA, CISA, and the U.S. Executive Order 14028 SBOM minimum-elements guidance. Tooling exists across most ecosystems (`cyclonedx-bom` for Python, `cyclonedx-npm` for Node, plugins for Maven, Gradle, .NET, Go, Rust, etc.), and most security platforms can ingest CycloneDX directly. Alongside SPDX, it is one of the two formats most likely to satisfy regulator SBOM requirements through 2026.
● 示例
- 01
A CI job runs `cyclonedx-bom` after every build and uploads the resulting cdx.json to a vulnerability-management platform.
- 02
A vendor delivers a CycloneDX 1.5 SBOM to a customer who requires SBOM submission under U.S. Executive Order 14028 contract clauses.
● 常见问题
CycloneDX 是什么?
An OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases. 它属于网络安全的 应用安全 分类。
CycloneDX 是什么意思?
An OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases.
CycloneDX 是如何工作的?
CycloneDX is a lightweight, OWASP-stewarded BOM specification that emerged in 2017 specifically to support security use cases such as vulnerability correlation, license compliance, and supply-chain transparency. Unlike SPDX (which began as a licensing format), CycloneDX was security-first from day one: it natively models components, services, dependencies, hash values, pedigree, vulnerabilities, and — through extensions — machine-learning models (ML-BOM), SaaS components (SaaSBOM), and cryptographic assets (CBOM). The spec is published in JSON, XML, and Protobuf and is officially recognized by NTIA, CISA, and the U.S. Executive Order 14028 SBOM minimum-elements guidance. Tooling exists across most ecosystems (`cyclonedx-bom` for Python, `cyclonedx-npm` for Node, plugins for Maven, Gradle, .NET, Go, Rust, etc.), and most security platforms can ingest CycloneDX directly. Alongside SPDX, it is one of the two formats most likely to satisfy regulator SBOM requirements through 2026.
如何防御 CycloneDX?
针对 CycloneDX 的防御通常结合技术控制与运营实践,详见上方完整定义。
CycloneDX 还有哪些其他名称?
常见的别称包括: CycloneDX SBOM, OWASP CycloneDX。
● 相关术语
- appsec№ 1185
软件物料清单(SBOM)
以机器可读形式正式描述构成一款软件的组件、库与依赖项及其版本与关系的清单。
- appsec№ 1190
SPDX (Software Package Data Exchange)
A Linux Foundation-maintained, ISO/IEC 5962-standardized open format for software bills of materials, originally focused on license metadata and now broadly used for SBOMs.
- appsec№ 1328
VEX (Vulnerability Exploitability eXchange)
A machine-readable companion to the SBOM that tells consumers whether a listed CVE actually affects a given product — distinguishing 'present in the bill of materials' from 'reachable and exploitable'.
- appsec№ 271
密码学物料清单(CBOM)
列举软件或系统使用的所有密码学资产(算法、密钥长度、证书、库与协议)的清单,用于支撑密码敏捷性与后量子准备。
- appsec№ 1186
软件供应链安全
保护软件生产链中每一个环节——源代码、依赖、构建、签名、分发与部署——使其免受篡改、恶意代码与完整性破坏的学科。
- ai-security№ 029
AI 物料清单(AIBOM)
对构成 AI 系统的每一项组件——数据集、基础模型、微调数据、依赖库、提示与评估制品——的机读清单,用于安全、合规与问责。