
Specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX

From CycloneDX · Updated June 19, 2026

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. CycloneDX is an [Ecma International](https://ecma-international.org/) standard published as [ECMA-424](https://ecma-international.org/publications-and-standards/standards/ecma-424/). The [OWASP Foundation](https://owasp.org/) and Ecma International [Technical Committee for Software & System Transparency (TC54)](https://tc54.org/) drive the continued advancem... The project is written primarily in XSLT, is distributed under the Apache License 2.0, and was first published in 2017. Key topics include: bill-of-materials, bom, cbom, cpe, cyclonedx.

Latest release: 1.7.1
June 2, 2026

CycloneDX Bill of Materials Specification (ECMA-424)


OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for
cyber risk reduction. CycloneDX is an Ecma International standard published as
ECMA-424.
The OWASP Foundation and Ecma International Technical Committee for Software & System Transparency (TC54)
drive the continued advancement of the specification.

The specification supports:

  • Software Bill of Materials (SBOM)
  • Software-as-a-Service Bill of Materials (SaaSBOM)
  • Hardware Bill of Materials (HBOM)
  • Machine Learning Bill of Materials (ML-BOM)
  • Cryptography Bill of Materials (CBOM)
  • Manufacturing Bill of Materials (MBOM)
  • Operations Bill of Materials (OBOM)
  • Vulnerability Disclosure Reports (VDR)
  • Vulnerability Exploitability eXchange (VEX)
  • CycloneDX Attestations (CDXA)

A Note on the Standard and Schemas

CycloneDX is an Ecma International standard published as ECMA-424 under a royalty-free patent policy.
The CycloneDX schemas in this repository are the official interpretations of the standard and are available under the
Apache 2.0 license. The JSON Schema is the reference implementation
for the standard.

Use Cases

The CycloneDX project maintains a list of achievable use cases. Examples for each
use case are provided in both XML and JSON.

Tool Center

The CycloneDX Tool Center is a community effort to establish a marketplace of
free, open source, and proprietary tools and solutions that support the CycloneDX specification.

Media Types

The following media types are officially registered with IANA:

| Media Type | Format | Assignment |
| --- | --- | --- |
| application/vnd.cyclonedx+xml | XML | IANA |
| application/vnd.cyclonedx+json | JSON | IANA |
| application/x.vnd.cyclonedx+protobuf | Protocol Buffer | |

Specific versions of CycloneDX can be specified by using the version parameter. For example: application/vnd.cyclonedx+xml; version=1.6.

Recognized file patterns

The following file names are conventionally used for storing CycloneDX BOM files:

  • bom.json for JSON encoded CycloneDX BOM files.
  • bom.xml for XML encoded CycloneDX BOM files.

Alternatively, files that match the glob pattern below are also recognized:

  • *.cdx.json for JSON encoded CycloneDX BOM files.
  • *.cdx.xml for XML encoded CycloneDX BOM files.
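
The media types and file-name conventions above can be combined into a consistency check on the receiving side of a BOM upload. This is an added example, not code from the CycloneDX project: the function names and the findings they report are assumptions made for illustration, and the version set is copied from the release history on this page.

```python
import fnmatch
from email.message import Message
from pathlib import PurePosixPath

# Media types, file patterns and released versions as listed on this page.
MEDIA_TYPES = {
    "application/vnd.cyclonedx+xml": "XML",
    "application/vnd.cyclonedx+json": "JSON",
    "application/x.vnd.cyclonedx+protobuf": "Protocol Buffer",
}
FILE_PATTERNS = {"bom.json": "JSON", "bom.xml": "XML",
                 "*.cdx.json": "JSON", "*.cdx.xml": "XML"}
RELEASED_VERSIONS = {"1.0", "1.1", "1.2", "1.3", "1.4", "1.5", "1.6", "1.7"}

def parse_media_type(header):
    """Return (format, version) for a Content-Type value, or None if not CycloneDX."""
    msg = Message()
    msg["Content-Type"] = header
    fmt = MEDIA_TYPES.get(msg.get_content_type())  # lower-cased, parameters stripped
    if fmt is None:
        return None
    return fmt, msg.get_param("version")  # None when the parameter is absent

def bom_format_for_path(path):
    """Return the format implied by the file name, or None if it is not recognized."""
    name = PurePosixPath(path).name
    for pattern, fmt in FILE_PATTERNS.items():
        if fnmatch.fnmatchcase(name, pattern):
            return fmt
    return None

def check_upload(path, content_type):
    """Hypothetical ingestion check: list inconsistencies (empty list = consistent)."""
    findings = []
    by_name = bom_format_for_path(path)
    declared = parse_media_type(content_type)
    if by_name is None:
        findings.append("file name is not a recognized CycloneDX pattern")
    if declared is None:
        return findings + ["media type is not a CycloneDX media type"]
    fmt, version = declared
    if by_name is not None and by_name != fmt:
        findings.append(f"file name implies {by_name}, media type declares {fmt}")
    if version is not None and version not in RELEASED_VERSIONS:
        findings.append(f"version parameter {version!r} is not a released version")
    return findings
```

Neither the file name nor the declared media type proves what the payload contains, so a pipeline should still validate the document against the schema for the declared version before trusting it.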

Release History

| Version | Release Date |
| --- | --- |
| CycloneDX 1.7 | 21 October 2025 |
| CycloneDX 1.6 | 09 April 2024 |
| CycloneDX 1.5 | 26 June 2023 |
| CycloneDX 1.4 | 12 January 2022 |
| CycloneDX 1.3 | 04 May 2021 |
| CycloneDX 1.2 | 26 May 2020 |
| CycloneDX 1.1 | 03 March 2019 |
| CycloneDX 1.0 | 26 March 2018 |
| Initial Prototype | 01 May 2017 |

CycloneDX Specification is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache License 2.0.

This article is auto-generated from CycloneDX/specification via the GitHub API. Last fetched: 6/27/2026