CycloneDX was designed from the ground-up to be a Bill of Materials (BOM) format, capable of capturing complex inventory information for a wide range of cybersecurity and software supply chain use cases.
With CycloneDX, it is possible to reference a component, service, or vulnerability inside a BOM from other systems or other BOMs. This deep-linking capability is referred to as BOM-Link and is a formally registered URN, governed by IANA, and compliant with RFC-8141.
Software Bill of Materials (SBOM)
A complete and accurate inventory of all first-party and third-party components is essential for risk identification. BOMs should ideally contain all direct and transitive components and the dependency relationships between them. CycloneDX supports a wide range of software components, including:
- Applications
- Containers
- Libraries
- Files
- Firmware
- Frameworks
- Operating Systems
Learn more about Software Bill of Materials (SBOM)
Software-as-a-Service BOM (SaaSBOM)
Modern software often relies on external services, or is made up entirely of services. CycloneDX is capable of describing any type of service including:
- Microservice Architecture
- Service-Oriented Architecture (SOA)
- Function as a Service (FaaS)
- n-Tier Architecture
- Actor model
- System of Systems
CycloneDX is protocol agnostic and is capable of describing services over HTTP(S), REST, GraphQL, MQTT, and intra-process communication. The specification provides enough information about services to automatically generate dataflow diagrams useful in threat modeling.
Learn more about Software-as-a-Service BOM (SaaSBOM)
Vulnerability Exploitability Exchange (VEX)
Known vulnerabilities inherited from the use of third-party and open source software and the exploitability of the vulnerabilities can be communicated with CycloneDX. Previously unknown vulnerabilities affecting both components and services may also be disclosed using CycloneDX, making it ideal for both VEX and security advisory use cases.
- VEX information can be represented inside an existing BOM, or in a dedicated VEX BOM
- Supports known and unknown vulnerabilities against components and services
- Communicates the vulnerability details, exploitability, and detailed analysis
Learn more about Vulnerability Exploitability Exchange (VEX)
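The SBOM, SaaSBOM, VEX and BOM-Link capabilities described above, as an added example that is not part of the original page or the CycloneDX project: a small CycloneDX 1.4 JSON document (built as a Python dict) that mixes components, a service, a dependency edge and an inline VEX entry, derives BOM-Link URNs for its elements, and runs the check a BOM consumer would want: every VEX statement must point at something actually in the inventory and carry a valid analysis state. All component names, versions, endpoints and the serial number are constructed sample values.

```python
# Field names follow the CycloneDX 1.4 JSON schema; all values are constructed samples.
# The vulnerability id is a placeholder, not a real CVE.
SERIAL = "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
PARSER = "pkg:maven/org.example/parser@1.3.0"
ANALYSIS_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                   "in_triage", "false_positive", "not_affected"}

def build_bom():
    """Minimal BOM: an application, a library it depends on, a service, and VEX."""
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "serialNumber": SERIAL, "version": 1,
        "components": [
            {"type": "application", "bom-ref": "acme-app",
             "name": "acme-app", "version": "2.1.0"},
            {"type": "library", "bom-ref": PARSER, "purl": PARSER,
             "name": "parser", "version": "1.3.0"},
        ],
        "services": [
            {"bom-ref": "billing-api", "name": "billing-api", "authenticated": True,
             "endpoints": ["https://billing.example.internal/v1"]},
        ],
        "dependencies": [{"ref": "acme-app", "dependsOn": [PARSER, "billing-api"]}],
        "vulnerabilities": [{
            "id": "CVE-0000-00000",  # placeholder identifier, not a real CVE
            "source": {"name": "NVD"},
            "affects": [{"ref": PARSER}],
            "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
        }],
    }

def bom_link(bom, bom_ref):
    """BOM-Link URN: urn:cdx:<uuid>/<bom version>#<bom-ref> (an RFC 8141 URN)."""
    uuid = bom["serialNumber"].removeprefix("urn:uuid:")
    return f"urn:cdx:{uuid}/{bom['version']}#{bom_ref}"

def check_vex(bom):
    """List VEX entries whose refs are not in this BOM or whose state is invalid; refs that are BOM-Links point at other BOMs and are skipped."""
    refs = {c["bom-ref"] for c in bom.get("components", [])}
    refs |= {s["bom-ref"] for s in bom.get("services", [])}
    problems = []
    for vuln in bom.get("vulnerabilities", []):
        for hit in vuln.get("affects", []):
            if not hit["ref"].startswith("urn:cdx:") and hit["ref"] not in refs:
                problems.append(f"{vuln['id']}: ref {hit['ref']} not in BOM")
        state = vuln.get("analysis", {}).get("state")
        if state not in ANALYSIS_STATES:
            problems.append(f"{vuln['id']}: invalid analysis state {state!r}")
    return problems
```

Serialise the dict with `json.dumps` to obtain the CycloneDX JSON document; the same refs can be addressed from another BOM through the URN that `bom_link` returns.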
Manufacturing Bill of Materials (MBOM)
CycloneDX supports many types of components, including hardware devices, making it ideal for use with consumer electronics, IoT, ICS, and other types of embedded devices. CycloneDX fills an important role between traditional eBOM and mBOM use cases for hardware devices.
- Supports device as a first-class component type
- Utilizes a formal and extensible taxonomy that defines a wide range of hardware devices and configurations
Learn more about Manufacturing Bill of Materials (MBOM)
Operations Bill of Materials (OBOM)
CycloneDX is a full-stack bill of materials standard supporting entire runtime environments consisting of hardware, firmware, containers, operating systems, applications and their libraries. Coupled with the ability to specify configuration, this makes CycloneDX ideal for an Operations Bill of Materials. OBOM is a security behavior defined in BSIMM and similar maturity models.
Learn more about Operations Bill of Materials (OBOM)
Bill of Vulnerabilities (BOV)
CycloneDX BOMs may consist solely of vulnerabilities, and can thus be used to share vulnerability data between systems and sources of vulnerability intelligence.
Learn more about Bill of Vulnerabilities (BOV)
Common Release Notes Format
CycloneDX standardizes release notes into a common, machine-readable format. This capability unlocks new workflow potential for software publishers and consumers alike. This functionality works with or without the Bill of Materials capabilities of the spec.
Learn more about Common Release Notes Format