Software Bill of Materials (SBOM)

 

Inventory software components and services and the dependency relationships between them

A complete and accurate inventory of all first-party and third-party components is essential for risk identification. BOMs should ideally contain all direct and transitive components and the dependency relationships between them.

CycloneDX far exceeds the Minimum Elements for Software Bill of Materials as defined by the National Telecommunications and Information Administration (NTIA) in response to U.S. Executive Order 14028.

Adopting CycloneDX allows organizations to quickly meet these minimum requirements and mature into using more sophisticated use cases over time. CycloneDX is capable of achieving all SBOM requirements defined in the OWASP Software Component Verification Standard (SCVS).

High-Level Object Model

CycloneDX can represent any type of software component along with services the software relies on. Refer to Use Cases for details on the many possibilities that exist for beginner, intermediate, and advanced SBOM use cases.

CycloneDX Object Model Swimlane

Examples

BOMs demonstrating SBOM capabilities can be found at https://github.com/CycloneDX/bom-examples

See also

Additional Capabilities

SBOM

Software Bill of Materials

Inventory software components and services and the dependency relationships between them

 

SaaSBOM

Software as a Service Bill of Materials

Inventory services, endpoints, and data flows and classifications that power cloud-native applications

 

CBOM

Cryptography Bill of Materials

Discover, manage and report on cryptography in preparation for quantum-safe systems and applications

 

VEX

Vulnerability Exploitability eXchange

Convey the exploitability of vulnerable components in the context of the product in which they're used

 

HBOM

Hardware Bill of Materials

Inventory hardware components for IoT, ICS, and other types of embedded and connected devices

 

ML-BOM

Machine-Learning Bill of Materials

Model and dataset transparency for security, privacy, safety and ethical considerations

 

Attestations

Attestations (CDXA)

Machine-readable statements of claims, evidence, and testimony in compliance with standards

 

MBOM

Manufacturing Bill of Materials

Declared and observed formulation for reproducibility throughout product lifecycle

 

OBOM

Operations Bill of Materials

Full-stack inventory of runtime environments, configurations, and additional dependencies

 

VDR

Vulnerability Disclosure Report

Communicate known and unknown vulnerabilities affecting components and services

 

BOM-Link

Bill of Materials Linkage Syntax

Reference components, services, or vulnerabilities in BOMs from other systems or other BOMs

 

BOV

Bill of Vulnerabilities

Share vulnerability data between systems and sources of vulnerability intelligence

 

Release Notes

Common Release Notes Format

Standardizes release notes unlocking new workflows for software publishers and consumers

 

CycloneDX Supporters

Apiiro
Bloomberg
Contrast Security
Ecma International
Fortress Information Security
IBM
IonChannel
Kondukto
Lockheed Martin
NowSecure
OWASP
Rezilion
ServiceNow
Sonatype