Draft:CycloneDX

Submission declined on 11 December 2025 by MCE89 (talk). This draft's references do not show that the subject qualifies for a Wikipedia article. In summary, the draft needs multiple published sources that are: in-depth (not just passing mentions about the subject) reliable secondary independent of the subject Make sure you add references that meet these criteria before resubmitting. Learn about mistakes to avoid when addressing this issue. If no additional references exist, the subject is not suitable for Wikipedia. If you would like to continue working on the submission, click on the "Edit" tab at the top of the window. If you have not resolved the issues listed above, your draft will be declined again and potentially deleted. If you need extra help, please ask us a question at the AfC Help Desk or get live help from experienced editors. Please do not remove reviewer comments or this notice until the submission is accepted. Where to get help If you need help editing or submitting your draft, please ask us a question at the AfC Help Desk or get live help from experienced editors. These venues are only for help with editing and the submission process, not to get reviews. If you need feedback on your draft, or if the review is taking a lot of time, you can try asking for help on the talk page of a relevant WikiProject. Some WikiProjects are more active than others so a speedy reply is not guaranteed. How to improve a draft Wikipedia:Contributing to Wikipedia – a basic overview on how to edit Wikipedia. Help:Wikitext – how to use the markup Help:Referencing for beginners – how to include references Wikipedia:Article development – how to develop your article Wikipedia:Writing better articles – how to improve your article Wikipedia:Verifiability – make sure your article includes reliable third-party sources You can also browse Wikipedia:Featured articles and Wikipedia:Good articles to find examples of Wikipedia's best writing on topics similar to your proposed article. Improving your odds of a speedy review To improve your odds of a faster review, tag your draft with relevant WikiProject tags using the button below. This will let reviewers know a new draft has been submitted in their area of interest. For instance, if you wrote about a female astronomer, you would want to add the Biography, Astronomy, and Women scientists tags. Add tags to your draft Editor resources Easy tools: Citation bot (help) | Advanced: Fix bare URLs Declined by MCE89 11 hours ago. Last edited by Frietjes 4 hours ago. Reviewer: Inform author. Resubmit Please note that if the issues are not fixed, the draft will be declined again.

• Comment: This draft needs additional secondary, independent sources to establish notability. MCE89 (talk) 11:30, 11 December 2025 (UTC)

CycloneDX is an open standard for software and system transparency that provides a machine-readable format for exchanging information about software components, services, vulnerabilities, cryptographic assets, and other supply chain data.^[1] It is a flagship project of the OWASP Foundation and has been ratified as an Ecma International standard (ECMA-424).^[2]

CycloneDX is a bill of materials standard capable of representing software, hardware, services, cryptography, and other types of inventory.^[3] Among its capabilities, it supports software bill of materials (SBOM), cryptographic bill of materials (CBOM), vulnerability disclosure, and security attestations. CycloneDX is one of the three SBOM formats recognised by the National Telecommunications and Information Administration (NTIA) as an acceptable standard for federal software procurement under Executive Order 14028, alongside SPDX and SWID tags.^[4]

CycloneDX was initiated in March 2018 as an OWASP project focused on creating a security-oriented bill of materials specification.^[5] Unlike earlier standards that evolved from licensing and intellectual property compliance use cases, CycloneDX was designed for application security contexts and supply chain component analysis.^[6]

The specification versions are:^[7]

• Version 1.0 (March 2018): Initial release supporting software and hardware components. Introduced the Package URL (PURL) identifier.
• Version 1.1 (March 2019): Added support for component pedigree, enabling description of component lineage including commits, patches, and modifications.
• Version 1.2 (May 2020): Incorporated SWID (ISO/IEC 19770-2:2015) support, services inventory, data classifications, providers, and relationships between services and components.
• Version 1.3 (May 2021): Introduced composition completeness declarations, addressing the NTIA's concept of "known unknowns" in software transparency.
• Version 1.4 (January 2022): Added vulnerability sharing capabilities, including Vulnerability Disclosure Reports (VDR) and Vulnerability Exploitability eXchange (VEX).
• Version 1.5 (June 2023): Added support for Machine Learning Bill of Materials (ML-BOM), configuration and data components, and formulation describing how components were created, tested, trained, evaluated, and deployed.^[8]
• Version 1.6 (April 2024): Introduced Cryptographic bill of materials (CBOM) for post-quantum cryptography readiness and attestation capabilities. Ratified as ECMA-424 (1st Edition) in June 2024.^[9]
• Version 1.7 (October 2025): Added support for citations and patents. Ratified as ECMA-424 (2nd Edition) on 10 December 2025.^[10]

In December 2023, Ecma International established Technical Committee 54 (TC54) for Software and System Transparency, chartered to standardise the CycloneDX specification and related standards.^[11]

CycloneDX supports the following use cases:^[12]

CycloneDX supports multiple bill of materials types:

• Software Bill of Materials (SBOM): Inventory of software components and services with dependency relationships
• Software-as-a-Service Bill of Materials (SaaSBOM): Inventory of services, endpoints, data flows, and classifications for cloud-native applications
• Hardware Bill of Materials (HBOM): Components for consumer electronics, IoT, ICS, and embedded devices
• Machine Learning Bill of Materials (ML-BOM): Inventory of machine learning models and datasets
• Cryptography Bill of Materials (CBOM): Cryptographic assets and dependencies for quantum-safe migration planning
• Operations Bill of Materials (OBOM): Runtime environments, configurations, and operational dependencies
• Manufacturing Bill of Materials (MBOM): Formulation describing how products are made, tested, and deployed

CycloneDX supports several vulnerability-related capabilities:

• Bill of Vulnerabilities (BOV): Vulnerability data sharing between systems
• Vulnerability Disclosure Report (VDR): Communication of known and unknown vulnerabilities affecting components and services
• Vulnerability Exploitability eXchange (VEX): Conveys whether vulnerable components are exploitable in the context of a specific product^[13]

CycloneDX Attestations communicate security standards, claims, evidence, and attestations in a machine-readable format.^[12]

The formulation capability describes workflows, tasks, and steps involved in the creation, testing, training, evaluation, or deployment of software, hardware, or AI/ML models.^[12]

Executive Order 14028, signed by President Joe Biden on 12 May 2021, mandated software bill of materials for federal agency software procurement.^[14] Subsequent NTIA guidance identified CycloneDX as one of the three acceptable SBOM formats, along with SPDX and SWID tags.^[15]

The Cybersecurity and Infrastructure Security Agency (CISA) updated SBOM guidelines in 2024–2025 to require machine-readable formats including CycloneDX for federal agencies.^[16]

The Cyber Resilience Act (Regulation (EU) 2024/2847), adopted on 10 October 2024 and enforced from December 2027, requires manufacturers of products with digital elements to maintain machine-readable SBOMs.^[17]

Germany's Federal Office for Information Security (BSI) published Technical Guideline BSI TR-03183 "Cyber Resilience Requirements for Manufacturers and Products", which specifies requirements for software bill of materials. The guideline requires CycloneDX version 1.6 or higher as an acceptable format.^[18]

CycloneDX operates under a community development model with governance shared between the OWASP Foundation and Ecma International's Technical Committee 54 (TC54).^[11] The CycloneDX Core Working Group manages the specification, with additional Feature Working Groups addressing specific capabilities.^[12]

The specification is published under a royalty-free patent policy, and the reference schemas are available under the Apache License 2.0.^[19]

• Software bill of materials
• Cryptographic bill of materials
• Software composition analysis
• Supply chain attack
• Vulnerability management
• SPDX
• OWASP
• Cyber Resilience Act

• Official website
• Ecma Technical Committee 54
• OWASP CycloneDX Project
• CycloneDX on GitHub

{{OWASP}}

Category:Computer file formats Category:Computer security standards Category:Data serialization formats Category:Ecma standards Category:Free software Category:Open formats Category:OWASP Category:Software development process Category:Supply chain management