11![ CycloneDX logo] ( ../../../assets/images/logos/cyclonedx.png " OWASP CycloneDX ") { align=right width=180 }
22
3- OWASP [ CycloneDX] [ cyclonedx ] is a full-stack Bill of Materials (BOM) standard
4- that provides advanced supply chain capabilities for cyber risk reduction.
3+ OWASP [ CycloneDX] [ cyclonedx ] is a Bill of Materials (BOM) standard
4+ that provides supply chain capabilities for cyber risk reduction.
55This [ project] [ cyclonedx-project ] is one of the OWASP flagship projects.
66
7- ### What is CycloneDX?
7+ #### What is CycloneDX?
88
99CycloneDX is a widely used standard for various types of [ Bills of Materials] [ cyclonedx-spec ] .
10- It provides an organization's [ supply chain] [ cschain ] with software security risk reduction.
10+ Think of a Bill of Materials (BOM) as a list of the components in a deliverable;
11+ a real world example might be receiving a new mobile phone and the package contains:
12+
13+ * the mobile phone itself
14+ * a charger cable
15+ * various disclaimers and warranties
16+
17+ This itemized list can be called a Bill of Materials, and it means the consumer knows exactly what is provided.
18+
19+ In a similar way, CycloneDX provides software security risk reduction for an organization's [ supply chain] [ cschain ]
20+ by specifying what is in the (often third party) components that make up the deliverable product.
1121The specification supports:
1222
1323* [ Software Bill of Materials] [ cyclonedx-sbom ] (SBOM)
24+ * [ Cryptography Bill of Materials] [ cbom ] (CBOM)
1425* [ Software-as-a-Service Bill of Materials] [ cyclonedx-saasbom ] (SaaSBOM)
1526* [ Hardware Bill of Materials] [ cyclonedx-hbom ] (HBOM)
1627* [ Machine-learning Bill of Materials] [ cyclonedx-mlbom ] (ML-BOM)
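Review bot: the new analogy sentence reads awkwardly at "a real world example might be receiving a new mobile phone and the package contains:", and two compound modifiers in the added text lack hyphens ("real world example", "third party"). Suggest `a real-world example is receiving a new mobile phone, where the package contains:` and `the (often third-party) components`. The added CBOM bullet and the demotion of the heading to `####`, which now matches the sibling "Why use it?" and "How to use it" headings, look right.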
@@ -28,6 +39,9 @@ or interoperate with the CycloneDX standard.
2839
2940#### Why use it?
3041
42+ BOMs are useful. From answering questions such as "What cryptography are we shipping in that product?"
43+ to listing vulnerabilities in a deliverable in a consumable way along with a listing of software packages / libraries.
44+
3145CycloneDX is a very well established standard for SBOMs and various other types of BOM.
3246There is a huge ecosystem built around CycloneDX and it is used globally by many companies.
3347In addition SBOMs are mandatory for many industries and various governments - at some point every organization
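Review bot: the second added sentence is a fragment with no main clause ("From answering questions such as ... to listing vulnerabilities ..."), and "listing vulnerabilities ... along with a listing of" repeats itself. Suggest folding it into the first sentence: `BOMs are useful, from answering questions such as "What cryptography are we shipping in that product?" to listing the vulnerabilities in a deliverable, together with its software packages and libraries, in a consumable way.`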
@@ -37,12 +51,14 @@ CycloneDX also provides standards for other types of BOMs that may be required i
3751along with standards for release notes and [ responsible disclosure] [ csdisclose ] .
3852It is useful to use CycloneDX throughout the supply chain as it promotes interoperability between the various tools.
3953
54+ If there is a security related list that is being generated, then chances are there is a CycloneDX BOM for that.
55+
4056#### How to use it
4157
4258The OWASP Spotlight series provides an overview of CycloneDX along with the a demonstration of using SBOMs:
4359'Project 21 - [ OWASP CycloneDX] [ spotlight21 ] '.
4460
45- CycloneDX is an easy to understand standard that can be augmented to suit all parts of a supply chain,
61+ CycloneDX is an easy to understand standard that can be extended to suit all parts of a supply chain,
4662and there are [ many tools] [ cyclonedx-tools ] (more than 220 as of February 2024) that interoperate with CycloneDX.
4763
4864The easiest way to use CycloneDX is to select tools from this list for any of the supported BOM types,
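Review bot: "security related" should be hyphenated, and "chances are there is a CycloneDX BOM for that" is vague about what is being claimed; tie it to the BOM types listed earlier in the file, e.g. `If a security-related inventory needs to be produced, chances are CycloneDX already defines a BOM type for it.` The unchanged context line "along with the a demonstration of using SBOMs" carries a stray "the" that could be dropped while this file is open. The change from "augmented" to "extended" is clearer.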
@@ -55,6 +71,7 @@ and [various tools][cyclonedx-tools] can be chosen that are able to export the S
5571The OWASP Developer Guide is a community effort; if there is something that needs changing
5672then [ submit an issue] [ issue070203 ] or [ edit on GitHub] [ edit070203 ] .
5773
74+ [ cbom ] : https://cyclonedx.org/capabilities/cbom/
5875[ cschain ] : https://cheatsheetseries.owasp.org/cheatsheets/Software_Supply_Chain_Security_Cheat_Sheet
5976[ csdisclose ] : https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet
6077[ cyclonedx ] : https://cyclonedx.org/
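Review bot: the `[ cbom ]` label added here does not follow the `cyclonedx-` prefix used by the other BOM-type labels (`cyclonedx-sbom`, `cyclonedx-saasbom`, `cyclonedx-hbom`, `cyclonedx-mlbom`); rename it to `cyclonedx-cbom` both here and at its use in the "What is CycloneDX?" list so the CycloneDX link definitions sort together. Its alphabetical placement before `cschain` matches the existing ordering.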