
SYSTEM Cited by 1 source

CycloneDX

CycloneDX is an OWASP project — an open, lightweight, machine-readable Software Bill of Materials (SBOM) standard. It encodes the inventory of components that make up a software artifact in JSON, XML, or Protocol Buffer form, with schema support for components, services, dependencies, vulnerabilities, licenses, and compositions.

The format is one of the two industry-canonical SBOM standards (the other being SPDX) and is emitted natively by tools like systems/syft and consumed by tools like systems/grype.

Key elements

  • components — each package / library / OS package the artifact contains. Identified by name + version + optional purl (Package URL) + hashes + licenses, and given a bom-ref, the key that the dependencies and vulnerabilities sections use to point back at a component.
  • dependencies — the dependency graph as a top-level list of edges: each entry names a component by its bom-ref and lists the bom-refs it dependsOn.
  • vulnerabilities — optional top-level list; each entry carries an identifier (e.g. a CVE), its source, ratings, and affects references that name the affected components by bom-ref, so findings are joined to the inventory by reference rather than repeated per component.
  • metadata — build-time info: timestamp, tools used, author, supplier, and the root component the BOM describes.
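The relationships above (components keyed by bom-ref, dependencies as ref/dependsOn edges, vulnerabilities joined via affects) are easiest to see by walking a document. The following is an added example, not code from the wiki page or from the CycloneDX project: it parses a constructed CycloneDX 1.5 JSON SBOM with the Python standard library, indexes components by bom-ref, finds every dependency path from the root component to a given library, joins the vulnerability list back to the components it affects, and flags dangling bom-refs (a common quality problem that silently breaks both the graph and the vulnerability join). The package names, purls, hashes and the vulnerability id EXAMPLE-0001 are placeholders invented for the sample, not real packages or a real CVE.

```python
"""Walk a CycloneDX JSON SBOM: components, dependency graph, vulnerability join.

The SBOM below is constructed for this example. Names, purls, the hash and the
vulnerability id are placeholders, not real project data or a real CVE.
"""
import json
from collections import defaultdict

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2024-01-01T00:00:00Z",
        "tools": [{"vendor": "example", "name": "example-sbom-tool", "version": "0.1"}],
        # metadata.component is the root artifact the BOM describes
        "component": {"type": "application", "bom-ref": "app",
                      "name": "example-app", "version": "2.0.0"},
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/liba@1.0.0", "name": "liba",
         "version": "1.0.0", "purl": "pkg:pypi/liba@1.0.0",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}],  # placeholder digest
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/libb@3.2.1", "name": "libb",
         "version": "3.2.1", "purl": "pkg:pypi/libb@3.2.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/libc@0.9.0", "name": "libc",
         "version": "0.9.0", "purl": "pkg:pypi/libc@0.9.0"},
    ],
    # Edges: each entry is one component's direct dependencies, by bom-ref.
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/liba@1.0.0", "pkg:pypi/libb@3.2.1"]},
        {"ref": "pkg:pypi/liba@1.0.0", "dependsOn": ["pkg:pypi/libc@0.9.0"]},
        {"ref": "pkg:pypi/libb@3.2.1", "dependsOn": []},
        {"ref": "pkg:pypi/libc@0.9.0", "dependsOn": []},
    ],
    # Findings live at top level and point at components through affects[].ref.
    "vulnerabilities": [
        {"id": "EXAMPLE-0001",  # placeholder identifier, not a real CVE
         "source": {"name": "example-advisory-db"},
         "ratings": [{"severity": "high", "method": "CVSSv3", "score": 7.5}],
         "affects": [{"ref": "pkg:pypi/libc@0.9.0"}]},
    ],
})


def load_sbom(text):
    """Parse JSON and refuse anything that does not declare itself CycloneDX."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document: bomFormat=%r" % bom.get("bomFormat"))
    return bom


def components_by_ref(bom):
    """Index every component, including the root metadata.component, by bom-ref."""
    index = {}
    root = bom.get("metadata", {}).get("component")
    if root:
        index[root["bom-ref"]] = root
    for c in bom.get("components", []):
        index[c["bom-ref"]] = c
    return index


def dependency_graph(bom):
    """bom-ref -> list of bom-refs it depends on, from the dependencies array."""
    graph = defaultdict(list)
    for entry in bom.get("dependencies", []):
        graph[entry["ref"]].extend(entry.get("dependsOn", []))
    return graph


def find_paths(bom, target):
    """All dependency paths from the root component to target (DFS, cycle-safe)."""
    root = bom["metadata"]["component"]["bom-ref"]
    graph = dependency_graph(bom)
    paths = []

    def walk(node, trail):
        if node == target:
            paths.append(trail)
            return
        for nxt in graph.get(node, []):
            if nxt not in trail:  # ignore cyclic edges rather than recurse forever
                walk(nxt, trail + [nxt])

    walk(root, [root])
    return paths


def vulnerable_components(bom):
    """Join vulnerabilities to components via affects[].ref.

    Returns {vuln_id: [(bom_ref, name, version, severity_of_first_rating), ...]}.
    Refs that resolve to no component are skipped; see dangling_refs().
    """
    index = components_by_ref(bom)
    result = {}
    for v in bom.get("vulnerabilities", []):
        ratings = v.get("ratings") or [{}]
        severity = ratings[0].get("severity", "unknown")
        hits = []
        for a in v.get("affects", []):
            c = index.get(a["ref"])
            if c is not None:
                hits.append((a["ref"], c["name"], c.get("version"), severity))
        result[v["id"]] = hits
    return result


def dangling_refs(bom):
    """bom-refs used in dependencies or affects that match no component.

    A non-empty result means the graph and the vulnerability join are incomplete.
    """
    index = components_by_ref(bom)
    refs = set()
    for d in bom.get("dependencies", []):
        refs.add(d["ref"])
        refs.update(d.get("dependsOn", []))
    for v in bom.get("vulnerabilities", []):
        refs.update(a["ref"] for a in v.get("affects", []))
    return sorted(r for r in refs if r not in index)


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM)
    print("dangling refs:", dangling_refs(bom))
    for vid, hits in vulnerable_components(bom).items():
        for ref, name, version, severity in hits:
            print(f"{vid} ({severity}) affects {name}@{version}")
            for path in find_paths(bom, ref):
                print("  via", " -> ".join(path))
```

The dangling-ref check is the one worth keeping in a pipeline: generators that emit a vulnerabilities block or a dependency tree without matching bom-refs produce a document that validates against the schema yet tells a consumer nothing about which shipped artifact is affected.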

Canonical wiki use (Zalando 2023-04-12)

Named as one of the "common formats" Zalando cites for portability + tooling integration: "Common formats like CycloneDX or SPDX help with portability and integration into various tooling." (Source: sources/2023-04-12-zalando-how-software-bill-of-materials-change-the-dependency-game).
