{"id":13728091,"url":"https://github.com/CycloneDX/specification","last_synced_at":"2025-05-08T00:31:10.154Z","repository":{"id":21418957,"uuid":"92700249","full_name":"CycloneDX/specification","owner":"CycloneDX","description":"OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX","archived":false,"fork":false,"pushed_at":"2024-11-04T14:40:51.000Z","size":1862,"stargazers_count":363,"open_issues_count":135,"forks_count":59,"subscribers_count":26,"default_branch":"master","last_synced_at":"2024-11-04T15:37:34.555Z","etag":null,"topics":["bill-of-materials","bom","cbom","cpe","cyclonedx","license","machine-learning","mbom","owasp","saasbom","sbom","software","software-bill-of-materials","spdx","specification","standard","supply-chain","swid","tc54","vex"],"latest_commit_sha":null,"homepage":"https://cyclonedx.org/","language":"XSLT","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CycloneDX.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"custom":["https://owasp.org/donate/?reponame=www-project-cyclonedx\u0026title=OWASP+CycloneDX"]}},"created_at":"2017-05-29T02:22:06.000Z","updated_at":"2024-11-04T14:41:53.000Z","dependencies_parsed_at":"2023-12-02T10:24:05.915Z","dependency_job_id":"a4fb11ef-1129-4c9e-8fca-790bdf1d01d7","html_url":"https://github.com/CycloneDX/specification","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"r
epository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fspecification","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fspecification/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fspecification/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fspecification/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CycloneDX","download_url":"https://codeload.github.com/CycloneDX/specification/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224679816,"owners_count":17351873,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bill-of-materials","bom","cbom","cpe","cyclonedx","license","machine-learning","mbom","owasp","saasbom","sbom","software","software-bill-of-materials","spdx","specification","standard","supply-chain","swid","tc54","vex"],"created_at":"2024-08-03T02:00:37.132Z","updated_at":"2025-05-08T00:31:10.140Z","avatar_url":"https://github.com/CycloneDX.png","language":"XSLT","readme":"[![Build Docs](https://github.com/CycloneDX/specification/actions/workflows/build_docs.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/build_docs.yml)\n[![CT Java](https://github.com/CycloneDX/specification/actions/workflows/test_java.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_java.yml)\n[![CT 
JavaScript](https://github.com/CycloneDX/specification/actions/workflows/test_js.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_js.yml)\n[![CT PHP](https://github.com/CycloneDX/specification/actions/workflows/test_php.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_php.yml)\n[![CT ProtoBuf](https://github.com/CycloneDX/specification/actions/workflows/test_proto.yml/badge.svg)](https://github.com/CycloneDX/specification/actions/workflows/test_proto.yml)  \n[![License][license-image]][license-url]\n[![Website](https://img.shields.io/badge/https://-cyclonedx.org-blue.svg)](https://cyclonedx.org/)\n[![Slack Invite](https://img.shields.io/badge/Slack-Join-blue?logo=slack\u0026labelColor=393939)](https://cyclonedx.org/slack/invite)\n[![Group Discussion](https://img.shields.io/badge/discussion-groups.io-blue.svg)](https://groups.io/g/CycloneDX)\n[![Twitter](https://img.shields.io/twitter/url/http/shields.io.svg?style=social\u0026label=Follow)](https://twitter.com/CycloneDX_Spec)\n[![ECMA TC54](https://img.shields.io/badge/ECMA-TC54-FC7C00?labelColor=404040)](https://tc54.org)\n\n\n# CycloneDX Bill of Materials Specification (ECMA-424)\nOWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for \ncyber risk reduction. CycloneDX is an [Ecma International](https://ecma-international.org/) standard published as \n[ECMA-424](https://ecma-international.org/publications-and-standards/standards/ecma-424/). 
\nThe [OWASP Foundation](https://owasp.org/) and Ecma International [Technical Committee for Software \u0026 System Transparency (TC54)](https://tc54.org/) \ndrive the continued advancement of the specification.\n\nThe specification supports:\n* Software Bill of Materials (SBOM)\n* Software-as-a-Service Bill of Materials (SaaSBOM)\n* Hardware Bill of Materials (HBOM)\n* Machine Learning Bill of Materials (ML-BOM)\n* Cryptography Bill of Materials (CBOM)\n* Manufacturing Bill of Materials (MBOM)\n* Operations Bill of Materials (OBOM)\n* Vulnerability Disclosure Reports (VDR)\n* Vulnerability Exploitability eXchange (VEX)\n* CycloneDX Attestations (CDXA)\n\n## A Note on the Standard and Schemas\nCycloneDX is an Ecma International standard published as ECMA-424 under a [royalty-free patent policy](https://ecma-international.org/policies/by-ipr/royalty-free-patent-policy-extension-option/). \nThe CycloneDX schemas in this repository are the official interpretations of the standard and are available under the\n[Apache 2.0 license](https://www.apache.org/licenses/LICENSE-2.0.txt). The JSON Schema is the reference implementation \nfor the standard.\n\n## Use Cases\nThe CycloneDX project maintains a [list of achievable use cases](https://cyclonedx.org/use-cases/). Examples for each\nuse case are provided in both XML and JSON.\n\n\n## Tool Center\nThe [CycloneDX Tool Center](https://cyclonedx.org/tool-center/) is a community effort to establish a marketplace of \nfree, open source, and proprietary tools and solutions that support the CycloneDX specification. 
\n\n\n## Media Types\n\nThe following media types are officially registered with IANA:\n\n| Media Type | Format | Assignment |\n|------------|--------|------------|\n| `application/vnd.cyclonedx+xml` | XML | [IANA](https://www.iana.org/assignments/media-types/application/vnd.cyclonedx+xml) |\n| `application/vnd.cyclonedx+json` | JSON | [IANA](https://www.iana.org/assignments/media-types/application/vnd.cyclonedx+json) |\n| `application/x.vnd.cyclonedx+protobuf` | Protocol Buffer | |\n\nSpecific versions of CycloneDX can be specified by using the version parameter. For example: `application/vnd.cyclonedx+xml; version=1.6`.\n\n\n## Recognized file patterns\n\nThe following file names are conventionally used for storing CycloneDX BOM files:\n* `bom.json` for JSON encoded CycloneDX BOM files.\n* `bom.xml` for XML encoded CycloneDX BOM files.\n\nAlternatively, files that match the glob pattern below are also recognized:\n* `*.cdx.json` for JSON encoded CycloneDX BOM files.\n* `*.cdx.xml` for XML encoded CycloneDX BOM files.\n    \n\n## Release History\n\n| Version           | Release Date    |\n|-------------------|-----------------|\n| CycloneDX 1.6     | 09 April 2024   |\n| CycloneDX 1.5     | 26 June 2023    |\n| CycloneDX 1.4     | 12 January 2022 |\n| CycloneDX 1.3     | 04 May 2021     |\n| CycloneDX 1.2     | 26 May 2020     |\n| CycloneDX 1.1     | 03 March 2019   |\n| CycloneDX 1.0     | 26 March 2018   |\n| Initial Prototype | 01 May 2017     |\n\n\n## Copyright \u0026 License\n\nCycloneDX Specification is Copyright (c) OWASP Foundation. 
All Rights Reserved.\n\nPermission to modify and redistribute is granted under the terms of the [Apache License 2.0][license-url].\n\n[license-image]: https://img.shields.io/badge/license-apache%20v2-brightgreen.svg\n[license-url]: https://github.com/CycloneDX/specification/blob/master/LICENSE\n","funding_links":["https://owasp.org/donate/?reponame=www-project-cyclonedx\u0026title=OWASP+CycloneDX"],"categories":["Official projects","XSLT","software"],"sub_categories":["Repositories"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCycloneDX%2Fspecification","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCycloneDX%2Fspecification","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCycloneDX%2Fspecification/lists"}