CycloneDX / specification

Licence: Apache-2.0 License
Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis

Projects that are alternatives of or similar to specification

cyclonedx-cli
CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.
Stars: ✭ 154 (+19.38%)
Mutual labels:  owasp, bom, vex, spdx, bill-of-materials, software-bill-of-materials, sbom, cyclonedx, obom, mbom, saasbom
cyclonedx-python
Creates CycloneDX Software Bill of Materials (SBOM) from Python projects and environments.
Stars: ✭ 78 (-39.53%)
Mutual labels:  owasp, bom, vex, spdx, bill-of-materials, software-bill-of-materials, sbom, cyclonedx, obom, mbom, saasbom
cyclonedx-php-composer
Create CycloneDX Software Bill of Materials (SBOM) from PHP Composer projects
Stars: ✭ 20 (-84.5%)
Mutual labels:  owasp, bom, vex, spdx, bill-of-materials, software-bill-of-materials, sbom, cyclonedx, obom, mbom, saasbom
cyclonedx-maven-plugin
Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects
Stars: ✭ 103 (-20.16%)
Mutual labels:  owasp, bom, vex, spdx, bill-of-materials, software-bill-of-materials, sbom, cyclonedx, obom, mbom, saasbom
cyclonedx-dotnet
Creates CycloneDX Software Bill of Materials (SBOM) from .NET Projects
Stars: ✭ 110 (-14.73%)
Mutual labels:  owasp, bom, vex, spdx, bill-of-materials, software-bill-of-materials, sbom, cyclonedx, obom, mbom, saasbom
cyclonedx-gomod
Creates CycloneDX Software Bill of Materials (SBOM) from Go modules
Stars: ✭ 27 (-79.07%)
Mutual labels:  owasp, bom, vex, bill-of-materials, software-bill-of-materials, sbom, obom, mbom, saasbom
cyclonedx-node-module
Creates CycloneDX Software Bill of Materials (SBOM) from node-based projects
Stars: ✭ 104 (-19.38%)
Mutual labels:  bom, software-bill-of-materials, sbom, cyclonedx
scancode.io
ScanCode.io is a server to script and automate software composition analysis pipelines with ScanPipe pipelines. This project is sponsored by the NLnet project https://nlnet.nl/project/vulnerabilitydatabase/, Google Summer of Code, nexB and other generous sponsors.
Stars: ✭ 66 (-48.84%)
Mutual labels:  license, spdx, cyclonedx
cdxgen
Creates CycloneDX Software Bill of Materials (SBOM) for your projects from source and container images. Supports many languages and package managers. Integrates into your CI/CD pipeline with automatic submission to a Dependency-Track server.
Stars: ✭ 75 (-41.86%)
Mutual labels:  bom, sbom, cyclonedx
dep-scan
Fully open-source security audit for project dependencies based on known vulnerabilities and advisories. Supports both local repos and container images. Integrates with various CI environments such as Azure Pipelines, CircleCI and Google CloudBuild. No server required!
Stars: ✭ 346 (+168.22%)
Mutual labels:  vex, sbom, cyclonedx
zap-sonar-plugin
Integrates OWASP Zed Attack Proxy reports into SonarQube
Stars: ✭ 66 (-48.84%)
Mutual labels:  owasp, software-security
SBOM
Examples and proof-of-concept for Software Bill of Materials (SBOM) code & data
Stars: ✭ 38 (-70.54%)
Mutual labels:  bill-of-materials, sbom
BrAPI
Repository for version control of the BrAPI specifications
Stars: ✭ 50 (-61.24%)
Mutual labels:  specification, standard
security-policy-specification-standard
This document proposes a way of standardising the structure, language, and grammar used in security policies.
Stars: ✭ 24 (-81.4%)
Mutual labels:  specification, standard
awesome-sbom
A curated list of SBOM (Software Bill Of Materials) related tools, frameworks, blogs, podcasts, and articles
Stars: ✭ 164 (+27.13%)
Mutual labels:  software-bill-of-materials, sbom
standard-components
A specification for functional UI components
Stars: ✭ 52 (-59.69%)
Mutual labels:  specification, standard
dependency-check-plugin
Jenkins plugin for OWASP Dependency-Check. Inspects project components for known vulnerabilities (e.g. CVEs).
Stars: ✭ 107 (-17.05%)
Mutual labels:  owasp, software-security
OpossumUI
A light-weight app to audit and inventory large codebases for open source license compliance.
Stars: ✭ 32 (-75.19%)
Mutual labels:  spdx, software-bill-of-materials
biolink-model
Schema and generated objects for biolink data model and upper ontology
Stars: ✭ 83 (-35.66%)
Mutual labels:  specification, standard
shared-row
This is an open data specification for describing the right-of-way (ROW) for street centerline networks. It is intended to establish a common set of attributes (schema) to describe how space is allocated along a streets right of way from sidewalk edge to sidewalk edge.
Stars: ✭ 16 (-87.6%)
Mutual labels:  specification, standard


CycloneDX Specification

CycloneDX is a lightweight Software Bill of Materials (SBOM) specification designed for use in application security contexts and supply chain component analysis.

Introduction

Modern software is assembled using third-party and open source components, glued together in complex and unique ways, and integrated with original code to achieve the desired functionality. An accurate inventory of all components enables organizations to identify risk, allows for greater transparency, and enables rapid impact analysis.

CycloneDX was created for this purpose.

Strategic direction and maintenance of the specification is managed by the CycloneDX Core working group, with origins in the OWASP community.

Use Cases

The CycloneDX project maintains a list of achievable use cases. Examples for each use case are provided in both XML and JSON.

Tool Center

The CycloneDX Tool Center is a community effort to establish a marketplace of free, open source, and proprietary tools and solutions that support the CycloneDX specification.

Media Types

The following media types are officially registered with IANA:

Media Type Format Assignment
application/vnd.cyclonedx+xml XML IANA
application/vnd.cyclonedx+json JSON IANA

A specific version of CycloneDX can be requested or declared with the version parameter, e.g. application/vnd.cyclonedx+xml; version=1.3.

The officially supported media type for Protocol Buffer format is application/x.vnd.cyclonedx+protobuf.
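The following is an added example, not code from the CycloneDX project, showing how a service that accepts BOM uploads would act on the media types and the version parameter listed above. It assumes the released versions from the release history on this page, and it applies its own policy (not a rule of the specification) that a version named in the header must agree with the version the document itself declares: specVersion in JSON, the schema namespace in XML. The sample documents at the bottom are constructed here.

```python
"""Classify an uploaded CycloneDX BOM by Content-Type and version.
Added example; not CycloneDX project code."""
import json
import re
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production (entity-expansion attacks)

# The media types listed above: the two IANA-registered ones plus the protobuf one.
CYCLONEDX_MEDIA_TYPES = {
    "application/vnd.cyclonedx+xml": "xml",
    "application/vnd.cyclonedx+json": "json",
    "application/x.vnd.cyclonedx+protobuf": "protobuf",
}

# Released specification versions, taken from the release history on this page.
KNOWN_VERSIONS = {"1.0", "1.1", "1.2", "1.3", "1.4"}

# XML BOMs carry their version in the root element's namespace,
# e.g. {http://cyclonedx.org/schema/bom/1.4}bom
_XML_BOM_TAG = re.compile(r"^\{http://cyclonedx\.org/schema/bom/(\d+\.\d+)\}bom$")


def parse_content_type(header):
    """Split 'type/subtype; name=value; name2="value 2"' into (media_type, params).
    Media type and parameter names are case-insensitive (RFC 2045), so both are
    lower-cased; parameter values keep their case and quoted values are unquoted.
    Deliberately simple: a ';' inside a quoted value is not handled."""
    parts = [p.strip() for p in header.split(";")]
    media_type = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if "=" not in part:
            continue  # malformed parameter: ignore it
        name, value = part.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        params[name.strip().lower()] = value
    return media_type, params


def spec_version_from_body(fmt, body):
    """Return the version the document declares about itself, or None for
    protobuf (this example does not decode the binary form)."""
    if fmt == "json":
        doc = json.loads(body)
        if doc.get("bomFormat") != "CycloneDX":
            raise ValueError("JSON body is not a CycloneDX BOM (bomFormat missing)")
        return doc.get("specVersion")
    if fmt == "xml":
        try:
            root = ET.fromstring(body)
        except ET.ParseError as exc:
            raise ValueError("XML body is not well-formed: %s" % exc)
        m = _XML_BOM_TAG.match(root.tag)
        if not m:
            raise ValueError("XML body is not a CycloneDX BOM (unexpected root element)")
        return m.group(1)
    return None


def classify_bom_upload(content_type, body):
    """Decide how to handle an uploaded BOM; returns (format, spec_version).

    Policy of this example (not of the specification): unknown media types and
    unreleased versions are rejected, and a version named in the header must
    agree with the version the document declares, so a client cannot have a 1.4
    document parsed as 1.3 merely by relabelling the header."""
    media_type, params = parse_content_type(content_type)
    fmt = CYCLONEDX_MEDIA_TYPES.get(media_type)
    if fmt is None:
        raise ValueError("unsupported media type: %s" % media_type)
    header_version = params.get("version")
    if header_version is not None and header_version not in KNOWN_VERSIONS:
        raise ValueError("unknown CycloneDX version in header: %s" % header_version)
    doc_version = spec_version_from_body(fmt, body)
    if header_version and doc_version and header_version != doc_version:
        raise ValueError("header says version %s but document declares %s"
                         % (header_version, doc_version))
    version = header_version or doc_version
    if version is None:
        raise ValueError("no version parameter and none readable from the document")
    return fmt, version


def is_rejected(content_type, body):
    """True when classify_bom_upload refuses the upload (convenience for callers)."""
    try:
        classify_bom_upload(content_type, body)
    except ValueError:
        return True
    return False


# Constructed sample documents so the module runs stand-alone.
SAMPLE_JSON_BOM = '{"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": []}'
SAMPLE_XML_BOM = '<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1"></bom>'

if __name__ == "__main__":
    print(classify_bom_upload("application/vnd.cyclonedx+json; version=1.4", SAMPLE_JSON_BOM))
    print(classify_bom_upload('Application/VND.CycloneDX+XML; version="1.3"', SAMPLE_XML_BOM))
```

The protobuf branch shows the weak spot of relying on the header alone: with no self-describing version read from the body, the version parameter is the only signal, so a consumer of the protobuf form should either require it or decode the message before trusting it.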

Release History

Version Release Date
CycloneDX 1.4 12 January 2022
CycloneDX 1.3 04 May 2021
CycloneDX 1.2 26 May 2020
CycloneDX 1.1 03 March 2019
CycloneDX 1.0 26 March 2018
Initial Prototype 01 May 2017

Related Work

SPDX (Software Package Data Exchange) is a specification that provides low-level details of components, including all files, hashes, authors, and copyrights. SPDX also defines over 300 open source license IDs. CycloneDX builds on top of the work SPDX has accomplished with license IDs, but varies greatly in its approach towards building a software bill of materials specification.

SWID (ISO/IEC 19770-2:2015) is used primarily to identify installed software and is the preferred format of the NVD. SWID tags are used in the National Vulnerability Database to describe vulnerable components. The CycloneDX specification complements this work: CycloneDX documents can incorporate SWID tag IDs and other high-level SWID metadata, and can optionally embed entire SWID documents. SWID tag IDs are useful in determining whether a specific component has known vulnerabilities.

CPE (Common Platform Enumeration) is a specification that describes the vendor, name, and version for an application, operating system, or hardware device. CPE identifiers are used in the National Vulnerability Database to describe vulnerable components. The CycloneDX specification complements this work, as CycloneDX documents can easily be used to construct exact CPE identifiers, which are useful in determining whether a specific component has known vulnerabilities.
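As an added example of the CPE construction described above (not code from the CycloneDX project), the following derives a CPE 2.3 formatted-string identifier for each component of a CycloneDX JSON BOM. The field mapping it uses (publisher, else group, else name, as the CPE vendor; name as product; version as version; component type operating-system and device mapped to CPE parts o and h) is a heuristic of this example, not a rule of the specification. A cpe value already declared on a component is taken as authoritative. The sample BOM at the bottom is constructed here.

```python
"""Build CPE 2.3 formatted strings from CycloneDX JSON components.
Added example; not CycloneDX project code."""
import json
import re

# In the CPE 2.3 formatted-string binding, alphanumerics plus '_', '.', '-'
# appear as-is; every other printable character is backslash-escaped
# (NISTIR 7695, bind_value_for_fs). Escaping also makes a literal '*' or '?'
# a non-wildcard. Non-ASCII is not valid in a CPE name and is rejected.
_FS_PLAIN = re.compile(r"[a-z0-9_.\-]")

# CycloneDX component type -> CPE part; everything else is an application ("a").
# This mapping is an assumption of the example.
_PART_FOR_TYPE = {"operating-system": "o", "device": "h"}


def bind_fs_value(value):
    """Bind one attribute value to formatted-string form; empty means ANY."""
    if value is None or value == "":
        return "*"
    if not value.isascii():
        raise ValueError("CPE attribute values must be printable ASCII: %r" % value)
    # Lower-case (CPE names are case-insensitive) and replace whitespace with
    # '_', which is what NVD does for multi-word vendors and products.
    value = re.sub(r"\s+", "_", value.strip().lower())
    return "".join(ch if _FS_PLAIN.match(ch) else "\\" + ch for ch in value)


def cpe_for_component(component):
    """CPE 2.3 string for one CycloneDX component dict.

    A 'cpe' declared in the BOM is returned unchanged after a prefix check.
    Otherwise vendor comes from 'publisher', then 'group', then 'name';
    product from 'name'; version from 'version' (heuristic, see lead-in)."""
    declared = component.get("cpe")
    if declared:
        if not declared.startswith("cpe:2.3:"):
            raise ValueError("cpe field is not a CPE 2.3 formatted string: %s" % declared)
        return declared
    part = _PART_FOR_TYPE.get(component.get("type"), "a")
    vendor = component.get("publisher") or component.get("group") or component.get("name")
    fields = [part,
              bind_fs_value(vendor),
              bind_fs_value(component.get("name")),
              bind_fs_value(component.get("version"))]
    # update, edition, language, sw_edition, target_sw, target_hw, other are
    # not known from the BOM, so they are left as ANY.
    return "cpe:2.3:" + ":".join(fields) + ":*:*:*:*:*:*:*"


def cpes_for_bom(bom_text):
    """[(bom-ref or name, cpe), ...] for every component of a CycloneDX JSON BOM."""
    bom = json.loads(bom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON BOM")
    return [(c.get("bom-ref") or c.get("name"), cpe_for_component(c))
            for c in bom.get("components", [])]


# Constructed sample BOM: a Maven library, a vendor product with awkward
# characters in its name, and a component that already declares its CPE.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "publisher": "Example Corp",
         "name": "Widget Kit (Pro)", "version": "3.0.0-beta1"},
        {"type": "application", "name": "curl", "version": "7.79.1",
         "cpe": "cpe:2.3:a:haxx:curl:7.79.1:*:*:*:*:*:*:*"},
    ],
})

if __name__ == "__main__":
    for ref, cpe in cpes_for_bom(SAMPLE_BOM):
        print(ref, "->", cpe)
```

The first result is the caveat in practice: the Maven group org.apache.logging.log4j is not the vendor string NVD uses for that project, so a heuristically derived CPE may not match any NVD entry even when the component is vulnerable. Exact matching against NVD depends on the tool that generates the BOM (or a curation step) populating the component's cpe field; the escaping above only guarantees that whatever is emitted is a well-formed CPE 2.3 string.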

Copyright & License

CycloneDX Specification is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache License 2.0
