The document at https://tc54.org/ecma424/ is the most accurate and up-to-date CycloneDX specification.
This document is available as a single page and as multiple pages.
This specification is developed on GitHub with the help of the OWASP community. There are a number of ways to contribute to the development of this specification:
Refer to the
CycloneDX is a modern standard designed to address the complexities of the software and system supply chain. Originating in 2017, CycloneDX has grown into a general-purpose Bill of Materials (BOM) standard capable of representing various types of inventories, including software, hardware, and services. CycloneDX continuously evolves to meet the changing needs of the industry, incorporating new features and improvements to stay ahead of emerging challenges.
The design philosophy of CycloneDX emphasizes simplicity and ease of use, making it accessible to both technical and non-technical stakeholders. Despite its straightforward design, CycloneDX is a full-stack BOM format with advanced capabilities. Its guiding principles include easy adoption, rapid risk identification, continuous improvement, and high degrees of automation and extensibility.
CycloneDX plays a crucial role in enhancing software and system transparency, providing detailed information about the components used in an application, including their versions, suppliers, and dependencies. This transparency is essential for identifying and managing risks, ensuring regulatory compliance, and building trust in both software and hardware systems. By offering a comprehensive and standardized way to document these components, CycloneDX enables organizations to achieve greater security and reliability in their supply chains, supporting a wide range of use cases from product security to vendor risk management.
This Ecma Standard was developed by Technical Committee 54 and was adopted by the General Assembly of December 2025.