1 Scope
This Standard defines the CycloneDX v1.7 Bill of Materials (BOM) specification, a structured format for representing detailed inventory information about software and hardware components, services, dependencies, vulnerabilities, cryptographic artefacts, machine learning models, and other elements relevant to supply chain transparency and cybersecurity assurance.
This Standard specifies the syntax and semantics for:
- describing software and hardware components, services, dependencies, vulnerabilities, and compositions;
- expressing metadata, annotations, external references, lifecycle context, and formulation processes;
- supporting domain-specific modelling for cryptographic artefacts and machine learning models;
- asserting claims, attestations, and supporting evidence for conformance to standards or requirements;
- documenting open-source and commercial licensing and other artefacts supporting software transparency and risk analysis.
The BOM is serialised using a machine-readable JSON format and is intended for exchange across tools, systems, and stakeholders within software and hardware supply chains.
Note 1 BOMs conforming to this standard may be produced manually or generated by automated tools during any phase of the system or software lifecycle.
Note 2 This standard does not define enforcement mechanisms for verifying the accuracy or completeness of a BOM, nor does it prescribe a specific transport mechanism for exchanging BOMs.
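Because the standard leaves verification of a BOM's accuracy to the consumer, a receiving tool typically performs its own consistency checks on the JSON serialisation. The following is an added example, not part of this Standard or the CycloneDX project's code: it constructs a minimal CycloneDX 1.7 BOM (the component names and purl-style bom-ref values are made up) and checks that the dependency graph only references declared bom-ref values and that no bom-ref is declared twice. It checks referential consistency only, not full schema conformance.

```python
import json

# Constructed sample: a minimal CycloneDX 1.7 BOM with one deliberately dangling
# dependency target (libbaz is referenced but never declared as a component).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.7",
    "version": 1,
    "metadata": {
        "component": {"type": "application", "name": "example-app",
                      "version": "2.0.0", "bom-ref": "pkg:generic/example-app@2.0.0"}
    },
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2",
         "bom-ref": "pkg:generic/libfoo@1.4.2"},
        {"type": "library", "name": "libbar", "version": "0.9.0",
         "bom-ref": "pkg:generic/libbar@0.9.0"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/example-app@2.0.0",
         "dependsOn": ["pkg:generic/libfoo@1.4.2", "pkg:generic/libbar@0.9.0"]},
        {"ref": "pkg:generic/libfoo@1.4.2", "dependsOn": ["pkg:generic/libbaz@3.0.0"]},
    ],
})

def declared_refs(bom):
    """Collect every bom-ref declared on metadata.component and in components."""
    refs = []
    meta = bom.get("metadata", {}).get("component")
    if meta and "bom-ref" in meta:
        refs.append(meta["bom-ref"])
    refs += [c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c]
    return refs

def check_bom(text):
    """Return a list of consistency problems found in a serialised BOM (empty if none)."""
    bom = json.loads(text)
    problems = []
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != "1.7":
        problems.append("not a CycloneDX 1.7 document")
    refs = declared_refs(bom)
    problems += [f"duplicate bom-ref: {r}" for r in sorted({r for r in refs if refs.count(r) > 1})]
    known = set(refs)
    for dep in bom.get("dependencies", []):
        if dep.get("ref") not in known:
            problems.append(f"dependency ref not declared: {dep.get('ref')}")
        for target in dep.get("dependsOn", []):
            if target not in known:
                problems.append(f"dangling dependsOn: {dep.get('ref')} -> {target}")
    return problems
```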