CycloneDX is an open-source standard governed by the OWASP Foundation that defines a machine-readable format for creating Bills of Materials across software, services, and hardware. Originating in the application security community, it enables organizations to inventory every component—including transitive dependencies—within a system, providing a structured JSON or XML document that facilitates precise vulnerability identification and license compliance tracking.
Glossary
CycloneDX

What is CycloneDX?
CycloneDX is a lightweight, open-source Bill of Materials (BOM) specification designed for application security contexts and supply chain component analysis, supporting SBOM, SaaSBOM, and OBOM use cases.
Unlike monolithic inventory lists, CycloneDX captures complex dependency graphs and pedigree metadata, linking components to their cryptographic hashes and provenance records. It interoperates with tools like Dependency-Track for continuous monitoring and aligns with SLSA and SPDX to enforce supply chain integrity, making it a foundational element for DevSecOps pipelines requiring automated, standards-based risk analysis.
Key Features of CycloneDX
CycloneDX is a lightweight, open-source Bill of Materials (BOM) standard designed for application security and supply chain component analysis. It supports multiple BOM types including SBOM, SaaSBOM, and OBOM.
Dependency Graph Modeling
CycloneDX captures the complete transitive dependency graph of a component, not just a flat list. The specification models:
- Direct dependencies: Components explicitly declared by the project
- Transitive dependencies: Nested dependencies pulled in automatically by direct components
- Dependency relationships: Explicit
dependsOnedges that map the exact graph structure
This graph representation enables precise blast radius analysis—when a vulnerability is disclosed in a deeply nested library, tools can instantly trace every affected application path. The graph also supports pedigree tracking, documenting the lineage and provenance of each component.
Vulnerability Exploitability eXchange (VEX) Integration
CycloneDX natively incorporates VEX (Vulnerability Exploitability eXchange) data directly within the BOM document. This allows software suppliers to communicate the exploitability status of known vulnerabilities:
- Not Affected: The vulnerability exists in the component but is not exploitable due to how it is used
- Affected: The vulnerability is present and exploitable; remediation is required
- Fixed: The vulnerability has been addressed in a specific version
- Under Investigation: The supplier is still determining exploitability
Embedding VEX data eliminates the false positive fatigue that plagues security teams using traditional SCA tools, reducing alert noise by up to 40%.
Cryptographic Signature & Integrity Verification
CycloneDX BOMs can be cryptographically signed using JSON Web Signatures (JWS) or XML Digital Signatures, providing:
- Non-repudiation: The BOM author's identity is verifiable through their signing key
- Tamper detection: Any modification to the BOM after signing invalidates the signature
- Chain of custody: Signatures can be chained to show each entity that handled the artifact
Integration with Sigstore and Cosign enables keyless signing workflows tied to OIDC identities, making automated BOM signing practical in CI/CD pipelines without managing long-lived private keys.
License Compliance Automation
CycloneDX provides a structured, machine-readable license inventory for every component in the BOM:
- Supports SPDX license expressions (e.g.,
MIT AND Apache-2.0) - Captures license evidence—the actual text or file path where the license was detected
- Models license acknowledgments for components requiring attribution
- Tracks commercial license terms alongside open-source licenses
This structured license data enables automated policy enforcement. A build pipeline can reject any component with a GPL-3.0 license if the organization's policy prohibits copyleft licenses, without manual legal review.
Extensible Component Taxonomy
CycloneDX classifies components using a rich, extensible taxonomy that goes beyond simple package names:
- Component type:
application,framework,library,container,operating-system,device,firmware,file - Component scope:
required,optional,excluded—indicating whether the component is mandatory for functionality - External references: URLs to VCS repositories, issue trackers, build systems, documentation, and distribution channels
- Custom properties: Arbitrary key-value pairs for organization-specific metadata
This taxonomy enables granular policy filtering—for example, flagging all optional components that are out-of-support for immediate removal.
Frequently Asked Questions
Clear, technical answers to the most common questions about the CycloneDX Bill of Materials standard, its structure, and its role in securing the AI supply chain.
CycloneDX is a lightweight, open-source Bill of Materials (BOM) standard designed specifically for application security and supply chain component analysis. It works by providing a machine-readable, structured inventory of all components that constitute a software artifact, including their dependencies, licenses, and known vulnerabilities. Originating from the OWASP community, it has evolved beyond a pure Software Bill of Materials (SBOM) to support multiple BOM types, including SaaSBOM for services and OBOM for operational technology. The specification defines objects in JSON, XML, or Protocol Buffers, allowing automated tools to ingest and analyze the composition of a system to identify risks like outdated libraries or license conflicts before deployment.
CycloneDX vs. SPDX: A Comparison
A technical comparison of the two dominant Bill of Materials standards for software supply chain security and license compliance.
| Feature | CycloneDX | SPDX |
|---|---|---|
Primary Focus | Security & vulnerability management | License compliance & IP management |
Governing Body | OWASP Foundation | Linux Foundation |
Current Version | 1.5 | 3.0 |
Native BOM Types | SBOM, SaaSBOM, OBOM, HBOM, VDR, VEX | SBOM |
Serialization Formats | JSON, XML, Protocol Buffers | JSON, YAML, RDF/XML, Tag-Value, Spreadsheet |
Vulnerability Data | ||
Pedigree & Provenance | ||
Cryptographic Signing | Envelope signature (JSON Web Signature) | Envelope signature (Detached ASCII Armor) |
License Expression Syntax | SPDX License Expressions | SPDX License Expressions (native) |
Maturity Level (ISO) | ECMA-424 (Standard) | ISO/IEC 5962:2021 (Standard) |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Key specifications, frameworks, and complementary standards that form the foundation of modern software supply chain security alongside CycloneDX.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us