Inferensys

Glossary

CycloneDX

A lightweight, standards-based Bill of Materials specification designed for use in application security contexts and supply chain component analysis, supporting SBOM, SaaSBOM, and OBOM.
Supply chain manager using AI negotiator on laptop, supplier data visible, casual office afternoon setup.
OWASP BOM STANDARD

What is CycloneDX?

CycloneDX is a lightweight, open-source Bill of Materials (BOM) specification designed for application security contexts and supply chain component analysis, supporting SBOM, SaaSBOM, and OBOM use cases.

CycloneDX is an open-source standard governed by the OWASP Foundation that defines a machine-readable format for creating Bills of Materials across software, services, and hardware. Originating in the application security community, it enables organizations to inventory every component—including transitive dependencies—within a system, providing a structured JSON or XML document that facilitates precise vulnerability identification and license compliance tracking.

Unlike monolithic inventory lists, CycloneDX captures complex dependency graphs and pedigree metadata, linking components to their cryptographic hashes and provenance records. It interoperates with tools like Dependency-Track for continuous monitoring and aligns with SLSA and SPDX to enforce supply chain integrity, making it a foundational element for DevSecOps pipelines requiring automated, standards-based risk analysis.

THE BOM STANDARD

Key Features of CycloneDX

CycloneDX is a lightweight, open-source Bill of Materials (BOM) standard designed for application security and supply chain component analysis. It supports multiple BOM types including SBOM, SaaSBOM, and OBOM.

02

Dependency Graph Modeling

CycloneDX captures the complete transitive dependency graph of a component, not just a flat list. The specification models:

  • Direct dependencies: Components explicitly declared by the project
  • Transitive dependencies: Nested dependencies pulled in automatically by direct components
  • Dependency relationships: Explicit dependsOn edges that map the exact graph structure

This graph representation enables precise blast radius analysis—when a vulnerability is disclosed in a deeply nested library, tools can instantly trace every affected application path. The graph also supports pedigree tracking, documenting the lineage and provenance of each component.

03

Vulnerability Exploitability eXchange (VEX) Integration

CycloneDX natively incorporates VEX (Vulnerability Exploitability eXchange) data directly within the BOM document. This allows software suppliers to communicate the exploitability status of known vulnerabilities:

  • Not Affected: The vulnerability exists in the component but is not exploitable due to how it is used
  • Affected: The vulnerability is present and exploitable; remediation is required
  • Fixed: The vulnerability has been addressed in a specific version
  • Under Investigation: The supplier is still determining exploitability

Embedding VEX data eliminates the false positive fatigue that plagues security teams using traditional SCA tools, reducing alert noise by up to 40%.

04

Cryptographic Signature & Integrity Verification

CycloneDX BOMs can be cryptographically signed using JSON Web Signatures (JWS) or XML Digital Signatures, providing:

  • Non-repudiation: The BOM author's identity is verifiable through their signing key
  • Tamper detection: Any modification to the BOM after signing invalidates the signature
  • Chain of custody: Signatures can be chained to show each entity that handled the artifact

Integration with Sigstore and Cosign enables keyless signing workflows tied to OIDC identities, making automated BOM signing practical in CI/CD pipelines without managing long-lived private keys.

05

License Compliance Automation

CycloneDX provides a structured, machine-readable license inventory for every component in the BOM:

  • Supports SPDX license expressions (e.g., MIT AND Apache-2.0)
  • Captures license evidence—the actual text or file path where the license was detected
  • Models license acknowledgments for components requiring attribution
  • Tracks commercial license terms alongside open-source licenses

This structured license data enables automated policy enforcement. A build pipeline can reject any component with a GPL-3.0 license if the organization's policy prohibits copyleft licenses, without manual legal review.

06

Extensible Component Taxonomy

CycloneDX classifies components using a rich, extensible taxonomy that goes beyond simple package names:

  • Component type: application, framework, library, container, operating-system, device, firmware, file
  • Component scope: required, optional, excluded—indicating whether the component is mandatory for functionality
  • External references: URLs to VCS repositories, issue trackers, build systems, documentation, and distribution channels
  • Custom properties: Arbitrary key-value pairs for organization-specific metadata

This taxonomy enables granular policy filtering—for example, flagging all optional components that are out-of-support for immediate removal.

CYCLONEDX EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about the CycloneDX Bill of Materials standard, its structure, and its role in securing the AI supply chain.

CycloneDX is a lightweight, open-source Bill of Materials (BOM) standard designed specifically for application security and supply chain component analysis. It works by providing a machine-readable, structured inventory of all components that constitute a software artifact, including their dependencies, licenses, and known vulnerabilities. Originating from the OWASP community, it has evolved beyond a pure Software Bill of Materials (SBOM) to support multiple BOM types, including SaaSBOM for services and OBOM for operational technology. The specification defines objects in JSON, XML, or Protocol Buffers, allowing automated tools to ingest and analyze the composition of a system to identify risks like outdated libraries or license conflicts before deployment.

SBOM STANDARD SELECTION

CycloneDX vs. SPDX: A Comparison

A technical comparison of the two dominant Bill of Materials standards for software supply chain security and license compliance.

FeatureCycloneDXSPDX

Primary Focus

Security & vulnerability management

License compliance & IP management

Governing Body

OWASP Foundation

Linux Foundation

Current Version

1.5

3.0

Native BOM Types

SBOM, SaaSBOM, OBOM, HBOM, VDR, VEX

SBOM

Serialization Formats

JSON, XML, Protocol Buffers

JSON, YAML, RDF/XML, Tag-Value, Spreadsheet

Vulnerability Data

Pedigree & Provenance

Cryptographic Signing

Envelope signature (JSON Web Signature)

Envelope signature (Detached ASCII Armor)

License Expression Syntax

SPDX License Expressions

SPDX License Expressions (native)

Maturity Level (ISO)

ECMA-424 (Standard)

ISO/IEC 5962:2021 (Standard)

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.