CycloneDX
CycloneDX is an open SBOM (Software Bill of Materials) standard maintained by OWASP. It defines a JSON or XML format for cataloguing every open source component, dependency, and service in a software application — including their versions, licenses, and known vulnerabilities. CycloneDX is one of the two main SBOM formats (alongside SPDX) and is widely supported by SCA tools and CI/CD pipelines.
Why CycloneDX matters
When Log4Shell hit in December 2021, organizations scrambled to find every system running vulnerable Log4j. Teams with SBOM inventories could query them in minutes. Teams without took days or weeks of manual audit. That incident accelerated SBOM adoption significantly.
The US executive order on cybersecurity (2021) and EU Cyber Resilience Act (2025) both reference SBOMs as a requirement for software sold to government and certain markets. CycloneDX is one of the two accepted formats.
How to generate a CycloneDX SBOM
# npm projects
npx @cyclonedx/cyclonedx-npm --output-file sbom.json

# Python
pip install cyclonedx-bom
cyclonedx-bom -o sbom.json
# (CLI name and flags differ between cyclonedx-bom releases; check --help for the installed version)

# All ecosystems (using syft)
syft . -o cyclonedx-json > sbom.json

# Java/Maven
mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
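Once an SBOM exists, the Log4Shell-style lookup described above is a query over its component list. The Python below is an added example, not code from the page or the CycloneDX project; the SBOM content is constructed, and the group, name and version threshold are parameters you would take from the advisory you are responding to.

```python
import json

# Constructed sample SBOM in CycloneDX JSON shape, trimmed to the fields this query uses.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

def parse_version(v):
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-beta9' is dropped (pre-release == release)."""
    parts = []
    for p in v.split("."):
        lead = ""
        for ch in p:
            if not ch.isdigit():
                break
            lead += ch
        parts.append(int(lead) if lead else 0)
    return tuple(parts)

def iter_components(node):
    """Yield every component; CycloneDX lets components nest inside components."""
    for c in node.get("components", []):
        yield c
        yield from iter_components(c)

def find_affected(sbom_json, group, name, fixed_in):
    """Return identifiers of components matching group/name with version below fixed_in."""
    bom = json.loads(sbom_json)
    threshold = parse_version(fixed_in)
    hits = []
    for c in iter_components(bom):
        if c.get("name") != name or c.get("group", "") != group:
            continue
        if parse_version(c.get("version", "0")) < threshold:
            hits.append(c.get("purl") or f"{group}/{name}@{c.get('version')}")
    return hits

if __name__ == "__main__":
    # Threshold chosen for the example: 2.17.1 is past the Log4Shell fix releases.
    for ident in find_affected(SAMPLE_SBOM, "org.apache.logging.log4j", "log4j-core", "2.17.1"):
        print("AFFECTED:", ident)
```

Run against a real SBOM by replacing SAMPLE_SBOM with the file contents; the same query works for any ecosystem because it keys on the component's group, name and version rather than on a package-manager-specific field.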
CycloneDX vs SPDX
Both are widely accepted SBOM formats. CycloneDX (OWASP) was designed with security use cases first — it has richer vulnerability data support. SPDX (Linux Foundation) was designed with license compliance first. For security tooling, CycloneDX is usually the better choice. Many tools support both.