Software Bill of Materials (SBOM)


Inventory software components and services and the dependency relationships between them

Software Bill of Materials
Software-as-a-Service BOM
Vulnerability Exploitability Exchange
Hardware Bill of Materials
Operations Bill of Materials
Vulnerability Disclosure Report
Javascript Object Notation
Extensible Markup Language
Protocol Buffers

A complete and accurate inventory of all first-party and third-party components is essential for risk identification. BOMs should ideally contain all direct and transitive components and the dependency relationships between them.

CycloneDX far exceeds the Minimum Elements for Software Bill of Materials as defined by the National Telecommunications and Information Administration (NTIA) in response to U.S. Executive Order 14028.

Adopting CycloneDX allows organizations to quickly meet these minimum requirements and mature into using more sophisticated use cases over time. CycloneDX is capable of achieving all SBOM requirements defined in the OWASP Software Component Verification Standard (SCVS).

High-Level Object Model

CycloneDX can represent any type of software component along with services the software relies on. Refer to Use Cases for details on the many possibilities that exist for beginner, intermediate, and advanced SBOM use cases.

CycloneDX Object Model Swimlane


BOMs demonstrating SBOM capabilities can be found at

See also

Additional Capabilities

CycloneDX Supporters

Contrast Security
Ecma International
Fortress Information Security
Lockheed Martin