CycloneDX
Definition
CycloneDX is a lightweight software bill of materials (SBOM) standard, originated within OWASP and published as ECMA-424, designed to improve the security and transparency of software supply chains. It provides a structured format (JSON, XML or protocol buffers) for describing the components, dependencies and metadata of a software application, so that organizations can match components against known vulnerabilities, verify the integrity of what they ship, manage licenses and demonstrate compliance. Because each component is identified by name, version and ideally a package URL (purl) and cryptographic hash, an SBOM consumer can answer "do we ship this artifact?" mechanically rather than by inspection. CycloneDX is widely used in DevSecOps pipelines to generate, share and analyze component information across teams and tools.
Secure Settings Example
The example below records, for each component, both its license (for compliance) and a SHA-256 digest of the artifact (for integrity verification), plus a package URL so vulnerability databases can match it unambiguously. The purl, bom-ref and digest values are placeholders, not the real identifiers or hash of any published library; in practice the digest is whatever sha256sum reports for the exact artifact that was built or downloaded.
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {
      "type": "library",
      "bom-ref": "pkg:maven/com.example/example-library@1.0.0",
      "name": "example-library",
      "version": "1.0.0",
      "purl": "pkg:maven/com.example/example-library@1.0.0",
      "licenses": [
        {
          "license": {
            "id": "Apache-2.0"
          }
        }
      ],
      "hashes": [
        {
          "alg": "SHA-256",
          "content": "3a7bd3e2360a5e3b2f7b3e3a7bd3e2360a5e3b2f7b3e3a7bd3e2360a5e3b2f7b"
        }
      ]
    }
  ]
}
Two caveats a practitioner should keep in mind. First, a SHA-256 value must be exactly 64 hexadecimal characters; the CycloneDX schema rejects anything else, and a truncated digest can never match a real artifact. Second, hashes inside an SBOM are only as trustworthy as the SBOM itself: a document that an attacker can rewrite can be given hashes that match a tampered artifact. Sign the BOM (CycloneDX JSON supports an embedded JSON Signature Format signature, and XML supports XML Signature) or distribute it through a channel whose integrity is independently attested, and set serialNumber and metadata.timestamp so that consumers can tell which BOM describes which build.
Insecure Settings Example
The document below is schema-valid CycloneDX, so a tool that only checks well-formedness will accept it, but it carries neither license information nor hashes for the component. Without a hash, a consumer cannot verify that the artifact actually deployed is the one the SBOM describes; without a license, the compliance use case the format exists for is not served. An SBOM like this documents a dependency without letting anyone check it.
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "example-library",
      "version": "1.0.0"
    }
  ]
}
Note that the component also lacks a purl, so vulnerability matching has to fall back to fuzzy name/version comparison, which is both noisier and easier for a typosquatted package to slip past.
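The difference between the two examples above is easiest to see by running a policy check over them. The following is an added example, not code from the CycloneDX project or from any CycloneDX library: it parses a CycloneDX JSON document with only the standard library, flags components that lack licenses or carry missing or malformed hashes (including the wrong digest length for the declared algorithm), and verifies a component's declared SHA-256 against the bytes of a local artifact. The artifact contents, the BOMs and the helper names audit_bom, verify_component_hash and make_bom are all constructed here for illustration.

```python
import hashlib
import json

# Hex-digest lengths for the hash algorithms CycloneDX allows (assumption: this
# subset is enough for the check; the schema also lists SHA3 and BLAKE variants).
DIGEST_LENGTHS = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-384": 96, "SHA-512": 128}
HEX_CHARS = set("0123456789abcdefABCDEF")


def audit_bom(bom: dict) -> list:
    """Return a list of findings for a parsed CycloneDX JSON BOM.

    Checks the format header, then requires every component to carry at
    least one license and at least one well-formed hash. Empty list == clean.
    """
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    if "specVersion" not in bom:
        findings.append("specVersion missing")
    for comp in bom.get("components", []):
        ident = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        if not comp.get("licenses"):
            findings.append(f"{ident}: no license information")
        hashes = comp.get("hashes") or []
        if not hashes:
            findings.append(f"{ident}: no hashes, integrity cannot be verified")
        for h in hashes:
            alg, content = h.get("alg"), h.get("content", "")
            expected = DIGEST_LENGTHS.get(alg)
            if expected is None:
                findings.append(f"{ident}: unknown hash algorithm {alg!r}")
            elif len(content) != expected or not set(content) <= HEX_CHARS:
                findings.append(f"{ident}: malformed {alg} digest")
    return findings


def verify_component_hash(component: dict, artifact: bytes) -> bool:
    """True only if the artifact bytes match every SHA-256 the component declares.

    A component with no SHA-256 returns False rather than True, so an
    undocumented component never passes an integrity gate by default.
    """
    declared = [h.get("content", "").lower()
                for h in component.get("hashes", []) if h.get("alg") == "SHA-256"]
    if not declared:
        return False
    actual = hashlib.sha256(artifact).hexdigest()
    return all(d == actual for d in declared)


# Constructed sample artifact standing in for the downloaded library file.
ARTIFACT = b"example-library 1.0.0 contents (constructed sample, not a real package)"


def make_bom(with_integrity: bool) -> dict:
    """Build a minimal BOM shaped like the page's examples; the digest is
    computed from ARTIFACT so the complete BOM is verifiable."""
    comp = {"type": "library", "name": "example-library", "version": "1.0.0"}
    if with_integrity:
        comp["licenses"] = [{"license": {"id": "Apache-2.0"}}]
        comp["hashes"] = [{"alg": "SHA-256",
                           "content": hashlib.sha256(ARTIFACT).hexdigest()}]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": [comp]}


COMPLETE_BOM = make_bom(True)
INCOMPLETE_BOM = make_bom(False)


if __name__ == "__main__":
    for label, bom in (("complete", COMPLETE_BOM), ("incomplete", INCOMPLETE_BOM)):
        # Round-trip through JSON text, as a consumer receiving the file would.
        parsed = json.loads(json.dumps(bom))
        print(label, audit_bom(parsed) or "OK")
    comp = COMPLETE_BOM["components"][0]
    print("artifact matches:", verify_component_hash(comp, ARTIFACT))
    print("tampered artifact matches:", verify_component_hash(comp, ARTIFACT + b"\x00"))
```

Run as a script it reports the complete BOM as OK, lists the missing license and hashes for the incomplete one, and shows that a single appended byte makes the artifact fail verification. Pointing the same audit at a BOM whose digest is 63 characters long produces a "malformed SHA-256 digest" finding, which is the check that catches a copy-paste-truncated hash before it reaches a release gate.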