Software Supply Chain

CycloneDX

CycloneDX is an open-standard SBOM format maintained by OWASP that represents software components, their relationships, and associated metadata in a machine-readable structure. It is one of the two dominant SBOM formats alongside SPDX and is widely used for CRA compliance documentation.

What Is CycloneDX?

CycloneDX is an open-standard Software Bill of Materials (SBOM) format maintained by the OWASP Foundation and, since 2024, also published by Ecma International as ECMA-424. It represents the components that make up a software product, including libraries, frameworks, operating system packages and firmware, together with their versions, package URLs (purls), cryptographic hashes and licence information. CycloneDX supports JSON, XML and Protocol Buffers serialisation and is designed to be consumed by vulnerability management tools, software composition analysis platforms and supply chain security systems. It goes beyond a pure inventory format: the same document can embed VEX (Vulnerability Exploitability eXchange) statements, describe service dependencies, inventory hardware components and express a cryptographic bill of materials (CBOM), which makes it a particularly comprehensive basis for CRA technical documentation.

CRA reference: Annex VII

CycloneDX for CRA Compliance

The CRA requires manufacturers to draw up an SBOM in a commonly used, machine-readable format covering at least the top-level dependencies of the product (Annex I, Part II) and to include it in the technical documentation (Annex VII). CycloneDX satisfies this requirement and provides capabilities that support broader CRA compliance:

  • Component inventory: Lists every component with its version and purl, the identifier that vulnerability feeds and SCA tools match against. A component recorded without a purl cannot be correlated with CVE data automatically.
  • VEX integration: CycloneDX embeds VEX statements in the same document (the vulnerabilities array), so a manufacturer can assert, with a justification, which vulnerabilities do not affect the product and cut alert noise for users.
  • Licence compliance: Records each component's licence, supporting intellectual property management alongside security obligations.
  • Hash verification: Cryptographic hashes recorded per component let a consumer verify that a shipped artefact matches the inventory, supporting the CRA's supply chain integrity requirements.
  • Composition completeness: The compositions element carries an aggregate value (such as complete, incomplete, incomplete_first_party_only, unknown or not_specified) stating how thoroughly the SBOM captures the product's components, which helps market surveillance authorities (MSAs) judge how much weight the file carries as evidence.
CRA reference: Annex VII, Annex I
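As an added example (not code from this page or from the CycloneDX project), the following Python reads a constructed CycloneDX 1.5 JSON document and exercises each capability listed above: it indexes components by bom-ref, flags entries with no purl, verifies a component's SHA-256 against artefact bytes, walks the dependencies graph, reads compositions[].aggregate, and filters the embedded VEX statements down to the vulnerabilities that still need action. The SBOM, the placeholder artefact bytes and the EXAMPLE-VULN identifiers are all constructed for this example and are not real components or CVEs; the rule that a not_affected claim without a justification does not close a finding is a policy choice of this example, not a requirement of the CycloneDX schema.

```python
# Added example: reading a CycloneDX 1.5 JSON SBOM with embedded VEX. The SBOM and
# artefact bytes are constructed for this example; the vulnerability IDs are placeholders.
import hashlib
import json

LIBTLS_BLOB = b"stand-in bytes for libtls-3.2.1.so (constructed, not a real artefact)"

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "metadata": {"component": {"type": "firmware", "name": "gateway-fw",
                               "version": "2.4.0", "bom-ref": "gateway-fw@2.4.0"}},
    "components": [
        {"type": "library", "name": "libtls", "version": "3.2.1",
         "bom-ref": "pkg:generic/libtls@3.2.1", "purl": "pkg:generic/libtls@3.2.1",
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(LIBTLS_BLOB).hexdigest()}]},
        {"type": "library", "name": "zlib", "version": "1.3.1",
         "bom-ref": "pkg:generic/zlib@1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
        # No purl and no hash: nothing a vulnerability feed can be correlated against.
        {"type": "library", "name": "vendorblob", "version": "7", "bom-ref": "vendorblob-7"},
    ],
    "dependencies": [
        {"ref": "gateway-fw@2.4.0", "dependsOn": ["pkg:generic/libtls@3.2.1", "vendorblob-7"]},
        {"ref": "pkg:generic/libtls@3.2.1", "dependsOn": ["pkg:generic/zlib@1.3.1"]},
    ],
    "compositions": [{"aggregate": "incomplete_first_party_only",
                      "assemblies": ["gateway-fw@2.4.0"]}],
    "vulnerabilities": [  # embedded VEX statements
        {"id": "EXAMPLE-VULN-1", "affects": [{"ref": "pkg:generic/libtls@3.2.1"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"id": "EXAMPLE-VULN-2", "affects": [{"ref": "pkg:generic/zlib@1.3.1"}],
         "analysis": {"state": "exploitable", "response": ["update"]}},
        {"id": "EXAMPLE-VULN-3", "affects": [{"ref": "pkg:generic/zlib@1.3.1"}]},  # not triaged
    ],
})

# VEX analysis states in which the manufacturer owes no further action.
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

def load_sbom(text: str) -> dict:
    """Parse JSON and reject anything that is not a CycloneDX document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX" or "specVersion" not in doc:
        raise ValueError("not a CycloneDX BOM")
    return doc

def components_by_ref(sbom: dict) -> dict:
    """Index the root (metadata) component and every listed component by bom-ref."""
    comps = list(sbom.get("components", [])) + [sbom.get("metadata", {}).get("component", {})]
    return {c["bom-ref"]: c for c in comps if "bom-ref" in c}

def uncorrelatable(sbom: dict) -> list:
    """bom-refs of components with no purl; automated CVE correlation cannot match them."""
    return [c["bom-ref"] for c in sbom.get("components", []) if not c.get("purl")]

def verify_sha256(component: dict, data: bytes) -> str:
    """Check artefact bytes against the recorded SHA-256: verified / mismatch / unhashed."""
    recorded = [h["content"].lower() for h in component.get("hashes", []) if h["alg"] == "SHA-256"]
    if not recorded:
        return "unhashed"
    return "verified" if hashlib.sha256(data).hexdigest() in recorded else "mismatch"

def transitive_deps(sbom: dict, ref: str) -> set:
    """Every bom-ref reachable from ref through the dependencies graph."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, stack = set(), [ref]
    while stack:
        for child in edges.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen

def aggregate_completeness(sbom: dict) -> str:
    """compositions[].aggregate for the root assembly; the spec default is not_specified."""
    root = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    for comp in sbom.get("compositions", []):
        if root in comp.get("assemblies", []):
            return comp.get("aggregate", "not_specified")
    return "not_specified"

def actionable_vulnerabilities(sbom: dict) -> list:
    """IDs still needing work: untriaged, open, or not_affected without a justification."""
    out = []
    for v in sbom.get("vulnerabilities", []):
        analysis = v.get("analysis", {})
        state = analysis.get("state", "in_triage")  # no analysis block means not yet triaged
        closed = state in CLOSED_STATES
        if state == "not_affected" and not analysis.get("justification"):
            closed = False  # policy of this example: an unjustified claim does not silence a finding
        if not closed:
            out.append(v["id"])
    return out

if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM)
    print(aggregate_completeness(bom), uncorrelatable(bom), actionable_vulnerabilities(bom))
```

Run as a script it prints the aggregate value, the one component that cannot be correlated (vendorblob-7) and the two vulnerability IDs still open; the same functions can be pointed at a real SBOM produced by any of the generators discussed later on this page, since they only rely on standard CycloneDX fields.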

CycloneDX vs SPDX: When to Use Each

CycloneDX and SPDX are both well-supported SBOM standards. Key differences:

  • Focus: CycloneDX emphasises security and vulnerability management — it has richer native support for VEX, services, and security-relevant metadata. SPDX emphasises licence compliance and provenance — it has deeper support for licence expression and copyright information.
  • Adoption: CycloneDX has strong adoption in the vulnerability management and PSIRT community. SPDX has stronger adoption in open source legal compliance contexts.
  • NTIA minimum elements: Both formats satisfy the US NTIA minimum SBOM elements. The CRA itself names no format; it requires a commonly used, machine-readable one, and Article 13(24) allows the Commission to specify the format and elements of the SBOM by implementing act, so either format could be named later.

For CRA compliance, CycloneDX is generally preferred for manufacturers whose primary SBOM use case is vulnerability management. SPDX is preferred when licence compliance is the primary driver. Many organisations generate both.

CRA reference: Annex VII

Tooling for CycloneDX Generation

CycloneDX SBOMs can be generated using open-source and commercial tooling:

  • Language-specific tools: The CycloneDX project maintains open-source generators for Maven, Gradle, npm, Python (pip, Poetry and Pipenv environments), Go modules, .NET and other ecosystems, each producing a CycloneDX SBOM from that ecosystem's resolved dependencies.
  • Container scanning: Tools such as Syft (Anchore) generate CycloneDX SBOMs from container images, capturing OS packages and language dependencies across all image layers.
  • Build and CI integration: The generators above run as build plugins or CLI steps, so CI/CD pipelines can emit a fresh SBOM for every release artefact automatically.
  • Dependency-Track: OWASP Dependency-Track natively consumes CycloneDX SBOMs and continuously re-evaluates them against vulnerability data, making it a natural companion to CycloneDX generation tooling.

CVD Portal makes CycloneDX compliance straightforward.

Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.


Frequently asked

Is CycloneDX the required SBOM format under the CRA?

No. The CRA requires an SBOM in the technical documentation file but does not mandate a specific format. Both CycloneDX and SPDX are widely accepted. The choice of format should be driven by the manufacturer's tooling ecosystem and primary use cases. For vulnerability management workflows, CycloneDX is generally recommended. If a Notified Body is involved in assessment, confirming their preferred format is advisable.

Does CycloneDX handle firmware components, not just software libraries?

Yes. CycloneDX supports hardware, firmware, and operating system components alongside software libraries and frameworks. For embedded products typical of CRA-covered IoT and industrial devices, CycloneDX can represent the full component stack: firmware, OS packages, application libraries, and external services. This comprehensive coverage makes it particularly suitable for the types of products that are the primary target of CRA regulation.

How often should a CycloneDX SBOM be regenerated?

The SBOM should be regenerated on every product release that changes any component — a new dependency version, a removed library, or a new service dependency. The Annex VII technical file must reflect the current state of the product, so an outdated SBOM is a compliance gap. Best practice is to regenerate the SBOM automatically as part of the CI/CD build pipeline so that every release artefact has an accompanying, current SBOM without manual effort.
