ECMA-424

CycloneDX Bill of materials specification

2nd edition, December 2025

This Standard defines the CycloneDX v1.7 Bill of materials specification, a structured format for representing detailed inventory information about software and hardware components, services, dependencies, vulnerabilities, cryptographic artefacts, machine learning models, and other elements relevant to supply chain transparency and cybersecurity assurance.

This Standard specifies the syntax and semantics for:

  • describing software and hardware components, services, dependencies, vulnerabilities, and compositions;
  • expressing metadata, annotations, external references, lifecycle context, and formulation processes;
  • supporting domain-specific modelling for cryptographic artefacts and machine learning models;
  • asserting claims, attestations, and supporting evidence for conformance to standards or requirements;
  • documenting open-source and commercial licensing and other artefacts supporting software transparency and risk analysis.

The BOM is serialised using a machine-readable JSON format and is intended for exchange across tools, systems, and stakeholders within software and hardware supply chains.

Classification

Category: Software engineering and interfaces

Subcategory: Bill of materials

Technical Committee: TC54

Archives

  • ECMA-424, 1st edition, June 2024