MedTech Terms

    CycloneDX

    A lightweight, OWASP-maintained SBOM format designed for application security and supply-chain use cases.

    Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed May 5, 2026.

    Definition

    CycloneDX is an OWASP flagship SBOM specification designed to support application security, supply-chain risk, and license compliance use cases. CycloneDX supports first-class representation of components, services, dependencies, vulnerabilities, exploitability (VEX), formulation (build provenance), and machine-learning model bills of materials (ML-BOM). It is one of the two SBOM formats explicitly accepted by the FDA.

    What the regulation says
    FDA's 2023 cybersecurity guidance accepts CycloneDX as a valid SBOM format. CycloneDX is the more common choice in pure-security pipelines because it natively models VEX in the same file as the SBOM, simplifying continuous vulnerability disclosure to operators. CISA's SBOM minimum elements are fully expressible in CycloneDX.

    What this means in practice

    CycloneDX has become the default for CI/CD-generated SBOMs in MedTech because community tooling (Syft, cdxgen, the CycloneDX CLI) and integrations with Anchore, Snyk, and Dependency-Track are mature. The single-file SBOM+VEX model meaningfully reduces the operational burden of post-market vulnerability response.

    Common pitfalls
    • Producing CycloneDX without dependency relationships - that breaks transitive impact analysis.
    • Using CycloneDX 1.4 when modern tooling expects 1.5/1.6.
    • Skipping the BOM-Link / VEX block, forcing operators to maintain a separate exploitability feed.
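    The three pitfalls above can be caught before an SBOM ships. The following is an added example, not code from this page or from the CycloneDX project: it audits a constructed CycloneDX 1.5 JSON document for a missing or incomplete dependency graph, an old specVersion, and vulnerabilities that carry no VEX analysis state. All component names, versions and the vulnerability id are placeholders.

```python
import json

# Constructed sample: a CycloneDX 1.5 JSON BOM for a hypothetical device firmware
# with components, a dependency graph and one VEX entry; all values are placeholders.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"type": "firmware", "name": "pump-fw",
                               "version": "2.3.0", "bom-ref": "fw"}},
    "components": [
        {"type": "library", "name": "libtls", "version": "1.0.0", "bom-ref": "tls"},
        {"type": "library", "name": "libjson", "version": "4.2.1", "bom-ref": "json"},
    ],
    "dependencies": [{"ref": "fw", "dependsOn": ["tls", "json"]},
                     {"ref": "tls", "dependsOn": []}, {"ref": "json", "dependsOn": []}],
    "vulnerabilities": [{
        "id": "PLACEHOLDER-VULN-1",  # placeholder, not a real advisory id
        "affects": [{"ref": "json"}],
        "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
    }],
})

def audit_bom(bom_json: str) -> list[str]:
    """Check a CycloneDX JSON BOM for the pitfalls listed above; [] means clean."""
    bom = json.loads(bom_json)
    findings: list[str] = []
    if tuple(int(p) for p in bom.get("specVersion", "0").split(".")) < (1, 5):
        findings.append(f"specVersion {bom.get('specVersion')} is older than 1.5")
    # bom-refs of every component, including the root component in metadata
    comps = bom.get("components", []) + [bom.get("metadata", {}).get("component", {})]
    refs = {c["bom-ref"] for c in comps if c.get("bom-ref")}
    deps = bom.get("dependencies", [])
    if not deps:
        findings.append("no dependencies block: transitive impact analysis impossible")
    else:
        seen = {d["ref"] for d in deps} | {r for d in deps for r in d.get("dependsOn", [])}
        findings += [f"component {r} absent from dependency graph" for r in sorted(refs - seen)]
        findings += [f"dependency graph references unknown bom-ref {r}" for r in sorted(seen - refs)]
    for v in bom.get("vulnerabilities", []):
        if not v.get("analysis", {}).get("state"):
            findings.append(f"vulnerability {v.get('id')} carries no VEX analysis state")
        for a in v.get("affects", []):
            if a.get("ref") not in refs:
                findings.append(f"vulnerability {v.get('id')} affects unknown ref {a.get('ref')}")
    return findings

def without(bom_json: str, key: str) -> str:
    # Drop one top-level block from a BOM, to see which finding that triggers.
    bom = json.loads(bom_json)
    bom.pop(key, None)
    return json.dumps(bom)
```

    Running the same audit against a real SBOM only requires replacing SAMPLE_BOM with the file contents; the checks do not depend on the placeholder values.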

    Frequently asked questions

    Yes. CycloneDX supports firmware, operating-system, library, framework, container, and file component types - plus services and machine-learning models in newer versions.

