My talk from the FOSDEM Software Composition Analysis devroom. A quick intro to CycloneDX, some comments on the current vulnerability extension and some suggested improvements.
CycloneDX is a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.

- Open Source under Apache 2.0
- Tools for generating SBOMs for Maven, Gradle, .NET, Node, Rust, Python, PHP, Ruby and Cocoapods
- cyclonedx.org and github.com/CycloneDX
ecosystem

- Specification should be machine readable
- Specification should be easy to implement with minimal effort
- Specification should be simple and performant to parse
- Specification should provide lightweight schema definitions for JSON and XML
- Specification should reuse parts of existing specs where beneficial
- Specification should be extensible to support specialized and future use cases
- Specification should be decentralized, authoritative, and security focused
- Specification should promote continuous component analysis
- Should support hardware, libraries, frameworks, applications, containers, and operating systems
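To make the "machine readable" and "simple and performant to parse" goals concrete, here is an added example written for this page (it is not CycloneDX's own tooling and was not part of the talk). It builds a constructed JSON BOM, rejects documents that are not CycloneDX, indexes components by bom-ref, flags a purl that a generator listed twice, and resolves each vulnerability's affects refs back to the components they name. The field names follow the CycloneDX 1.4 JSON layout, where vulnerabilities live in a core array rather than in the separate extension the talk discusses; the package names, versions and the vulnerability ids EXAMPLE-0001 and EXAMPLE-0002 are made up for the sample.

```python
"""Parse a minimal CycloneDX JSON BOM and cross-reference its
vulnerability entries with the components they claim to affect."""
import json
from collections import Counter

# Constructed sample BOM (not from the talk or the CycloneDX project).
# Field names follow the CycloneDX 1.4 JSON layout as assumed by this
# example; component names, versions and vulnerability ids are made up.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.example/util@1.2.3",
         "group": "org.example", "name": "util", "version": "1.2.3",
         "purl": "pkg:maven/org.example/util@1.2.3"},
        {"type": "library", "bom-ref": "pkg:npm/left-pad@1.3.0",
         "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        # Same package emitted twice under a different bom-ref: a
        # generator double-count that a consumer should notice.
        {"type": "library", "bom-ref": "pkg:npm/left-pad@1.3.0-dup",
         "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "source": {"name": "example-db"},
         "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:maven/org.example/util@1.2.3"}]},
        # Dangling ref: points at a component the BOM does not contain.
        {"id": "EXAMPLE-0002", "source": {"name": "example-db"},
         "affects": [{"ref": "pkg:npm/does-not-exist@9.9.9"}]},
    ],
})


def load_bom(text):
    """Parse BOM text and reject anything that is not a CycloneDX document."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM: bomFormat=%r" % bom.get("bomFormat"))
    if "specVersion" not in bom:
        raise ValueError("missing specVersion")
    return bom


def index_components(bom):
    """Map each component's bom-ref (falling back to purl) to the component."""
    refs = {}
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl")
        if ref is None:
            raise ValueError("component without bom-ref or purl: %r" % comp)
        if ref in refs:
            raise ValueError("duplicate bom-ref %r" % ref)
        refs[ref] = comp
    return refs


def duplicate_purls(bom):
    """Return purls that appear on more than one component."""
    counts = Counter(c["purl"] for c in bom.get("components", []) if c.get("purl"))
    return sorted(p for p, n in counts.items() if n > 1)


def match_vulnerabilities(bom):
    """Resolve each vulnerability's 'affects' refs against the component index.

    Returns (matched, dangling): matched maps vulnerability id -> list of
    affected purls; dangling lists (id, ref) pairs that name no component."""
    refs = index_components(bom)
    matched, dangling = {}, []
    for vuln in bom.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        for target in vuln.get("affects", []):
            ref = target.get("ref")
            comp = refs.get(ref)
            if comp is None:
                dangling.append((vid, ref))
            else:
                matched.setdefault(vid, []).append(comp.get("purl", ref))
    return matched, dangling


if __name__ == "__main__":
    bom = load_bom(SAMPLE_BOM)
    print("components:", len(index_components(bom)))
    print("duplicate purls:", duplicate_purls(bom))
    matched, dangling = match_vulnerabilities(bom)
    for vid, purls in matched.items():
        print(vid, "affects", purls)
    for vid, ref in dangling:
        print(vid, "references unknown component", ref)
```

The dangling-ref check is the part worth keeping when consuming real BOMs: a vulnerability entry whose ref resolves to nothing is silently useless, so a consumer should fail loudly rather than report a clean result.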