On April 9, 2024, the OWASP CycloneDX project announced the release of version 1.6 of their industry-leading bill of materials specification as well as several new or updated best practices documents for practitioners. As with many prior releases, CycloneDX 1.6 continues to expand its support for a wide range of supply chain risk management activities beyond only software bill of materials (SBOM). 

As a reminder, CycloneDX is one of the two primary SBOM options available to organizations seeking to comply with U.S. Executive Order 14028 and other supporting frameworks requiring software component transparency. In the past, CycloneDX has added hardware bill of materials (HBOM), VEX and VDR support for vulnerability reporting, SaaSBOM to describe services and APIs, OBOM or Operational BOM to describe application configurations, and much more.

In this latest release, CycloneDX sets the stage for the specification to begin the process for standardization through Ecma TC54 and adds additional capabilities for Cryptographic BOM, Machine Learning BOM enhancements, and Attestation support. 

We will get into those features below, but before we do, it’s important to understand the state of these SBOM specifications. CycloneDX previously received pushback from some in industry due to the lack of formal governance in its process and the rapid speed at which the format has expanded. The schema for CycloneDX has grown quite large (5673 lines in the 1.6 JSON schema), but so has the utility of the project. Ecma TC54 adoption now gives CycloneDX a path to the kind of standards maturity SPDX already has as an ISO/IEC standard (ISO/IEC 5962:2021), while retaining all the work that has gone into the format so far.

Cryptographic BOM (CBOM)

Initially developed by IBM Research — and not to be confused with a Configurable BOM or a Cybersecurity BOM (we sure do love our BOM acronyms!) — CBOMs capture cryptographic assets. These include cryptographic algorithms, protocols, certificates, and other cryptographic metadata, including implementation details and lifecycle status. As a fully featured inventory of this information, CBOM allows development and cybersecurity teams to understand the specifics of how cryptography is used in an application and where weaknesses that can lead to security breaches might occur. 

As an example, look back at some of the TLS-related weaknesses of the past. A cryptographic inventory that records which library and version implements each TLS endpoint could have sped up remediation of an issue such as Heartbleed, the OpenSSL heartbeat bug that let an attacker read chunks of server memory (including private keys and session data) from affected versions; the hard part of that response was finding every system that ran a vulnerable build. And as quantum-resistant cryptography matures, the same inventory creates the opportunity to establish assurance practices aligned with NIST-approved post-quantum algorithms.

Furthermore, recent guidance from the White House and CISA advocating a move to quantum-resistant cryptography, such as OMB memorandum M-23-02 and CISA’s Post-Quantum Cryptography Initiative, calls for exactly this kind of inventory: agencies are directed to catalog the cryptographic systems they use before they can plan a migration. CBOM is the first SBOM specification to carry such an inventory in structured, machine-readable form, and because it lives in the SBOM, it can be correlated with software components, services, vulnerabilities, and any other object that CycloneDX natively supports.
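To make the CBOM data model concrete, here is an added example in Python (not code from the CycloneDX project or from FOSSA). It builds a small constructed CBOM containing a placeholder TLS library, two algorithm assets, and a TLS 1.2 protocol asset wired together through the BOM’s dependency graph, audits it for algorithms below a classical-security threshold or with no NIST post-quantum security level, and then walks the dependency graph upward to find which protocols and software components are reachable from each weak algorithm. This is the correlation to software the CBOM section describes. Field names follow the 1.6 schema as assumed here (the `cryptographic-asset` component type, `cryptoProperties` with `algorithmProperties` and `protocolProperties`, `classicalSecurityLevel`, `nistQuantumSecurityLevel`, `cipherSuites`); the library name and version, the `bom-ref` values, and the 128-bit threshold are assumptions of the example.

```python
"""Audit a CycloneDX 1.6 CBOM for weak or non-quantum-safe cryptography.

Added example; not code from the CycloneDX project or from FOSSA. The BOM
below is constructed for illustration. Its field names follow the 1.6
schema as this example assumes it (the "cryptographic-asset" component
type with cryptoProperties/algorithmProperties/protocolProperties); the
library name and version are placeholders, not a claim about any real
release.
"""
import json

MIN_CLASSICAL_BITS = 128  # policy threshold chosen for this example

CONSTRUCTED_CBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/example-tls-lib@1.0.1",
         "name": "example-tls-lib", "version": "1.0.1"},  # placeholder library
        {"type": "cryptographic-asset", "bom-ref": "crypto/algorithm/aes-128-gcm",
         "name": "AES-128-GCM",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "ae", "parameterSetIdentifier": "128", "mode": "gcm",
             "cryptoFunctions": ["encrypt", "decrypt", "tag"],
             "classicalSecurityLevel": 128, "nistQuantumSecurityLevel": 1}}},
        {"type": "cryptographic-asset", "bom-ref": "crypto/algorithm/rsa-2048",
         "name": "RSA-2048",
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "primitive": "signature", "parameterSetIdentifier": "2048",
             "cryptoFunctions": ["sign", "verify"],
             "classicalSecurityLevel": 112, "nistQuantumSecurityLevel": 0}}},
        {"type": "cryptographic-asset", "bom-ref": "crypto/protocol/tls-1.2",
         "name": "TLS 1.2",
         "cryptoProperties": {"assetType": "protocol", "protocolProperties": {
             "type": "tls", "version": "1.2",
             "cipherSuites": [{"name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                               "algorithms": ["crypto/algorithm/aes-128-gcm",
                                              "crypto/algorithm/rsa-2048"],
                               "identifiers": ["0xC0", "0x2F"]}]}}},
    ],
    # Dependency edges: the library speaks TLS 1.2, which uses both algorithms.
    "dependencies": [
        {"ref": "pkg:generic/example-tls-lib@1.0.1",
         "dependsOn": ["crypto/protocol/tls-1.2"]},
        {"ref": "crypto/protocol/tls-1.2",
         "dependsOn": ["crypto/algorithm/aes-128-gcm", "crypto/algorithm/rsa-2048"]},
    ],
})


def crypto_assets(bom):
    """Index every cryptographic-asset component by its bom-ref."""
    return {c["bom-ref"]: c for c in bom.get("components", [])
            if c.get("type") == "cryptographic-asset"}


def weak_algorithms(bom):
    """Return {bom-ref: [reasons]} for algorithm assets that miss the policy."""
    findings = {}
    for ref, comp in crypto_assets(bom).items():
        props = comp.get("cryptoProperties", {})
        if props.get("assetType") != "algorithm":
            continue
        alg = props.get("algorithmProperties", {})
        reasons = []
        classical = alg.get("classicalSecurityLevel", 0)  # missing data is not a pass
        if classical < MIN_CLASSICAL_BITS:
            reasons.append(f"classicalSecurityLevel {classical} < {MIN_CLASSICAL_BITS}")
        if alg.get("nistQuantumSecurityLevel", 0) == 0:
            reasons.append("nistQuantumSecurityLevel 0: no post-quantum security claimed")
        if reasons:
            findings[ref] = reasons
    return findings


def affected_protocols(bom, weak):
    """Map each protocol asset to the weak algorithms its cipher suites reference."""
    out = {}
    for ref, comp in crypto_assets(bom).items():
        props = comp.get("cryptoProperties", {})
        if props.get("assetType") != "protocol":
            continue
        suites = props.get("protocolProperties", {}).get("cipherSuites", [])
        hits = sorted({a for s in suites for a in s.get("algorithms", []) if a in weak})
        if hits:
            out[ref] = hits
    return out


def dependents(bom, refs):
    """Walk the dependency graph upward: everything that transitively depends on refs."""
    parents = {}
    for dep in bom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, set()).add(dep["ref"])
    seen, stack = set(), list(refs)
    while stack:
        for parent in parents.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen - set(refs)


def audit(bom_json):
    """Parse a CBOM document and report weak algorithms and what they reach."""
    bom = json.loads(bom_json)
    weak = weak_algorithms(bom)
    return {"weak_algorithms": weak,
            "affected_protocols": affected_protocols(bom, weak),
            "impacted_components": sorted(dependents(bom, list(weak)))}


if __name__ == "__main__":
    print(json.dumps(audit(CONSTRUCTED_CBOM_JSON), indent=2))
```

Run as a script, the audit flags RSA-2048 (below the 128-bit threshold and with no post-quantum security level), reports that the TLS 1.2 protocol asset references it through its cipher suite, and lists the placeholder library as an impacted component because it depends on that protocol. An algorithm with no recorded security level is treated as failing rather than passing, which is the behavior a practitioner wants from an inventory audit: a gap in the data is a finding, not a clean bill of health.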

CycloneDX Attestations (CDXA)

Continuing the list of major improvements for software supply chain assurance, CycloneDX 1.6 adds CycloneDX Attestations, or CDXA. Many have long seen attestations as the natural companion to SBOM, but until now there was no standardized, uniform way to represent them in a single format. Attestations express conformance with regulatory requirements as “compliance as code” and, perhaps more importantly, make claims about the security processes used in the pipeline, backed by evidence and digitally signed so that their authenticity can be verified.

This creates the ability to support multiple regulatory requirements, such as: 

Machine Learning BOM (MLBOM) Enhancements

Building on the MLBOM capability introduced in CycloneDX 1.5, which captures ML and AI models and their supporting metadata, 1.6 extends it further. Version 1.5 already supported an inventory of machine learning models, their intended use, parent models, limitations, and ethical considerations, as well as the hardware, software, and libraries needed to run each model. Version 1.6 adds environmental considerations, such as the energy consumed and the CO2 emitted in producing a model, so that MLBOMs can support sustainability reporting for AI at a time when the technology’s power demand is outrunning the demand models grid operators plan against.

CycloneDX Authoritative Guides

In addition to all the new features in CycloneDX 1.6, the CDX project released three comprehensive documents: a second edition of the Authoritative Guide to SBOM first released with version 1.5, and two new guides.

One is the CycloneDX Authoritative Guide to CBOM, which includes detailed information on the data model, use cases, and multiple examples of how to capture cryptographic data in a CBOM. The second is a similar companion document, the CycloneDX Authoritative Guide to Attestations.

With these two new documents, users of the CycloneDX specification will have concrete references for how to produce BOMs that convey this information and develop their own standards for inclusion into CDXA. The documents also provide valuable guidance for SBOM management vendors such as FOSSA. 

As always, FOSSA will continue to cover the latest developments in the SBOM world on our blog, so stay tuned. And, if your organization is looking for support automating any part of the SBOM lifecycle (generation, ingestion, analysis, distribution, VEX, and so on), please reach out to the FOSSA team.