CycloneDX v1.6 has become an ECMA Standard. The decision was taken by the ECMA General Assembly June 26, 2024. This is important for all the work going on with worldwide regulations requiring vendors to assume more responsibility for their user’s security, making sure their software is secure by design and that all vulnerabilities in their own code and third party code is fixed in due time.
The software bill of materials (SBOM) is at the heart of this process. But CycloneDX covers so much more, it’s a language to describe many features related to software and hardware transparency. Version 1.6 added Cryptography Bill of Materials (CBOM) to the specification, making the transition to post-quantum crypto more manageable.
OWASP has become members of ECMA and created the ECMA TC54 task group to standardise not only CycloneDX, but also the Transparency Exchange API (TEA) and PURL software identifiers.
Read more on the OWASP CycloneDX web site: