What is CycloneDX?
OWASP-led SBOM/AIBOM standard. CycloneDX 1.6 (2024) added the machine-learning-model component type.
Full explanation
CycloneDX is one of the two major SBOM formats (the other is SPDX). Version 1.6 added AI-specific extensions: the machine-learning-model component type and the modelCard sub-fields (datasets, performanceMetrics, ethicalConsiderations, considerations).
Example
Most modern SBOM/AIBOM generators emit CycloneDX 1.6; the format can be embedded in DSSE envelopes for signed supply-chain provenance.
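The following is an added illustration, not code from CycloneDX or from any generator: it wraps a constructed CycloneDX 1.6 AIBOM in a DSSE envelope and verifies the envelope before reading the model components. The sample BOM, key and key ID are made up, and HMAC-SHA256 stands in for a real signature scheme such as Ed25519 so the example needs only the standard library.

```python
import base64, hashlib, hmac, json

PAYLOAD_TYPE = "application/vnd.cyclonedx+json"  # CycloneDX JSON media type

# Constructed sample BOM: names and values are illustrative only.
# The modelCard nesting follows the CycloneDX JSON schema.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [{
        "type": "machine-learning-model",
        "name": "example-classifier",
        "version": "0.1.0",
        "modelCard": {
            "modelParameters": {"datasets": [{"type": "dataset", "name": "example-train-set"}]},
            "quantitativeAnalysis": {"performanceMetrics": [{"type": "accuracy", "value": "0.91"}]},
            "considerations": {"ethicalConsiderations": [
                {"name": "example risk", "mitigationStrategy": "example mitigation"}]},
        },
    }],
}

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes that get signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def wrap(bom: dict, key: bytes, keyid: str) -> dict:
    """Serialize the BOM and place it in a DSSE envelope (HMAC is a stand-in signer)."""
    payload = json.dumps(bom, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payload": base64.b64encode(payload).decode(),
            "payloadType": PAYLOAD_TYPE,
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}

def verify_and_list_models(envelope: dict, key: bytes) -> list:
    """Verify first, parse second; return names of ML models that carry a modelCard."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType")
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"]))
               for s in envelope["signatures"]):
        raise ValueError("signature check failed")
    bom = json.loads(payload)
    return [c["name"] for c in bom.get("components", [])
            if c.get("type") == "machine-learning-model" and "modelCard" in c]
```

Because the payload type is part of the signed bytes, an envelope whose type or payload has been altered fails verification before any BOM content is parsed.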
FAQ
CycloneDX vs SPDX for AIBOM?
CycloneDX 1.6 has more mature AI extensions today. SPDX 3 has equivalent extensions, but its tooling lags.