cyclonedx
Safeguard articles tagged "cyclonedx" — guides, analysis, and best practices for software supply chain and application security.
71 articles
Generating and exporting a software bill of materials in AWS
A practical walkthrough for generating and exporting an AWS SBOM using Inspector and ECR -- plus troubleshooting tips and how Safeguard helps.
CycloneDX ML-BOM in 1.7: Implementation Guide
CycloneDX 1.7 was published in October 2025 and adopted by the General Assembly in December. We unpack what the ML-BOM capability means in practice for AI inventory.
CycloneDX 1.7 Ratified as ECMA-424 2nd Edition (December 2025)
CycloneDX v1.7 was adopted as ECMA-424, 2nd Edition by the Ecma General Assembly in December 2025. We unpack citations, cryptographic assets, and distribution constraints.
CycloneDX 1.7 Deep Dive: Cryptography, Citations, and Patents
CycloneDX 1.7 released in October 2025 with first-class cryptography metadata, a new Citations element, and patent-aware IP fields. We walk through what changed and which producers should adopt now.
Best open source SBOM generation tools
A practical, no-hype comparison of open source SBOM generation tools — Syft, Trivy, cdxgen, Microsoft sbom-tool, SPDX Tools, and Tern — plus what to check before you pick one.
Syft v1.20 Release: Faster Scans, Smarter License Detection
Anchore's Syft v1.20 ships a refactored license cataloger, Bitnami SBOM passthrough, and a 2x speedup on filesystem scans. We tested the upgrade on five real codebases.
SBOM Interoperability: Bridging CycloneDX and SPDX
Your suppliers send SPDX. Your tools expect CycloneDX. Interoperability between SBOM formats is a real operational challenge. Here is how to solve it.
What Is a Software Ingredient Label?
Food gets an ingredient panel; software gets an SBOM. What a software ingredient label contains, who is demanding one, and how to generate yours automatically.
How Snyk Container generates a Software Bill of Materials...
How Snyk Container statically scans image layers, parses OS package databases and lockfiles, and exports CycloneDX/SPDX SBOMs — mechanically explained.
What is a Vulnerability Exploitability eXchange (VEX) Statement
A VEX statement is a machine-readable assertion of whether a product is actually affected by a CVE — the document that stops your customers from triaging your SBOM for you.
How Snyk AI-BOM generates a CycloneDX v1.6-compliant ML-BOM
How Snyk's aibom CLI uses static analysis to detect models, agents, and MCP servers, then maps them into a CycloneDX v1.6-compliant ML-BOM structure.
How Snyk AI-BOM's continuous refresh model differs from a...
How Snyk's AI-BOM keeps model and dataset inventories current through continuous refresh, and why that differs mechanically from a point-in-time static SBOM export.