Sonatype Embraces CycloneDX Standard for Integrating Software Bills of Materials (SBOMs)

Written by Elissa Walters | May 13, 2021

CycloneDX API Creates Standardized Way to Integrate and Share SBOMs

May 13, 2021 -- Fulton, Md. -- Sonatype, the leader in developer-friendly tools for software supply chain management and security, today announced its support for the CycloneDX Software Bill of Materials (SBOM) standard, a lightweight specification designed for use in application security and software supply chain contexts. Sonatype is proud to have assisted the CycloneDX project organizers in defining the software industry's first standard for automated SBOM data exchange. Sonatype has also used the CycloneDX standard to build an API that gives third parties a straightforward way to integrate and share SBOMs between Sonatype products and other systems.


“At Sonatype, we’ve long advocated that companies should have a software bill of materials to maximize transparency in support of application security and software supply chain integrity,” said Brian Fox, CTO of Sonatype. “With software supply chain attacks continuing to rise, the need for an industry-standard SBOM format has never been greater. The CycloneDX project worked diligently with various stakeholders, including Sonatype, to establish a practical standard that will facilitate interoperability between systems and benefit the community at large.”

"We live in a multi-stack, polyglot world where software is produced using a wide range of tools and technologies. CycloneDX provides the interoperability so that all the stacks can share the same component and inventory information," said Steve Springett, Chair of the CycloneDX Working Group. "The commitment to the CycloneDX SBOM standard is a tremendous advantage as it provides security-focused organizations access to a wide range of development and security tools."

What is a Software Bill of Materials and Why Does Standardization Matter?

In 2019, Gartner discussed the importance of SBOMs in the context of Software Composition Analysis (SCA), stating:

  • By 2024, the provision of a detailed, regularly updated software bill of materials by software vendors will be a non-negotiable requirement for at least half of enterprise software buyers, up from less than 5% in 2019.
  • By 2024, 60% of enterprises will automatically build a software bill of materials for all applications and services they create, up from less than 5% in 2019.

Today, fewer than 50% of companies produce SBOMs as a routine part of software development. Without an SBOM, a company is blind to the known vulnerabilities, dependency relationships and much more in the software it builds and runs. When a new vulnerability is announced, finding every affected application becomes a scavenger hunt across the hundreds or thousands of applications in an organization's environment; with more than 10,000 vulnerabilities disclosed annually, that is a daunting task for security teams.

Unlike a simple PDF, a CycloneDX SBOM is machine-readable, so it can be acted on automatically across industry participants and shared easily between systems, customers, partners, and regulators.
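To make the "electronically actionable" point concrete, here is an added example (not Sonatype's or the CycloneDX project's code) of the lookup the preceding paragraphs describe: given a set of CycloneDX JSON SBOMs, one per application, find every application that ships a component matching an advisory, and use the SBOM's dependency graph to say whether the hit is a direct or a transitive dependency. The SBOM documents, the applications, the `org.example` Maven group and the advisory are all constructed for illustration; the advisory is hypothetical and does not refer to a real CVE. The document layout (`bomFormat`, `specVersion`, `metadata.component`, `components` with `purl` and `bom-ref`, and the `dependencies` array of `ref`/`dependsOn` entries) follows the CycloneDX 1.3 JSON format.

```python
"""Answer "which applications ship a vulnerable component?" from CycloneDX SBOMs.

Added example, not Sonatype's or the CycloneDX project's code. The SBOMs and the
advisory below are constructed test data; the advisory is hypothetical.
"""
import json
import re
from collections import deque
from typing import Dict, List, Optional, Tuple


def make_sbom(app: str, app_version: str, components: List[Tuple[str, str]],
              edges: Dict[str, List[str]]) -> str:
    """Build a minimal CycloneDX 1.3 JSON document (constructed test data).

    components: (name, version) pairs under the assumed Maven group org.example.
    edges: bom-ref -> bom-refs it depends on, emitted as the "dependencies" array.
    """
    comps = [{"type": "library", "group": "org.example", "name": n, "version": v,
              "purl": f"pkg:maven/org.example/{n}@{v}?type=jar",
              "bom-ref": f"pkg:maven/org.example/{n}@{v}"} for n, v in components]
    return json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.3", "version": 1,
        "metadata": {"component": {"type": "application", "name": app,
                                   "version": app_version, "bom-ref": f"app-{app}"}},
        "components": comps,
        "dependencies": [{"ref": ref, "dependsOn": deps} for ref, deps in edges.items()],
    })


W = "pkg:maven/org.example/widget@"
F = "pkg:maven/org.example/framework@"
SBOM_DOCS = [
    # billing-service pulls widget 2.3.0 in transitively through framework 5.1.0
    make_sbom("billing-service", "4.2.0", [("widget", "2.3.0"), ("framework", "5.1.0")],
              {"app-billing-service": [F + "5.1.0"], F + "5.1.0": [W + "2.3.0"]}),
    # web-frontend already runs the fixed widget release
    make_sbom("web-frontend", "1.0.0", [("widget", "2.4.1")], {"app-web-frontend": [W + "2.4.1"]}),
    # reporting depends on an old widget directly
    make_sbom("reporting", "7.3.1", [("widget", "1.9.2")], {"app-reporting": [W + "1.9.2"]}),
]

# Hypothetical advisory (constructed, not a real CVE): widget releases before 2.4.1 are affected.
ADVISORY = {"id": "EXAMPLE-2021-0001", "purl": "pkg:maven/org.example/widget", "fixed_in": "2.4.1"}


def version_key(v: str) -> Tuple[int, ...]:
    """Order dotted numeric versions; a segment without leading digits counts as 0 (assumption)."""
    out = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        out.append(int(m.group()) if m else 0)
    return tuple(out)


def purl_identity(purl: str) -> str:
    """Reduce a purl to pkg:type/namespace/name by dropping version, qualifiers and subpath."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    return base.rsplit("@", 1)[0] if "@" in base else base


def load_sbom(doc: str) -> dict:
    """Parse a CycloneDX JSON document and refuse anything that does not declare itself as one."""
    sbom = json.loads(doc)
    if sbom.get("bomFormat") != "CycloneDX" or "specVersion" not in sbom:
        raise ValueError("not a CycloneDX JSON BOM")
    return sbom


def dependency_path(sbom: dict, target_ref: str) -> Optional[List[str]]:
    """Breadth-first search over the dependencies graph from the application's bom-ref.

    Returns the chain of bom-refs leading to target_ref, or None if the graph does not reach it
    (for instance an SBOM with an inventory but no dependencies section).
    """
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    start = sbom["metadata"]["component"]["bom-ref"]
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target_ref:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def find_affected(sbom_docs: List[str], advisory: dict) -> List[dict]:
    """One finding per component whose purl matches the advisory and whose version is below fixed_in."""
    fixed = version_key(advisory["fixed_in"])
    findings = []
    for doc in sbom_docs:
        sbom = load_sbom(doc)
        app = sbom["metadata"]["component"]
        for comp in sbom.get("components", []):
            purl = comp.get("purl")
            if not purl or purl_identity(purl) != advisory["purl"]:
                continue
            if version_key(comp["version"]) >= fixed:
                continue  # already on a fixed release
            path = dependency_path(sbom, comp.get("bom-ref", ""))
            findings.append({
                "advisory": advisory["id"],
                "application": f'{app["name"]}@{app["version"]}',
                "component": purl,
                "reach": "unknown" if path is None else ("direct" if len(path) == 2 else "transitive"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_affected(SBOM_DOCS, ADVISORY):
        print(finding)
```

Run as-is it reports `billing-service@4.2.0` (transitive, via framework 5.1.0) and `reporting@7.3.1` (direct) and skips `web-frontend`, which is already on 2.4.1. Matching on the purl identity rather than on a display name is the deliberate choice: it is what makes the same advisory usable against SBOMs produced by different tools, which is the interoperability the standard is meant to provide. The version ordering here is deliberately simple; real ecosystems (Maven qualifiers, semver pre-releases) need an ecosystem-aware comparator.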

For further information on how to connect to Sonatype's CycloneDX API, visit our support page.

“As an early adopter of the CycloneDX API for integrating NeuVector with Sonatype Nexus Lifecycle, we recognize the importance of producing SBOMs to enhance software security,” said Glen Kosaka, VP Product Management, NeuVector. “We look forward to continuing to support this important standard and contributing to its adoption and evolution.”

“With over 25 million open source users, we believe in the importance of an industry-standard format to enable accurate identification of software components to ensure security,” said Stephen Nolan, Head of Product, Anaconda. “We are innovating on our toolset to provide the CycloneDX SBOM format for our package metadata including license details, dependencies, and curated common vulnerability & exposure scores.”

About Sonatype:

Sonatype is the leader in developer-friendly, full-spectrum software supply chain management, providing organizations total control of their cloud-native development lifecycles, including third-party open source code, first-party source code, infrastructure as code, and containerized code. The company supports 70% of the Fortune 100, and its commercial and open source tools are trusted by 15 million developers around the world. With a vision to transform the way the world innovates, Sonatype helps organizations of all sizes build higher quality software that's more aligned with business needs, more maintainable, and more secure.

Sonatype has been recognized by Fast Company as one of the Best Workplaces for Innovators in the world two years in a row, and has been named to the Deloitte Technology Fast 500 and Inc. 5000 lists for the past five years. For more information, please visit Sonatype.com, or connect with us on Facebook, X, or LinkedIn.