cdx1 - Unlocking the Next Frontier in xBOM Analysis
OWASP CycloneDX SBOM/xBOM Standard
International bill of material standard for the software supply chain supporting SBOM, SaaSBOM, CBOM, VDR/VEX, and more.
If asked to name an incubator that has produced hundreds of projects and tens of highly valuable unicorns, one need only mention the OWASP Foundation. While many in the Western world erroneously assume that capital and investments lead to creativity and innovation, a vibrant community of passionate individuals offering their time and advice can have a similarly transformative effect.
As a small incubator project under OWASP, the CycloneDX Generator (cdxgen) team is constantly experimenting with new ideas and analysis techniques to simplify xBOMs for everyone. We pioneered a multi-analysis approach by combining static source code analysis with binary and container analysis to improve xBOM precision and recall. We released cdxgenGPT, a fully conversational AI bot designed to assist with your xBOM and cdxgen queries. Multiple user tests have confirmed that cdxgenGPT outperforms even the latest o3-mini-high when it comes to xBOM queries.
The truth is that xBOM generation remains an unsolved problem. Real-world applications require multiple formulation and workflow steps to build correctly—steps that may not even be documented or available in an automation-friendly manner. Automatically building arbitrary real-world applications and accurately generating build and post-build lifecycle SBOMs, OBOMs, and CBOMs further requires the creation of groundbreaking and truly innovative solutions.
We are excited to announce "cdx1," a family of open-source, SOTA machine learning (ML) models purpose-built for xBOM analysis, validation, and reasoning. cdx1 is trained on a custom, high-quality synthetic dataset called cdx-docs (open-source, CC-0), designed to mimic the expertise of a skilled professional in DevOps, xBOM, and CycloneDX. We generated accurate synthetic data using a teacher model, ensuring that cdx1 substantially surpasses its teacher in xBOM and CycloneDX-related QA capabilities. The cdx1 models and datasets are available today on HuggingFace and ollama.ai for experimentation and testing.
cdx1 delivers everything you expect from a 2025 model. We offer the models in various quantized formats, including mlx (Apple) and GGUF (ollama, koboldcpp, etc.). Our 8-bit models require around 16GB of VRAM (e.g., a 4090 or later) to achieve quality results with no additional thinking time. The 4-bit mlx version requires only 8GB of VRAM, allowing it to run entirely on an entry-level Mac Mini ($599). The 8-bit GGUF version can run on a CPU-only machine equipped with high-speed NVMe, achieving acceptable performance at 2 t/s. We aim to release the GA models with further improvements, along with ML-BOMs and a technical report, before OWASP Global AppSec EU 2025.
cdxgen v12, scheduled for release in May, will be the first open-source xBOM tool powered by cdx1. Users can expect significant improvements in build automation, troubleshooting, precision, recall, and reasoning. The AI/ML feature will remain an optional add-on, preventing the cdxgen CLI from becoming bloated.
Base model selection
We employed a test-driven development approach to select a base model. First, we created a synthetic dataset and test harness to fine-tune various models and evaluate their responses before choosing the one with the most potential. We evaluated models such as gemma2, the ibm-granite family, and qwen2.5. Ultimately, the winner was unsloth/phi-4 (MIT). Congratulations! Although the ibm-granite models—especially the new ibm-granite/granite-3.2-8b-instruct-preview—came very close, they performed poorly on our custom logic and reasoning tests. Phi-4 showed the most potential for further tuning and customization.
Reward the Teacher
Most ML models use rewards to encourage reinforcement learning and long-context reasoning. As parents, we understand the importance of quality educators and reward systems that motivate teachers to support student learning. The domains of xBOM, CycloneDX specifications, and supply chain security are highly specialized and complex—even for frontier models like o3-mini-high.
To address this, we employed a novel "Reward the Teacher" technique, continuously prompting and encouraging a teacher model (Google Gemini 2.0 Pro Experimental) to generate high-quality synthetic data suitable for cdx1. We then systematically reviewed and enhanced the training dataset during post-training to ensure alignment between context and generated responses during inference.
Our attempts to use the o3 models for data generation repeatedly failed due to “out of context” errors, possibly caused by API limitations imposed on plus subscriptions.
cdx1 eventually outperformed the teacher model, especially on logic and reasoning tests. Below is an example test (from xBOMEval):
Prompt: What is the package URL type for Node applications? Alice says it is 'pkg:node', while Bob claims it is 'pkg:npm'. Meanwhile, Peter believes it could be 'pkg:npm', 'pkg:yarn', or 'pkg:pnpm', depending on the package manager.
While Gemini got carried away and started hallucinating, cdx1 stayed correctly in context and offered a clear demonstration of its knowledge on the subject.
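To make the pass/fail criterion for a test item like the one above concrete, here is a small grader in the style of an eval harness. It is an added illustration, not code from xBOMEval or cdxgen, and it assumes the model is asked to end its response with an "Answer:" line; the answer key follows the purl-spec, where Node.js packages use the npm type and node, yarn and pnpm are not registered purl types.

```python
"""Grader for a single xBOMEval-style purl question (added illustration;
assumes the harness asks the model to finish with an 'Answer:' line)."""
import re

# Answer key for this one item, per the purl-spec: Node.js packages are always
# 'pkg:npm' regardless of the client used; yarn/pnpm are package managers,
# not purl types, and 'node' is not a purl type either.
CORRECT_TYPES = {"npm"}
DISTRACTORS = {"node", "yarn", "pnpm"}

FINAL_ANSWER_RE = re.compile(r"^\s*Answer:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
PURL_TYPE_RE = re.compile(r"pkg:([a-z0-9.+-]+)", re.IGNORECASE)


def final_answer_types(response: str) -> set[str]:
    """Return the purl types named on the response's 'Answer:' line."""
    m = FINAL_ANSWER_RE.search(response)
    if not m:
        return set()
    return {t.lower() for t in PURL_TYPE_RE.findall(m.group(1))}


def grade(response: str) -> dict:
    """Score 1.0 only if the final answer commits to exactly the correct type
    set; hedging across distractor types (the 'Peter' trap) scores 0.0."""
    types = final_answer_types(response)
    if not types:
        return {"score": 0.0, "reason": "no parseable 'Answer:' line"}
    if types & DISTRACTORS:
        return {"score": 0.0, "reason": f"endorsed non-purl type(s): {sorted(types & DISTRACTORS)}"}
    if types == CORRECT_TYPES:
        return {"score": 1.0, "reason": "correct"}
    return {"score": 0.0, "reason": f"unexpected type(s): {sorted(types)}"}


# Constructed sample responses for the two outcomes (not real model output).
FOCUSED = "Bob is right: purl uses the npm type for Node packages.\nAnswer: pkg:npm"
HEDGED = "It depends on the tool.\nAnswer: pkg:npm, pkg:yarn or pkg:pnpm"

if __name__ == "__main__":
    for name, resp in (("focused", FOCUSED), ("hedged", HEDGED)):
        print(name, grade(resp))
```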
cdx1’s design and fine-tuning approach helps it focus on the layers of knowledge that matter, with less scope for creativity and hallucinations. We tailored the training data to steer the answers to be shorter (fewer tokens) and to the point.
Trained on a Single Mac Mini
As our team's first open-source model, we aimed to make this achievement special. We used a single Mac Mini to create datasets, fine-tune, quantize, and publish the models. By combining the latest mlx and ollama.cpp for quantization and conversions, we eliminated the need for an NVIDIA GPU.
The cdxgen repository contains all the source code and configurations needed to replicate our resource-efficient approach. We look forward to seeing more OWASP projects and SBOM tools expand their ML offerings.
Benchmarking cdx1
We're excited to showcase cdx1's capabilities in xBOM analysis and reasoning. Currently, no benchmarks exist for xBOM—neither for traditional tools nor for ML models. To address this, our team is developing xBOMEval, the first open-source ML evaluation project for xBOM. We welcome sponsors and contributors to support our journey.
Sponsorship Acknowledgement
The cdxgen team and OWASP thank Levo.ai for generously sponsoring our ML research and development efforts. The cdx1 family of models is available under the Apache-2.0 license, and cdx-docs is in the public domain under a CC-0 license.