cdxgen v11 - for the learners and thinkers
OWASP CycloneDX SBOM/xBOM Standard
International bill of material standard for the software supply chain supporting SBOM, SaaSBOM, CBOM, VDR/VEX, and more.
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. Its adaptability and forward-thinking design empower organizations and teams to progressively build their full-stack inventory, starting with formats like the Software Bill of Materials (SBOM) or the Operations Bill of Materials (OBOM). This flexibility ensures that there are no limitations to your creativity and growth within the standard.
The CycloneDX Generator (cdxgen) has grown alongside the community, evolving from its origins as a simple SBOM tool. The OWASP environment has provided a unique space for extensive experimentation and innovation. The recent fully-paid team offsite, attended by many OWASP project teams including cdxgen, fostered a surge of creativity and fresh perspectives. This v11 release is truly a testament to the collective wisdom of numerous OWASP leaders and community members.
We are thrilled to announce the release of cdxgen v11, a major release designed to meet the needs of both modern users and bots such as AI agents. AI/ML models that use cdxgen v11 data for fine-tuning and Retrieval-Augmented Generation (RAG) will produce high-quality responses, comparable to those of a seasoned supply-chain and security expert. Our goal is to eliminate AI hallucinations by generating precise and consistent datasets that enhance the learning and reasoning capabilities of both open-source and commercial ML models. During the development of the ML profile (`--profile ml` or `--profile ml-tiny`) for cdxgen, our team continuously evaluated the performance of various LLM services like Google Gemini, Microsoft Copilot, and ChatGPT. We even created a demo GPT bot to showcase the potential of this feature.
Disclaimer: The cdxgen team's primary focus remains on providing high-quality datasets, rather than venturing into AI/ML development or commercializing AI solutions. We firmly believe that the foundation of effective AI lies in robust and accurate datasets. In the near future, we are committed to enhancing cdxgen compatibility with leading AI models, encompassing both open-source and commercial options.
The release is not just about AI/ML. We've introduced additional filter techniques (confidence and technique filters) for refining the generated xBOM. Furthermore, we're actively working towards compatibility with the forthcoming OWASP ASVS 5.0 standard.
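To make the idea of confidence and technique filters concrete, here is an added, illustrative post-processing script (not cdxgen's own implementation, and its flags and thresholds are assumptions) that filters a CycloneDX BOM's components by the identity-evidence confidence and techniques recorded in the standard `evidence.identity` fields. The sample BOM is constructed inline.

```python
import json

# Constructed sample CycloneDX 1.6-style BOM (not real cdxgen output). Each component
# may carry identity evidence with a confidence score and the techniques that produced it.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"name": "lodash", "version": "4.17.21", "type": "library",
         "evidence": {"identity": [{"field": "purl", "confidence": 0.8,
                                    "methods": [{"technique": "manifest-analysis", "confidence": 0.8}]}]}},
        {"name": "guessed-lib", "version": "1.0.0", "type": "library",
         "evidence": {"identity": [{"field": "purl", "confidence": 0.3,
                                    "methods": [{"technique": "filename", "confidence": 0.3}]}]}},
        # A component with no evidence at all: treated as confidence 0.0 below.
        {"name": "no-evidence", "version": "2.0.0", "type": "library"},
    ],
}


def identity_entries(component):
    """Return identity evidence as a list (spec 1.5 used an object, 1.6 uses an array)."""
    ident = component.get("evidence", {}).get("identity")
    if ident is None:
        return []
    return ident if isinstance(ident, list) else [ident]


def component_confidence(component):
    """Highest identity confidence claimed for the component; 0.0 when no evidence exists."""
    return max((e.get("confidence", 0.0) for e in identity_entries(component)), default=0.0)


def component_techniques(component):
    """Set of evidence techniques (e.g. manifest-analysis, filename) that identified the component."""
    return {m.get("technique") for e in identity_entries(component) for m in e.get("methods", [])}


def filter_components(bom, min_confidence=0.0, allowed_techniques=None):
    """Return a copy of the BOM keeping only components that meet the confidence floor
    and (if given) were identified by at least one of the allowed techniques."""
    kept = []
    for comp in bom.get("components", []):
        if component_confidence(comp) < min_confidence:
            continue
        if allowed_techniques and not (component_techniques(comp) & set(allowed_techniques)):
            continue
        kept.append(comp)
    return {**bom, "components": kept}


if __name__ == "__main__":
    print(json.dumps(filter_components(SAMPLE_BOM, min_confidence=0.5), indent=2))
```

Filtering produces a narrower view for consumers such as an AI agent; keep the unfiltered BOM as the record, since dropping low-confidence components removes inventory that a vulnerability lookup might still need.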
Pricing and project sustainability
How much should OWASP charge for cdxgen v11? While a Silicon Valley startup might readily secure millions of dollars in funding for a tool with a fraction of cdxgen's capabilities, and likely monetize the AI agent through a subscription model, we believe in a different approach to make security accessible for everyone.
We're excited to announce that cdxgen v11, including the prompts and agent source code, remains completely free and available under the Apache 2.0 license. However, the OWASP Foundation depends entirely on your donations to sustain our projects. We're committed to fostering a fair environment where all creators and contributors are recognized and rewarded for their efforts. It's crucial to address the current imbalance where open-source projects often become dominated by profit-driven entities due to a lack of sustainable funding for contributors. Your financial support is the most meaningful gift we could receive, not just during the holiday season, but throughout the year.
AppSec Tools Builder | Founder, AppThreat
3 months
As promised, cdxgen is now available on the GPT store. An example prompt is shown. https://chatgpt.com/g/g-673bfeb4037481919be8a2cd1bf868d2-cdxgen
Enterprise cyber security leader
3 months
Thank you for your contribution to this success, Steve!