Skip to main content

CycloneDX Software Bill of Materials (SBOM) generator for Python projects and environments

Project description

CycloneDX Python SBOM Generation Tool

shield_pypi-version shield_docker-version shield_rtfd shield_gh-workflow-test shield_coverage shield_ossf-best-practices shield_license
shield_website shield_slack shield_groups shield_twitter-follow


This tool generates Software Bill of material (SBOM) documents in OWASP CycloneDX format.
Supported data sources are:

  • Python (virtual) environment
  • Poetry manifest and lockfile
  • Pipenv manifest and lockfile
  • Pip's requirements.txt format
  • PDM manifest and lockfile are not explicitly supported.
    However, PDM's Python virtual environments are fully supported. See the docs for an example.
  • Conda as a package manager is no longer supported since version 4.
    However, conda's Python environments are fully supported via the methods listed above. See the docs for an example.

Based on OWASP Software Component Verification Standard for Software Bill of Materials' criteria, this tool is capable of producing SBOM documents almost passing Level-2 (only signing needs to be done externally).

The resulting SBOM documents follow official specifications and standards, and might have properties following cdx:python Namespace Taxonomy, cdx:pipenv Namespace Taxonomy, cdx:poetry Namespace Taxonomy .

Read the full documentation for more details.

Requirements

  • Python >=3.8,<4

However, there are older versions of this tool available, which support Python >=2.7.

Installation

Install this from Python Package Index (PyPI) using your preferred Python package manager.

install via one of commands:

python -m pip install cyclonedx-bom   # install via pip
pipx install cyclonedx-bom            # install via pipx
poetry add cyclonedx-bom              # install via poetry
# ... you get the hang

Usage

Call via one of commands:

cyclonedx-py             # call script
python3 -m cyclonedx_py  # call python module CLI

Basic usage

$ cyclonedx-py --help
usage: cyclonedx-py [-h] [--version] command ...

Creates CycloneDX Software Bill of Materials (SBOM) from Python projects and environments.

positional arguments:
  command
    environment   Build an SBOM from Python (virtual) environment
    requirements  Build an SBOM from Pip requirements
    pipenv        Build an SBOM from Pipenv manifest
    poetry        Build an SBOM from Poetry project

options:
  -h, --help      show this help message and exit
  --version       show program's version number and exit

Advanced usage and details

See the full documentation for advanced usage and details on input formats, switches and options.

Python Support

We endeavour to support all functionality for all current actively supported Python versions. However, some features may not be possible/present in older Python versions due to their lack of support. However, there are older versions of this tool, that support python>=2.7.

Internals

This tool utilizes the CycloneDX Python library to generate the actual data structures, and serialize and validate them.

This tool does not expose any additional public API or symbols - all code is intended to be internal and might change without any notice during version upgrades. However, the CLI is stable - you might call it programmatically. See the documentation for an example.

Contributing

Feel free to open issues, bugreports or pull requests.
See the CONTRIBUTING file for details, and how to run/setup locally.

Copyright & License

CycloneDX BOM is Copyright (c) OWASP Foundation. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cyclonedx_bom-5.1.2.tar.gz (2.3 MB view details)

Uploaded Source

Built Distribution

cyclonedx_bom-5.1.2-py3-none-any.whl (55.7 kB view details)

Uploaded Python 3

File details

Details for the file cyclonedx_bom-5.1.2.tar.gz.

File metadata

  • Download URL: cyclonedx_bom-5.1.2.tar.gz
  • Upload date:
  • Size: 2.3 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.0.1 CPython/3.12.8

File hashes

Hashes for cyclonedx_bom-5.1.2.tar.gz
Algorithm Hash digest
SHA256 69cbabd884d1ca0c500d0307c42bdd93b0e42ee302a316fc5e45b5609bd898c7
MD5 be25ce42a8ea64826aa66495201af7b4
BLAKE2b-256 681e78106d309f58e06247c3c2a19dd475f36c5ad7c3b04492dd54c0430dd313

See more details on using hashes here.

Provenance

The following attestation bundles were made for cyclonedx_bom-5.1.2.tar.gz:

Publisher: release.yml on CycloneDX/cyclonedx-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cyclonedx_bom-5.1.2-py3-none-any.whl.

File metadata

File hashes

Hashes for cyclonedx_bom-5.1.2-py3-none-any.whl
Algorithm Hash digest
SHA256 7cc7b50dffe6a43284882bfb302be8387cb4b509b1210856ef660fc409c96541
MD5 67c4f085b988fd2391639352b2a0844a
BLAKE2b-256 7b8b4264c0482b5a79e03b18eba84ec1142c20dc60916f9a10849594115ae905

See more details on using hashes here.

Provenance

The following attestation bundles were made for cyclonedx_bom-5.1.2-py3-none-any.whl:

Publisher: release.yml on CycloneDX/cyclonedx-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page