
Python wrapper for uv-sbom - SBOM generation tool for uv projects

Project description

uv-sbom-bin


Python wrapper for the uv-sbom CLI tool written in Rust.

Generate SBOMs (Software Bill of Materials) for Python projects managed by uv.

Features

  • Fast and standalone - Written in Rust, no Python dependencies required at runtime
  • Multiple output formats - CycloneDX 1.6 JSON (standard) and Markdown (human-readable)
  • Vulnerability scanning - Check for known CVEs using OSV API with --check-cve
  • Configurable thresholds - Filter vulnerabilities by severity or CVSS score
  • Package exclusion - Exclude internal packages with --exclude patterns
  • Configuration file support - Define defaults in uv-sbom.config.yml
  • License compliance - Enforce license policies with allow/deny lists via --check-license
  • CI/CD ready - Exit codes for easy integration into pipelines
  • License detection - Automatically fetches license info from PyPI

Why uv-sbom?

Unlike other SBOM tools that scan the entire virtual environment, uv-sbom focuses on production runtime dependencies from uv.lock:

| Aspect | uv-sbom | Official CycloneDX tools |
|--------|---------|--------------------------|
| Data source | uv.lock file | .venv virtual environment |
| Scope | Production dependencies only | Entire supply chain |
| Package count | Fewer (e.g., 16 packages) | More (e.g., 38+ packages) |
| Use case | Production security scanning | Comprehensive audit |

This focused approach reduces noise in security scanning by excluding build-time and test dependencies that don't ship with your application. The trade-off is that vulnerabilities in that tooling (which can still compromise a CI pipeline) are not reported, and the SBOM describes the versions recorded in uv.lock rather than whatever happens to be installed; keep the lockfile and the environment in sync (for example with uv sync --locked in CI) before treating the SBOM as an inventory of what is deployed.
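To make the comparison above concrete, here is an added Python example (it is not part of this page or of the uv-sbom project) that diffs a lockfile-scoped SBOM against an environment-scoped one. Both documents are constructed CycloneDX 1.6 JSON using the field names the CycloneDX spec defines (bomFormat, specVersion, components with name, version and purl); uv-sbom's exact output layout is not shown on this page and is assumed to follow the spec. The diff lists what a whole-.venv scan adds (build and test tooling) and flags version drift between the lockfile and the environment.

```python
"""Diff a uv.lock-scoped SBOM against an environment-scoped one.

Added example; this is not uv-sbom's own code. Both SBOMs are constructed
CycloneDX 1.6 JSON documents in the shape the CycloneDX spec defines.
"""
from __future__ import annotations

import json
import re

# Constructed sample: what a uv.lock-based SBOM (production deps only) might list.
LOCK_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"},
        {"type": "library", "name": "pydantic", "version": "2.12.5", "purl": "pkg:pypi/pydantic@2.12.5"},
    ],
})

# Constructed sample: what a whole-.venv scan of the same project might list.
# It adds test/type-check tooling and has a stale urllib3 (the env was not re-synced).
VENV_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.0", "purl": "pkg:pypi/urllib3@2.0.0"},
        {"type": "library", "name": "pydantic", "version": "2.12.5", "purl": "pkg:pypi/pydantic@2.12.5"},
        {"type": "library", "name": "pytest", "version": "8.0.0", "purl": "pkg:pypi/pytest@8.0.0"},
        {"type": "library", "name": "mypy", "version": "1.8.0", "purl": "pkg:pypi/mypy@1.8.0"},
        {"type": "library", "name": "Mypy_Extensions", "version": "1.0.0", "purl": "pkg:pypi/mypy-extensions@1.0.0"},
    ],
})


def normalize(name: str) -> str:
    """PEP 503 name normalisation, so 'Mypy_Extensions' and 'mypy-extensions' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def load_components(doc: str) -> dict[str, str]:
    """Return {normalised name: version} for every component in a CycloneDX JSON document."""
    bom = json.loads(doc)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not a CycloneDX document: bomFormat={bom.get('bomFormat')!r}")
    return {normalize(c["name"]): c.get("version", "") for c in bom.get("components", [])}


def diff_sboms(lock_doc: str, env_doc: str) -> dict:
    """Compare the two inventories.

    venv_only: packages the environment scan reports that uv.lock's production
               set does not (typically build/test tooling that never ships);
    lock_only: locked packages missing from the environment;
    drift:     packages present in both but at different versions, i.e. the
               environment is out of sync with uv.lock and a lockfile-derived
               SBOM would not describe what is actually installed.
    """
    lock, env = load_components(lock_doc), load_components(env_doc)
    return {
        "venv_only": sorted(set(env) - set(lock)),
        "lock_only": sorted(set(lock) - set(env)),
        "drift": {n: (lock[n], env[n]) for n in sorted(lock.keys() & env.keys()) if lock[n] != env[n]},
    }


if __name__ == "__main__":
    result = diff_sboms(LOCK_SBOM, VENV_SBOM)
    print("only in .venv scan:", ", ".join(result["venv_only"]))
    print("missing from .venv:", ", ".join(result["lock_only"]) or "none")
    for name, (locked, installed) in result["drift"].items():
        print(f"drift: {name} locked={locked} installed={installed}")
```

To run it against real files, replace the two embedded strings with the output of uv-sbom --format json and an SBOM generated from the virtual environment. A non-empty drift table means the lockfile-based SBOM does not describe this environment, which is the first thing to fix before acting on a vulnerability report derived from it.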

Installation

Via uv (Recommended)

uv tool install uv-sbom-bin

Via pip

pip install uv-sbom-bin

After installation, the uv-sbom command will be available in your PATH.

Note: The package name is uv-sbom-bin, but the installed command is uv-sbom.

Usage

Basic Commands

# Show version
uv-sbom --version

# Generate CycloneDX JSON SBOM (default)
uv-sbom --format json

# Generate Markdown SBOM
uv-sbom --format markdown --output SBOM.md

Vulnerability Checking

# Check for all vulnerabilities
uv-sbom --format markdown --check-cve

# Check for High/Critical severity only
uv-sbom --format markdown --check-cve --severity-threshold high

# Check for CVSS >= 7.0
uv-sbom --format markdown --check-cve --cvss-threshold 7.0

# Ignore specific CVEs
uv-sbom --format markdown --check-cve --ignore-cve CVE-2024-1234

License Compliance Check

# License compliance check
uv-sbom --check-license --license-allow "MIT,Apache-2.0,BSD-*"

# Combined with vulnerability check
uv-sbom --check-license --check-cve --severity-threshold high

Excluding Packages

# Exclude specific packages
uv-sbom -e "pytest" -e "mypy"

# Exclude with wildcards
uv-sbom -e "*-dev" -e "debug-*"

Configuration File

Create a uv-sbom.config.yml file in your project directory:

format: markdown
check_cve: true
severity_threshold: high
exclude_packages:
  - "pytest"
  - "*-dev"
ignore_cves:
  - id: CVE-2024-1234
    reason: "False positive for our use case"
license_policy:
  allow: ["MIT", "Apache-2.0", "BSD-*"]
  deny: ["GPL-3.0-only", "AGPL-*"]
  unknown: "warn"

Generate a template:

uv-sbom --init
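To see how the exclusion, threshold, ignore-list and license options from the Usage and Configuration File sections interact, here is an added Python example (not uv-sbom's own code) that reproduces their semantics on constructed data. It assumes glob matching on package names and SPDX license identifiers (as the BSD-* and AGPL-* patterns above suggest), treats deny as overriding allow, and uses 0/1 as pass/fail; uv-sbom's actual matching rules and exit codes are documented in the main repository, not on this page. The advisory identifiers and scores in the sample data are placeholders.

```python
"""Policy gates of the kind uv-sbom's options describe, evaluated offline.

Added example; this is not uv-sbom's own code. It models -e/--exclude globs,
--severity-threshold, --cvss-threshold, --ignore-cve and license_policy
allow/deny/unknown on constructed data. The 0 = clean / 1 = violation
convention is this example's assumption.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str | None  # SPDX identifier, or None when no license could be determined


@dataclass(frozen=True)
class Finding:
    id: str        # advisory identifier, matched case-insensitively by the ignore list
    package: str
    severity: str  # low / medium / high / critical
    cvss: float


def apply_excludes(components: list[Component], patterns: list[str]) -> list[Component]:
    """Drop components whose name matches any glob, e.g. 'pytest' or '*-dev'."""
    return [c for c in components if not any(fnmatchcase(c.name, p) for p in patterns)]


def filter_findings(findings, kept, severity_threshold=None, cvss_threshold=None, ignore=()):
    """Keep findings that hit a kept component, clear both thresholds and are not ignored.

    A severity threshold keeps findings at or above that level; a CVSS threshold
    keeps findings scored at or above the value. Either may be omitted."""
    kept_names = {c.name for c in kept}
    ignored = {i.upper() for i in ignore}
    min_rank = SEVERITY_RANK[severity_threshold.lower()] if severity_threshold else 0
    return [
        f for f in findings
        if f.package in kept_names
        and f.id.upper() not in ignored
        and SEVERITY_RANK[f.severity.lower()] >= min_rank
        and (cvss_threshold is None or f.cvss >= cvss_threshold)
    ]


def check_licenses(components, allow=(), deny=(), unknown="warn"):
    """Return (violations, warnings). Deny wins over allow; with an allow list,
    anything unmatched is a violation; a missing license follows `unknown`
    ('fail', 'warn' or 'allow')."""
    violations, warnings = [], []
    for c in components:
        if c.license is None:
            msg = f"{c.name}: license unknown"
            if unknown == "fail":
                violations.append(msg)
            elif unknown == "warn":
                warnings.append(msg)
        elif any(fnmatchcase(c.license, d) for d in deny):
            violations.append(f"{c.name}: {c.license} is on the deny list")
        elif allow and not any(fnmatchcase(c.license, a) for a in allow):
            violations.append(f"{c.name}: {c.license} is not on the allow list")
    return violations, warnings


def gate(components, findings, policy: dict) -> tuple[int, list[str]]:
    """Evaluate the whole policy and return (exit_code, report_lines)."""
    kept = apply_excludes(components, policy.get("exclude_packages", []))
    hits = filter_findings(findings, kept, policy.get("severity_threshold"),
                           policy.get("cvss_threshold"), policy.get("ignore_cves", []))
    lp = policy.get("license_policy", {})
    violations, warnings = check_licenses(kept, lp.get("allow", ()), lp.get("deny", ()),
                                          lp.get("unknown", "warn"))
    report = [f"VULN  {h.id} {h.package} cvss={h.cvss} {h.severity.upper()}" for h in hits]
    report += [f"LICENSE  {v}" for v in violations] + [f"WARN  {w}" for w in warnings]
    return (1 if hits or violations else 0), report


# Constructed sample data; advisory ids and scores are placeholders, not real records.
COMPONENTS = [
    Component("requests", "2.31.0", "Apache-2.0"),
    Component("urllib3", "2.0.0", "MIT"),
    Component("pytest", "8.0.0", "MIT"),
    Component("acme-dev", "0.1.0", "MIT"),
    Component("internal-tool", "1.0.0", None),
    Component("copyleft-lib", "1.0.0", "GPL-3.0-only"),
]
FINDINGS = [
    Finding("CVE-2024-5678", "urllib3", "high", 7.5),       # reported
    Finding("CVE-2024-1234", "requests", "critical", 9.1),  # on the ignore list
    Finding("CVE-2024-9999", "requests", "medium", 5.3),    # below the severity threshold
    Finding("CVE-2024-0001", "pytest", "critical", 9.8),    # excluded package
]
POLICY = {  # mirrors the uv-sbom.config.yml keys shown above
    "exclude_packages": ["pytest", "*-dev"],
    "severity_threshold": "high",
    "ignore_cves": ["CVE-2024-1234"],
    "license_policy": {"allow": ["MIT", "Apache-2.0", "BSD-*"],
                       "deny": ["GPL-3.0-only", "AGPL-*"], "unknown": "warn"},
}

if __name__ == "__main__":
    code, lines = gate(COMPONENTS, FINDINGS, POLICY)
    print("\n".join(lines))
    raise SystemExit(code)
```

Note the ordering: exclusion runs first, so a critical finding in an excluded package never reaches the threshold check, and an ignored advisory is suppressed regardless of its score. Both are deliberate blind spots; record the reason for each ignore entry (as the config's reason field does) and review the exclude list whenever a package moves from dev tooling into the runtime set.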

CI Integration

# GitHub Actions example
- name: Security Check
  run: uv-sbom --format markdown --check-cve --severity-threshold high

Output Example

Markdown format with vulnerability report:

# Software Bill of Materials (SBOM)

## Component Inventory

| Package | Version | License | Description |
|---------|---------|---------|-------------|
| requests | 2.31.0 | Apache 2.0 | HTTP library for Python |
| pydantic | 2.12.5 | MIT | Data validation using Python type hints |

## Vulnerability Report

| Package | Current | Fixed | CVSS | Severity | CVE ID |
|---------|---------|-------|------|----------|--------|
| urllib3 | 2.0.0 | 2.0.7 | 9.8 | CRITICAL | CVE-2023-45803 |

How It Works

This package contains no binary of its own (the wheel listed below is about 6 kB). At install time it downloads the prebuilt Rust binary for your platform from the project's GitHub releases and puts it on your PATH. Two practical consequences: installation needs network access to GitHub, not only to PyPI, and the PyPI hashes and attestations listed further down cover only this wrapper, not the binary it fetches, so a hash-pinned install (pip install --require-hashes) does not by itself pin that binary. Check the main repository for how the downloaded release is verified before relying on it in a locked-down build.

Supported platforms:

  • macOS (Apple Silicon and Intel)
  • Linux (x86_64)
  • Windows (x86_64)

Full Documentation

For comprehensive documentation including:

  • Complete command-line reference
  • Security input validation details
  • Network requirements and proxy configuration
  • Exit codes and error handling
  • Troubleshooting guide

Visit the main repository: uv-sbom on GitHub

License

MIT License - see LICENSE


Download files


Source Distribution

uv_sbom_bin-1.3.0.tar.gz (5.7 kB, Source)

Built Distribution

uv_sbom_bin-1.3.0-py3-none-any.whl (6.2 kB, Python 3)

File details

Details for the file uv_sbom_bin-1.3.0.tar.gz.

File metadata

  • Download URL: uv_sbom_bin-1.3.0.tar.gz
  • Upload date:
  • Size: 5.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for uv_sbom_bin-1.3.0.tar.gz
Algorithm Hash digest
SHA256 9602ded1d346609748aad32e16bcad9eb2b431bc20b65d4d1d97a18f73bb4612
MD5 103fa1b24ed9cc0894b293d333635d5c
BLAKE2b-256 c59875a8f32a4009bbefae5d24d220f235b2c4bf068ab0a634b2365891cfaf1f


Provenance

Attestation bundle for uv_sbom_bin-1.3.0.tar.gz: published via Trusted Publishing by release.yml on Taketo-Yoda/uv-sbom. The attested values reflect the state when the release was signed and may no longer be current.

File details

Details for the file uv_sbom_bin-1.3.0-py3-none-any.whl.

File metadata

  • Download URL: uv_sbom_bin-1.3.0-py3-none-any.whl
  • Upload date:
  • Size: 6.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for uv_sbom_bin-1.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 baba52f58965d4a82e3a25d8a1773d71f26a5f2a439475dfcf2cf6c83e73d835
MD5 9d694ca686bdf9c873203f2b79d56b8d
BLAKE2b-256 f8e5210b786076d17779f6dd0bfff903e03be8b00509859b0587a9d285515f41


Provenance

Attestation bundle for uv_sbom_bin-1.3.0-py3-none-any.whl: published via Trusted Publishing by release.yml on Taketo-Yoda/uv-sbom. The attested values reflect the state when the release was signed and may no longer be current.
