
Python wrapper for uv-sbom - SBOM generation tool for uv projects

Project description

uv-sbom-bin


Python wrapper for the uv-sbom CLI tool written in Rust.

Generate SBOMs (Software Bill of Materials) for Python projects managed by uv.

Features

  • Fast and standalone - Written in Rust, no Python dependencies required at runtime
  • Multiple output formats - CycloneDX 1.6 JSON (standard) and Markdown (human-readable)
  • Vulnerability scanning - CVE checking via OSV API is enabled by default; use --no-check-cve to opt out
  • Configurable thresholds - Filter vulnerabilities by severity or CVSS score
  • Package exclusion - Exclude internal packages with --exclude patterns
  • Configuration file support - Define defaults in uv-sbom.config.yml
  • License compliance - Enforce license policies with allow/deny lists via --check-license
  • CI/CD ready - Exit codes for easy integration into pipelines
  • License detection - Automatically fetches license info from PyPI

Why uv-sbom?

Unlike SBOM tools that walk the whole virtual environment, uv-sbom reads the production runtime dependency set from uv.lock:

| Aspect | uv-sbom | CycloneDX official tools |
|---------|---------|---------|
| Data source | uv.lock file | .venv virtual environment |
| Scope | Production dependencies only | Entire supply chain |
| Package count | Fewer (e.g., 16 packages) | More (e.g., 38+ packages) |
| Use case | Production security scanning | Comprehensive audit |

This focused approach reduces noise in vulnerability scanning by leaving out build-time dependencies that never ship with your application. The trade-off is that the result is not a complete inventory of what touched the build: dev and build tooling is still part of your supply chain, so keep a full-environment SBOM as well where an auditor or customer asks for one.

Installation

Via uv (Recommended)

uv tool install uv-sbom-bin

Via pip

pip install uv-sbom-bin

After installation, the uv-sbom command will be available in your PATH.

Note: The package name is uv-sbom-bin, but the installed command is uv-sbom.

Usage

Basic Commands

# Show version
uv-sbom --version

# Generate CycloneDX JSON SBOM (default)
uv-sbom --format json

# Generate Markdown SBOM
uv-sbom --format markdown --output SBOM.md

Vulnerability Checking

CVE checking is enabled by default and queries the OSV API, so a default run needs outbound network access. Use --no-check-cve to opt out, for example in offline or air-gapped pipelines.

# Check for all vulnerabilities (default — no flag needed)
uv-sbom --format markdown

# Check for High/Critical severity only
uv-sbom --format markdown --severity-threshold high

# Check for CVSS >= 7.0
uv-sbom --format markdown --cvss-threshold 7.0

# Ignore specific CVEs
uv-sbom --format markdown --ignore-cve CVE-2024-1234

# Disable CVE checking
uv-sbom --format markdown --no-check-cve

License Compliance Check

# License compliance check
uv-sbom --check-license --license-allow "MIT,Apache-2.0,BSD-*"

# Combined with vulnerability check (CVE enabled by default)
uv-sbom --check-license --severity-threshold high

Excluding Packages

# Exclude specific packages
uv-sbom -e "pytest" -e "mypy"

# Exclude with wildcards
uv-sbom -e "*-dev" -e "debug-*"

Configuration File

Create a uv-sbom.config.yml file in your project directory:

format: markdown
# check_cve: true  # CVE checking is enabled by default; set to false to disable
severity_threshold: high
exclude_packages:
  - "pytest"
  - "*-dev"
ignore_cves:
  - id: CVE-2024-1234
    reason: "False positive for our use case"
license_policy:
  allow: ["MIT", "Apache-2.0", "BSD-*"]
  deny: ["GPL-3.0-only", "AGPL-*"]
  unknown: "warn"

Generate a template:

uv-sbom --init
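The checks above (severity threshold, ignored CVEs, license allow/deny with wildcards, and the `unknown:` setting) are easy to reason about once you see them applied to a CycloneDX document. The script below is an added example written for this page, not uv-sbom's own code; it evaluates the same kind of policy over any CycloneDX 1.6 JSON, such as the file `uv-sbom --format json` produces. The embedded SAMPLE_SBOM is constructed for the demo: its advisory IDs and the urllib3 rating are the placeholders used elsewhere on this page, the package `example-gpl` and `mystery` are made up, and the meaning given to `unknown` (`allow`, `warn` or `deny`) is this example's reading of the config key, not a statement about how uv-sbom interprets it.

```python
"""Policy gate for a CycloneDX 1.6 JSON SBOM.

Added example, not uv-sbom's own code. SAMPLE_SBOM is constructed for the
demo; the advisory IDs are the placeholders used on this page, and the
package names example-gpl and mystery are invented.
"""
import json
from fnmatch import fnmatchcase

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests",
         "version": "2.31.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/urllib3@2.0.0", "name": "urllib3",
         "version": "2.0.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/example-gpl@1.0.0", "name": "example-gpl",
         "version": "1.0.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        # No licenses key at all: exercises the `unknown` policy branch.
        {"type": "library", "bom-ref": "pkg:pypi/mystery@0.1.0", "name": "mystery",
         "version": "0.1.0"},
    ],
    "vulnerabilities": [
        {"id": "CVE-2023-45803", "affects": [{"ref": "pkg:pypi/urllib3@2.0.0"}],
         "ratings": [{"score": 9.8, "severity": "critical"}]},
        {"id": "CVE-2024-1234", "affects": [{"ref": "pkg:pypi/requests@2.31.0"}],
         "ratings": [{"score": 5.3, "severity": "medium"}]},
    ],
})


def component_licenses(component):
    """SPDX ids, names or expressions declared on a CycloneDX component."""
    names = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            names.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            names.append(lic.get("id") or lic.get("name") or "")
    return [n for n in names if n]


def license_verdict(names, allow, deny, unknown):
    """Deny wins over allow; an empty allow list accepts anything not denied.
    A component with no license data gets the `unknown` setting ('allow',
    'warn' or 'deny'), which is this example's reading of the unknown: key."""
    if not names:
        return unknown
    if any(fnmatchcase(n, p) for n in names for p in deny):
        return "deny"
    if allow and not all(any(fnmatchcase(n, p) for p in allow) for n in names):
        return "deny"
    return "allow"


def top_rating(vuln):
    """(highest severity, highest CVSS score) across a vulnerability's ratings."""
    ratings = vuln.get("ratings", [])
    sevs = [str(r.get("severity", "")).lower() for r in ratings]
    best = max(sevs, key=lambda s: SEVERITY_RANK.get(s, 0), default="")
    score = max((float(r.get("score", 0)) for r in ratings), default=0.0)
    return (best if best in SEVERITY_RANK else "unknown"), score


def evaluate(sbom_text, severity_threshold="low", cvss_threshold=None, ignore_cves=(),
             allow=(), deny=(), unknown="warn"):
    """Return findings plus a pass/fail verdict a CI job can turn into an exit code."""
    sbom = json.loads(sbom_text)
    by_ref = {c.get("bom-ref", c["name"]): c for c in sbom.get("components", [])}
    ignored = {i.upper() for i in ignore_cves}
    min_rank = SEVERITY_RANK[severity_threshold.lower()]
    vulns, denied, warnings = [], [], []

    for vuln in sbom.get("vulnerabilities", []):
        vid = vuln["id"]
        if vid.upper() in ignored:
            warnings.append(f"{vid} suppressed by ignore list")
            continue
        sev, score = top_rating(vuln)
        if sev == "unknown":  # never drop an unrated advisory silently
            warnings.append(f"{vid} has no severity rating; review it by hand")
            continue
        if SEVERITY_RANK[sev] < min_rank:
            continue
        if cvss_threshold is not None and score < cvss_threshold:
            continue
        for hit in vuln.get("affects", []):
            name = by_ref.get(hit["ref"], {}).get("name", hit["ref"])
            vulns.append((name, vid, sev))

    for comp in by_ref.values():
        names = component_licenses(comp)
        verdict = license_verdict(names, allow, deny, unknown)
        if verdict == "deny":
            denied.append((comp["name"], names))
        elif verdict == "warn":
            warnings.append(f"{comp['name']} has no license information")

    return {"vulnerabilities": vulns, "license_denied": denied,
            "warnings": warnings, "passed": not vulns and not denied}


if __name__ == "__main__":
    import sys
    result = evaluate(SAMPLE_SBOM, severity_threshold="high", ignore_cves=["CVE-2024-1234"],
                      allow=["MIT", "Apache-2.0", "BSD-*"], deny=["GPL-3.0-only", "AGPL-*"])
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["passed"] else 1)
```

Run it as `python policy_gate.py` to see the sample fail on the critical urllib3 advisory and the GPL-3.0-only component while the ignored CVE and the license-less package surface only as warnings. Point `evaluate` at the JSON uv-sbom writes to apply the same policy to your own project; unrated advisories are deliberately reported rather than filtered, since a missing rating is not evidence of low risk.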

CI Integration

# GitHub Actions example (CVE checking is enabled by default)
- name: Security Check
  run: uv-sbom --format markdown --severity-threshold high
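A fuller workflow, added here as an illustration rather than taken from the project, separates producing the SBOM artifact from gating on it, so the inventory is uploaded even when the gate fails. The install step pins the wrapper to the hashes PyPI publishes via a requirements file; `ci/uv-sbom.txt` is a hypothetical path you would create yourself, and the `--no-check-cve` on the artifact step keeps that run offline while the gate does the OSV lookup.

```yaml
# Added example workflow, not part of uv-sbom. Assumes ci/uv-sbom.txt holds a
# line such as:  uv-sbom-bin==2.0.1 --hash=sha256:<sdist sha256> --hash=sha256:<wheel sha256>
name: sbom
on: [push, pull_request]
permissions:
  contents: read
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install uv-sbom pinned to the published PyPI hashes
        run: pip install --require-hashes -r ci/uv-sbom.txt
      - name: Generate CycloneDX SBOM (always produced, no network lookup)
        run: uv-sbom --format json --output sbom.cdx.json --no-check-cve
      - uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.cdx.json
      - name: Security gate (fails the job via the tool's exit code)
        run: uv-sbom --format markdown --severity-threshold high --check-license --license-allow "MIT,Apache-2.0,BSD-*"
```

The hash pin only covers the Python wrapper; the Rust binary it fetches from GitHub at install time is outside the pin, so the job still needs access to github.com and the release itself remains the trust root for the executable.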

Output Example

Markdown format with vulnerability report:

# Software Bill of Materials (SBOM)

## Component Inventory

| Package | Version | License | Description |
|---------|---------|---------|-------------|
| requests | 2.31.0 | Apache 2.0 | HTTP library for Python |
| pydantic | 2.12.5 | MIT | Data validation using Python type hints |

## Vulnerability Report

| Package | Current | Fixed | CVSS | Severity | CVE ID |
|---------|---------|-------|------|----------|--------|
| urllib3 | 2.0.0 | 2.0.7 | 9.8 | CRITICAL | CVE-2023-45803 |

How It Works

This package downloads the prebuilt Rust binary for your platform from the GitHub releases and installs it. The wheel on PyPI is only a few kilobytes: the hashes and attestation listed below cover that wrapper, not the binary it fetches at install time, so installation needs network access to GitHub and the release, not the PyPI file, is the trust root for the executable you end up running.

Supported platforms:

  • macOS (Apple Silicon and Intel)
  • Linux (x86_64)
  • Windows (x86_64)

Full Documentation

For comprehensive documentation including:

  • Complete command-line reference
  • Security input validation details
  • Network requirements and proxy configuration
  • Exit codes and error handling
  • Troubleshooting guide

Visit the main repository: uv-sbom on GitHub

License

MIT License - see LICENSE

Download files

Download the file for your platform.

Source Distribution

uv_sbom_bin-2.0.1.tar.gz (5.8 kB view details)

Uploaded Source

Built Distribution


uv_sbom_bin-2.0.1-py3-none-any.whl (6.3 kB view details)

Uploaded Python 3

File details

Details for the file uv_sbom_bin-2.0.1.tar.gz.

File metadata

  • Download URL: uv_sbom_bin-2.0.1.tar.gz
  • Size: 5.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for uv_sbom_bin-2.0.1.tar.gz

| Algorithm | Hash digest |
|---------|---------|
| SHA256 | e6d59cc56ded84ae8e6c1d113296ec47d00d59ac1561f63b1159c2517ade1458 |
| MD5 | 3f75b5475610531dfe06dbca53501034 |
| BLAKE2b-256 | 48d102b0f9fc13e5d38119625b16579d4cbd97ac77a2d75625d2b36b26893356 |

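Publishing digests is only useful if someone checks them. The script below is an added example, not part of the project: it verifies a downloaded sdist or wheel against the SHA256 and BLAKE2b-256 values PyPI lists for release 2.0.1 (copied from this page; for any other version take them from that version's page) and emits the `--hash` requirements line that makes `pip install --require-hashes` refuse anything else. MD5 is listed by PyPI but deliberately not checked here.

```python
"""Check a downloaded uv-sbom-bin 2.0.1 artifact against the digests PyPI
publishes, and build a hash-pinned requirements line from them.

Added example, not part of the project. PUBLISHED is copied from this page
for release 2.0.1. These digests cover the small wrapper package only, not
the Rust binary the wrapper downloads from GitHub at install time.
"""
import hashlib
import hmac
import sys
from pathlib import Path

PUBLISHED = {
    "uv_sbom_bin-2.0.1.tar.gz": {
        "sha256": "e6d59cc56ded84ae8e6c1d113296ec47d00d59ac1561f63b1159c2517ade1458",
        "blake2b_256": "48d102b0f9fc13e5d38119625b16579d4cbd97ac77a2d75625d2b36b26893356",
    },
    "uv_sbom_bin-2.0.1-py3-none-any.whl": {
        "sha256": "cf68df9f0968cc36c8999b3dc61a914cbd21bb9e5e4dacc7a67ce80af2898501",
        "blake2b_256": "2dfd45138860888837f43159a3211c40edc14085142659583c6115ef6b59e95f",
    },
}


def compute_digests(data: bytes) -> dict:
    """SHA-256 and BLAKE2b-256 (hashlib.blake2b with a 32-byte digest), the two
    collision-resistant digests PyPI lists. MD5 is omitted on purpose: it adds
    nothing once SHA-256 matches."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "blake2b_256": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }


def digests_match(data: bytes, expected: dict) -> bool:
    """True only if `expected` is non-empty and every algorithm in it is one we
    compute and matches. An unknown algorithm name therefore fails closed."""
    actual = compute_digests(data)
    return bool(expected) and all(
        hmac.compare_digest(actual.get(alg, ""), digest.lower())
        for alg, digest in expected.items()
    )


def verify_file(path: str) -> bool:
    """Look the file up by its PyPI filename and check it against PUBLISHED."""
    p = Path(path)
    if p.name not in PUBLISHED:
        raise ValueError(f"no published digests for {p.name}")
    return digests_match(p.read_bytes(), PUBLISHED[p.name])


def hash_pin(project: str, version: str, sha256s) -> str:
    """requirements.txt line for `pip install --require-hashes`: one --hash per
    published file, so the sdist and the wheel are both accepted and nothing else."""
    return f"{project}=={version} " + " ".join(f"--hash=sha256:{h}" for h in sha256s)


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(hash_pin("uv-sbom-bin", "2.0.1", [f["sha256"] for f in PUBLISHED.values()]))
    for arg in sys.argv[1:]:
        print(f"{arg}: {'OK' if verify_file(arg) else 'MISMATCH'}")
```

With no arguments the script prints the pin line to paste into a requirements file; with file paths it reports OK or MISMATCH per artifact. Trusted Publishing and the attestation bundles above tell you who built the file; the digest check tells you that the bytes on disk are the ones that were attested.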

Provenance

The following attestation bundles were made for uv_sbom_bin-2.0.1.tar.gz:

Publisher: release.yml on Taketo-Yoda/uv-sbom

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file uv_sbom_bin-2.0.1-py3-none-any.whl.

File metadata

  • Download URL: uv_sbom_bin-2.0.1-py3-none-any.whl
  • Size: 6.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for uv_sbom_bin-2.0.1-py3-none-any.whl

| Algorithm | Hash digest |
|---------|---------|
| SHA256 | cf68df9f0968cc36c8999b3dc61a914cbd21bb9e5e4dacc7a67ce80af2898501 |
| MD5 | 838376134cd4c09c34b568227bf08414 |
| BLAKE2b-256 | 2dfd45138860888837f43159a3211c40edc14085142659583c6115ef6b59e95f |


Provenance

The following attestation bundles were made for uv_sbom_bin-2.0.1-py3-none-any.whl:

Publisher: release.yml on Taketo-Yoda/uv-sbom

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
