
Python wrapper for uv-sbom - SBOM generation tool for uv projects

Project description

uv-sbom-bin


Python wrapper for the uv-sbom CLI tool written in Rust.

Generate SBOMs (Software Bill of Materials) for Python projects managed by uv.

Features

  • Fast and standalone - Written in Rust, no Python dependencies required at runtime
  • Multiple output formats - CycloneDX 1.6 JSON (standard) and Markdown (human-readable)
  • Vulnerability scanning - CVE checking via OSV API is enabled by default; use --no-check-cve to opt out
  • Configurable thresholds - Filter vulnerabilities by severity or CVSS score
  • Package exclusion - Exclude internal packages with --exclude patterns
  • Configuration file support - Define defaults in uv-sbom.config.yml
  • License compliance - Enforce license policies with allow/deny lists via --check-license
  • CI/CD ready - Exit codes for easy integration into pipelines
  • License detection - Automatically fetches license info from PyPI

Why uv-sbom?

Unlike other SBOM tools that scan the entire virtual environment, uv-sbom focuses on production runtime dependencies from uv.lock:

| Aspect | uv-sbom | CycloneDX Official Tools |
|---------|---------|--------------------------|
| Data Source | uv.lock file | .venv virtual environment |
| Scope | Production dependencies only | Entire supply chain |
| Package Count | Fewer (e.g., 16 packages) | More (e.g., 38+ packages) |
| Use Case | Production security scanning | Comprehensive audit |

This focused approach reduces noise in security scanning by excluding build-time dependencies that don't ship with your application. The trade-off is that dev and build-time packages (test runners, type checkers, build backends) are not inventoried at all: a uv-sbom SBOM describes what you ship, not everything that touched the build, so pair it with a full-environment audit when you need the latter.

Installation

Via uv (Recommended)

uv tool install uv-sbom-bin

Via pip

pip install uv-sbom-bin

After installation, the uv-sbom command will be available in your PATH.

Note: The package name is uv-sbom-bin, but the installed command is uv-sbom.

Usage

Basic Commands

# Show version
uv-sbom --version

# Generate CycloneDX JSON SBOM (default)
uv-sbom --format json

# Generate Markdown SBOM
uv-sbom --format markdown --output SBOM.md

Vulnerability Checking

CVE checking is enabled by default. Use --no-check-cve to opt out.

# Check for all vulnerabilities (default — no flag needed)
uv-sbom --format markdown

# Check for High/Critical severity only
uv-sbom --format markdown --severity-threshold high

# Check for CVSS >= 7.0
uv-sbom --format markdown --cvss-threshold 7.0

# Ignore specific CVEs
uv-sbom --format markdown --ignore-cve CVE-2024-1234

# Disable CVE checking
uv-sbom --format markdown --no-check-cve

License Compliance Check

# License compliance check
uv-sbom --check-license --license-allow "MIT,Apache-2.0,BSD-*"

# Combined with vulnerability check (CVE enabled by default)
uv-sbom --check-license --severity-threshold high

Excluding Packages

# Exclude specific packages
uv-sbom -e "pytest" -e "mypy"

# Exclude with wildcards
uv-sbom -e "*-dev" -e "debug-*"

Configuration File

Create a uv-sbom.config.yml file in your project directory:

format: markdown
# check_cve: true  # CVE checking is enabled by default; set to false to disable
severity_threshold: high
exclude_packages:
  - "pytest"
  - "*-dev"
ignore_cves:
  - id: CVE-2024-1234
    reason: "False positive for our use case"
license_policy:
  allow: ["MIT", "Apache-2.0", "BSD-*"]
  deny: ["GPL-3.0-only", "AGPL-*"]
  unknown: "warn"

Generate a template:

uv-sbom --init
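The thresholds, ignore list, exclusion patterns and license policy described in the sections above all end up as decisions over the generated SBOM. The following is an added example, not uv-sbom's own code: it applies a policy with the same keys as uv-sbom.config.yml to a constructed CycloneDX 1.6 JSON document, so a CI job can gate on the SBOM independently of how the tool reports. The package versions and the two CVE IDs reuse the page's illustrative values; the EXAMPLE-* ids are placeholders, not real advisories; how the thresholds combine, how unknown licenses are treated and the exit code are this example's assumptions.

```python
"""Apply a uv-sbom.config.yml-style policy to a CycloneDX 1.6 JSON SBOM.

Added example (not uv-sbom's own code). Stdlib only: the YAML file would
normally be loaded with yaml.safe_load; here the same policy is a dict.
"""
import fnmatch
import json

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Same policy as the uv-sbom.config.yml on this page. ASSUMPTION: the way the
# rules combine below (a vulnerability must pass every configured threshold;
# the deny list is checked before the allow list) is this example's choice.
POLICY = {
    "severity_threshold": "high",
    "cvss_threshold": None,
    "exclude_packages": ["pytest", "*-dev"],
    "ignore_cves": [{"id": "CVE-2024-1234", "reason": "False positive for our use case"}],
    "license_policy": {
        "allow": ["MIT", "Apache-2.0", "BSD-*"],
        "deny": ["GPL-3.0-only", "AGPL-*"],
        "unknown": "warn",
    },
}

# Constructed CycloneDX 1.6 document, not real uv-sbom output. EXAMPLE-* ids
# are placeholders for advisories, not real identifiers.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests",
         "version": "2.31.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/urllib3@2.0.0", "name": "urllib3",
         "version": "2.0.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/pytest@8.0.0", "name": "pytest",
         "version": "8.0.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/copyleft-lib@1.0.0", "name": "copyleft-lib",
         "version": "1.0.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/nolicense@0.1.0", "name": "nolicense",
         "version": "0.1.0"},
    ],
    "vulnerabilities": [
        {"id": "CVE-2023-45803", "affects": [{"ref": "pkg:pypi/urllib3@2.0.0"}],
         "ratings": [{"score": 9.8, "severity": "critical", "method": "CVSSv31"}]},
        {"id": "CVE-2024-1234", "affects": [{"ref": "pkg:pypi/urllib3@2.0.0"}],
         "ratings": [{"score": 7.5, "severity": "high", "method": "CVSSv31"}]},
        {"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:pypi/requests@2.31.0"}],
         "ratings": [{"score": 3.1, "severity": "low", "method": "CVSSv31"}]},
        {"id": "EXAMPLE-0002", "affects": [{"ref": "pkg:pypi/pytest@8.0.0"}],
         "ratings": [{"score": 8.1, "severity": "high", "method": "CVSSv31"}]},
    ],
})


def _matches(name, patterns):
    """Case-sensitive shell-style wildcard match, like -e '*-dev'."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def _license_ids(component):
    """SPDX ids, names or expressions declared on a component (may be empty)."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license") or {}
        ids.append(lic.get("id") or lic.get("name") or entry.get("expression"))
    return [i for i in ids if i]


def _worst_rating(vuln):
    """(cvss score, severity) of the most severe rating on a vulnerability."""
    def key(r):
        sev = (r.get("severity") or "none").lower()
        return (SEVERITY_RANK.get(sev, 0), float(r.get("score") or 0.0))
    worst = max(vuln.get("ratings") or [{}], key=key)
    return float(worst.get("score") or 0.0), (worst.get("severity") or "none").lower()


def evaluate(sbom_json, policy):
    """Return the findings a CI gate would act on and the exit code it should use."""
    sbom = json.loads(sbom_json)
    excluded = policy.get("exclude_packages") or []
    ignored = {e["id"] for e in policy.get("ignore_cves") or []}
    min_rank = SEVERITY_RANK[(policy.get("severity_threshold") or "none").lower()]
    min_cvss = policy.get("cvss_threshold")
    lic_policy = policy.get("license_policy") or {}

    # Inventory after exclusion: excluded packages disappear, and so do
    # vulnerabilities that affect only excluded packages.
    kept = {c["bom-ref"]: c for c in sbom.get("components", [])
            if not _matches(c["name"], excluded)}

    vulns = []
    for v in sbom.get("vulnerabilities", []):
        refs = [a["ref"] for a in v.get("affects", []) if a["ref"] in kept]
        if not refs or v["id"] in ignored:
            continue
        score, severity = _worst_rating(v)
        if SEVERITY_RANK.get(severity, 0) < min_rank:
            continue
        if min_cvss is not None and score < min_cvss:
            continue
        vulns.append({"id": v["id"], "packages": sorted(kept[r]["name"] for r in refs),
                      "cvss": score, "severity": severity})

    violations, warnings = [], []
    for c in kept.values():
        ids = _license_ids(c)
        if not ids:
            action = lic_policy.get("unknown", "warn")
            if action == "deny":
                violations.append(f"{c['name']}: no license information")
            elif action == "warn":
                warnings.append(f"{c['name']}: no license information")
            continue
        for lid in ids:
            if _matches(lid, lic_policy.get("deny") or []):
                violations.append(f"{c['name']}: {lid} is denied")
            elif lic_policy.get("allow") and not _matches(lid, lic_policy["allow"]):
                violations.append(f"{c['name']}: {lid} is not on the allow list")

    return {
        "vulnerabilities": vulns,
        "license_violations": violations,
        "warnings": warnings,
        # ASSUMPTION: 1 on any blocking finding. uv-sbom's own exit codes are
        # documented in the main repository and are not reproduced here.
        "exit_code": 1 if vulns or violations else 0,
    }


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_SBOM, POLICY), indent=2))
```

With the page's policy, only CVE-2023-45803 survives: CVE-2024-1234 is on the ignore list, the low-severity placeholder is under the high threshold, and the finding on pytest vanishes with the excluded package; copyleft-lib trips the deny list and nolicense only produces a warning. To run it against a real file, replace POLICY with `yaml.safe_load(open("uv-sbom.config.yml"))` (PyYAML) and feed it the JSON that `uv-sbom --format json` wrote, then `sys.exit` on the returned exit code.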

CI Integration

# GitHub Actions example (CVE checking is enabled by default).
# Assumes uv itself is already available on the runner.
- name: Install uv-sbom
  run: uv tool install uv-sbom-bin
- name: Security Check
  run: uv-sbom --format markdown --severity-threshold high

Output Example

Markdown format with vulnerability report:

# Software Bill of Materials (SBOM)

## Component Inventory

| Package | Version | License | Description |
|---------|---------|---------|-------------|
| requests | 2.31.0 | Apache 2.0 | HTTP library for Python |
| pydantic | 2.12.5 | MIT | Data validation using Python type hints |

## Vulnerability Report

| Package | Current | Fixed | CVSS | Severity | CVE ID |
|---------|---------|-------|------|----------|--------|
| urllib3 | 2.0.0 | 2.0.7 | 9.8 | CRITICAL | CVE-2023-45803 |

How It Works

This package is a thin wrapper: the wheel on PyPI is only a few kilobytes and does not contain the Rust binary. When the package is installed, it downloads the prebuilt uv-sbom binary for your platform from the project's GitHub releases and installs it, so installation needs outbound access to GitHub (the network requirements and proxy configuration are in the full documentation). Note that the PyPI file hashes and attestations listed below cover the wrapper package only, not the binary fetched at install time.

Supported platforms:

  • macOS (Apple Silicon and Intel)
  • Linux (x86_64)
  • Windows (x86_64)

Full Documentation

For comprehensive documentation including:

  • Complete command-line reference
  • Security input validation details
  • Network requirements and proxy configuration
  • Exit codes and error handling
  • Troubleshooting guide

Visit the main repository: uv-sbom on GitHub

License

MIT License - see LICENSE

Download files

Source Distribution

uv_sbom_bin-2.1.0.tar.gz (5.8 kB)

Built Distribution

uv_sbom_bin-2.1.0-py3-none-any.whl (6.3 kB)

File details

Details for the file uv_sbom_bin-2.1.0.tar.gz.

File metadata

  • Download URL: uv_sbom_bin-2.1.0.tar.gz
  • Size: 5.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for uv_sbom_bin-2.1.0.tar.gz
Algorithm Hash digest
SHA256 63a34ba829fc8c95d14be0820b98736b13ee8953faf84830e2fa05239bfd8bea
MD5 42fc69b5a638f4a1093437e8c52f60f6
BLAKE2b-256 a140c722e357baa8b6c55b54cedc690d5e0b8a5d9d11f78755f195ad2633e216

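The digests above are what you check a downloaded artifact against before trusting it. The following is an added example, not part of uv-sbom or PyPI: it streams a file through the two collision-resistant algorithms PyPI publishes (SHA256 and BLAKE2b-256), refuses to count MD5 as evidence, and compares in constant time. The published digests are copied from this page; the temp-file helper and the function names are this example's own.

```python
"""Verify a downloaded PyPI artifact against the digests on its file page.

Added example (not part of uv-sbom). Stdlib only.
"""
import hashlib
import hmac
import os
import tempfile

# PyPI lists SHA256, MD5 and BLAKE2b-256 for each file. MD5 is deliberately
# not accepted: it is not collision resistant, so a match proves little.
_ACCEPTED = {
    "sha256": lambda: hashlib.sha256(),
    "blake2b-256": lambda: hashlib.blake2b(digest_size=32),
}

# Digests copied from this page for uv_sbom_bin-2.1.0.tar.gz.
PUBLISHED_SDIST_HASHES = {
    "sha256": "63a34ba829fc8c95d14be0820b98736b13ee8953faf84830e2fa05239bfd8bea",
    "blake2b-256": "a140c722e357baa8b6c55b54cedc690d5e0b8a5d9d11f78755f195ad2633e216",
    "md5": "42fc69b5a638f4a1093437e8c52f60f6",
}


def digest_file(path, algorithm, chunk_size=1 << 20):
    """Hex digest of a file, streamed so large artifacts are not read into memory."""
    h = _ACCEPTED[algorithm]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path, expected):
    """Check every accepted digest in `expected` ({algorithm: hex digest}).

    Returns (ok, algorithms_checked). ok is False if any accepted digest
    mismatches, or if only unaccepted algorithms (such as md5) were supplied.
    """
    checked = []
    for algorithm, hexdigest in expected.items():
        if algorithm not in _ACCEPTED:
            continue
        actual = digest_file(path, algorithm)
        checked.append(algorithm)
        if not hmac.compare_digest(actual, hexdigest.lower()):
            return False, checked
    return bool(checked), checked


def write_temp_file(data):
    """Helper for trying the code offline: write bytes to a temp file, return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    # Assumes the sdist was downloaded into the current directory, e.g. with
    # `pip download --no-deps --no-binary :all: uv-sbom-bin==2.1.0`.
    sdist = "uv_sbom_bin-2.1.0.tar.gz"
    if os.path.exists(sdist):
        print(verify_artifact(sdist, PUBLISHED_SDIST_HASHES))
```

The same check can be pushed into the installer: a requirements line such as `uv-sbom-bin==2.1.0 --hash=sha256:63a34ba8...` (the full digest) together with `pip install --require-hashes` makes pip refuse any file whose digest differs. Neither form says anything about the Rust binary the wrapper fetches afterwards; only the wrapper files are covered.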

Provenance

The following attestation bundles were made for uv_sbom_bin-2.1.0.tar.gz:

Publisher: release.yml on Taketo-Yoda/uv-sbom

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file uv_sbom_bin-2.1.0-py3-none-any.whl.

File metadata

  • Download URL: uv_sbom_bin-2.1.0-py3-none-any.whl
  • Size: 6.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for uv_sbom_bin-2.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 e503171950e9bc6793e091bfce5e631f26593e2b7de5dd72a718814d08934494
MD5 6e906113bd681dfbf61c6d51a9c986c1
BLAKE2b-256 21c86f478683026bfa32c85bbe5777dcd2c66a3ccdf78fbeec25253cdbe2321a


Provenance

The following attestation bundles were made for uv_sbom_bin-2.1.0-py3-none-any.whl:

Publisher: release.yml on Taketo-Yoda/uv-sbom

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
