Python wrapper for uv-sbom - SBOM generation tool for uv projects

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for take-yoda from gravatar.com take-yoda

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Taketo Yoda
  • Tags cyclonedx , python-wrapper , sbom , security , supply-chain , uv
  • Requires: Python >=3.8
Classifiers
Report project as malware

Project description

uv-sbom-bin

PyPI - Version PyPI - Downloads License: MIT CI

Python wrapper for the uv-sbom CLI tool written in Rust.

Generate SBOMs (Software Bill of Materials) for Python projects managed by uv.

Features

  • Fast and standalone - Written in Rust, no Python dependencies required at runtime
  • Multiple output formats - CycloneDX 1.6 JSON (standard) and Markdown (human-readable)
  • Vulnerability scanning - CVE checking via OSV API is enabled by default; use --no-check-cve to opt out
  • Configurable thresholds - Filter vulnerabilities by severity or CVSS score
  • Package exclusion - Exclude internal packages with --exclude patterns
  • Configuration file support - Define defaults in uv-sbom.config.yml
  • License compliance - Enforce license policies with allow/deny lists via --check-license
  • CI/CD ready - Exit codes for easy integration into pipelines
  • License detection - Automatically fetches license info from PyPI

Why uv-sbom?

Unlike other SBOM tools that scan the entire virtual environment, uv-sbom focuses on production runtime dependencies from uv.lock:

Aspect uv-sbom CycloneDX Official Tools
Data Source uv.lock file .venv virtual environment
Scope Production dependencies only Entire supply chain
Package Count Fewer (e.g., 16 packages) More (e.g., 38+ packages)
Use Case Production security scanning Comprehensive audit

This focused approach reduces noise in security scanning by excluding build-time dependencies that don't ship with your application.

Installation

Via uv (Recommended)

uv tool install uv-sbom-bin

Via pip

pip install uv-sbom-bin

After installation, the uv-sbom command will be available in your PATH.

Note: The package name is uv-sbom-bin, but the installed command is uv-sbom.

Usage

Basic Commands

# Show version
uv-sbom --version

# Generate CycloneDX JSON SBOM (default)
uv-sbom --format json

# Generate Markdown SBOM
uv-sbom --format markdown --output SBOM.md

Vulnerability Checking

CVE checking is enabled by default. Use --no-check-cve to opt out.

# Check for all vulnerabilities (default — no flag needed)
uv-sbom --format markdown

# Check for High/Critical severity only
uv-sbom --format markdown --severity-threshold high

# Check for CVSS >= 7.0
uv-sbom --format markdown --cvss-threshold 7.0

# Ignore specific CVEs
uv-sbom --format markdown --ignore-cve CVE-2024-1234

# Disable CVE checking
uv-sbom --format markdown --no-check-cve

License Compliance Check

# License compliance check
uv-sbom --check-license --license-allow "MIT,Apache-2.0,BSD-*"

# Combined with vulnerability check (CVE enabled by default)
uv-sbom --check-license --severity-threshold high

Excluding Packages

# Exclude specific packages
uv-sbom -e "pytest" -e "mypy"

# Exclude with wildcards
uv-sbom -e "*-dev" -e "debug-*"

Configuration File

Create a uv-sbom.config.yml file in your project directory:

format: markdown
# check_cve: true  # CVE checking is enabled by default; set to false to disable
severity_threshold: high
exclude_packages:
  - "pytest"
  - "*-dev"
ignore_cves:
  - id: CVE-2024-1234
    reason: "False positive for our use case"
license_policy:
  allow: ["MIT", "Apache-2.0", "BSD-*"]
  deny: ["GPL-3.0-only", "AGPL-*"]
  unknown: "warn"

Generate a template:

uv-sbom --init

CI Integration

# GitHub Actions example (CVE checking is enabled by default)
- name: Security Check
  run: uv-sbom --format markdown --severity-threshold high

Output Example

Markdown format with vulnerability report:

# Software Bill of Materials (SBOM)

## Component Inventory

| Package | Version | License | Description |
|---------|---------|---------|-------------|
| requests | 2.31.0 | Apache 2.0 | HTTP library for Python |
| pydantic | 2.12.5 | MIT | Data validation using Python type hints |

## Vulnerability Report

| Package | Current | Fixed | CVSS | Severity | CVE ID |
|---------|---------|-------|------|----------|--------|
| urllib3 | 2.0.0 | 2.0.7 | 9.8 | CRITICAL | CVE-2023-45803 |

How It Works

This package downloads the prebuilt Rust binary for your platform from the GitHub releases and installs it.

Supported platforms:

  • macOS (Apple Silicon and Intel)
  • Linux (x86_64)
  • Windows (x86_64)

Full Documentation

For comprehensive documentation including:

  • Complete command-line reference
  • Security input validation details
  • Network requirements and proxy configuration
  • Exit codes and error handling
  • Troubleshooting guide

Visit the main repository: uv-sbom on GitHub

License

MIT License - see LICENSE

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for take-yoda from gravatar.com take-yoda

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Taketo Yoda
  • Tags cyclonedx , python-wrapper , sbom , security , supply-chain , uv
  • Requires: Python >=3.8
Classifiers

Release history Release notifications | RSS feed

2.3.0

This version

2.2.0

2.1.0

2.0.1

2.0.0

1.3.0

1.2.0

1.1.0

1.0.0

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

uv_sbom_bin-2.2.0.tar.gz (5.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

uv_sbom_bin-2.2.0-py3-none-any.whl (6.3 kB view details)

Uploaded Python 3

File details

Details for the file uv_sbom_bin-2.2.0.tar.gz.

File metadata

  • Download URL: uv_sbom_bin-2.2.0.tar.gz
  • Upload date:
  • Size: 5.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for uv_sbom_bin-2.2.0.tar.gz
Algorithm Hash digest
SHA256 006b89c3619c8d9486f58d1396a65a24d1ed5021b8f86a61849e41ca915a6a95
MD5 67c5ea2f437f00bf8bfc5bad1ac30b25
BLAKE2b-256 e83da938e0e53e8895549d55f942bccdac8ab6e7d181187d23304891a79987cb

See more details on using hashes here.

Provenance

The following attestation bundles were made for uv_sbom_bin-2.2.0.tar.gz:

Publisher: release.yml on Taketo-Yoda/uv-sbom

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file uv_sbom_bin-2.2.0-py3-none-any.whl.

File metadata

  • Download URL: uv_sbom_bin-2.2.0-py3-none-any.whl
  • Upload date:
  • Size: 6.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for uv_sbom_bin-2.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 9d45bc96eb57297e357ba372f6d11429fab90af4e02a612054ce6b143b955db7
MD5 8f77447ef484ac0b1bbf5c5eb886f184
BLAKE2b-256 962dc9bfacecc50384ccfa24c25fca1d80fd8ea6924dc15ad60b146062d87813

See more details on using hashes here.

Provenance

The following attestation bundles were made for uv_sbom_bin-2.2.0-py3-none-any.whl:

Publisher: release.yml on Taketo-Yoda/uv-sbom

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page