
Python wrapper for uv-sbom - SBOM generation tool for uv projects

Project description

uv-sbom-bin


Python wrapper for the uv-sbom CLI tool written in Rust.

Generate SBOMs (Software Bill of Materials) for Python projects managed by uv.

Features

  • Fast and standalone - Written in Rust, no Python dependencies required at runtime
  • Multiple output formats - CycloneDX 1.6 JSON (standard) and Markdown (human-readable)
  • Vulnerability scanning - CVE checking via OSV API is enabled by default; use --no-check-cve to opt out
  • Configurable thresholds - Filter vulnerabilities by severity or CVSS score
  • Package exclusion - Exclude internal packages with --exclude patterns
  • Configuration file support - Define defaults in uv-sbom.config.yml
  • License compliance - Enforce license policies with allow/deny lists via --check-license
  • CI/CD ready - Exit codes for easy integration into pipelines
  • License detection - Automatically fetches license info from PyPI

Why uv-sbom?

Unlike other SBOM tools that scan the entire virtual environment, uv-sbom focuses on production runtime dependencies from uv.lock:

| Aspect | uv-sbom | CycloneDX Official Tools |
|---------|---------|--------------------------|
| Data Source | uv.lock file | .venv virtual environment |
| Scope | Production dependencies only | Entire supply chain |
| Package Count | Fewer (e.g., 16 packages) | More (e.g., 38+ packages) |
| Use Case | Production security scanning | Comprehensive audit |

This focused approach reduces noise in security scanning by excluding build-time dependencies that don't ship with your application.

Installation

Via uv (Recommended)

uv tool install uv-sbom-bin

Via pip

pip install uv-sbom-bin

After installation, the uv-sbom command will be available in your PATH.

Note: The package name is uv-sbom-bin, but the installed command is uv-sbom.

Usage

Basic Commands

# Show version
uv-sbom --version

# Generate CycloneDX JSON SBOM (default)
uv-sbom --format json

# Generate Markdown SBOM
uv-sbom --format markdown --output SBOM.md

Vulnerability Checking

CVE checking is enabled by default. Use --no-check-cve to opt out.

# Check for all vulnerabilities (default — no flag needed)
uv-sbom --format markdown

# Check for High/Critical severity only
uv-sbom --format markdown --severity-threshold high

# Check for CVSS >= 7.0
uv-sbom --format markdown --cvss-threshold 7.0

# Ignore specific CVEs
uv-sbom --format markdown --ignore-cve CVE-2024-1234

# Disable CVE checking
uv-sbom --format markdown --no-check-cve

License Compliance Check

# License compliance check
uv-sbom --check-license --license-allow "MIT,Apache-2.0,BSD-*"

# Combined with vulnerability check (CVE enabled by default)
uv-sbom --check-license --severity-threshold high

Excluding Packages

# Exclude specific packages
uv-sbom -e "pytest" -e "mypy"

# Exclude with wildcards
uv-sbom -e "*-dev" -e "debug-*"

Configuration File

Create a uv-sbom.config.yml file in your project directory:

format: markdown
# check_cve: true  # CVE checking is enabled by default; set to false to disable
severity_threshold: high
exclude_packages:
  - "pytest"
  - "*-dev"
ignore_cves:
  - id: CVE-2024-1234
    reason: "False positive for our use case"
license_policy:
  allow: ["MIT", "Apache-2.0", "BSD-*"]
  deny: ["GPL-3.0-only", "AGPL-*"]
  unknown: "warn"

Generate a template:

uv-sbom --init

CI Integration

# GitHub Actions example (CVE checking is enabled by default)
- name: Security Check
  run: uv-sbom --format markdown --severity-threshold high

Output Example

Markdown format with vulnerability report:

# Software Bill of Materials (SBOM)

## Component Inventory

| Package | Version | License | Description |
|---------|---------|---------|-------------|
| requests | 2.31.0 | Apache 2.0 | HTTP library for Python |
| pydantic | 2.12.5 | MIT | Data validation using Python type hints |

## Vulnerability Report

| Package | Current | Fixed | CVSS | Severity | CVE ID |
|---------|---------|-------|------|----------|--------|
| urllib3 | 2.0.0 | 2.0.7 | 9.8 | CRITICAL | CVE-2023-45803 |
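The severity and CVSS thresholds, the ignore list and the license allow/deny policy described above can also be applied after the fact to the CycloneDX JSON output, for example as a separate CI gate. The following is an added example, not code from uv-sbom; it assumes the standard CycloneDX 1.4+ layout (components carrying bom-ref and licenses, vulnerabilities carrying ratings and affects) for what --format json emits, and SAMPLE_BOM is a constructed document, not captured tool output.

```python
from fnmatch import fnmatch
# Severity scale ordered low -> high so thresholds can be compared by index.
SEVERITY_ORDER = ["none", "info", "low", "medium", "high", "critical"]

# Constructed sample in CycloneDX 1.6 shape (an assumption about the exact layout
# uv-sbom --format json emits); versions and CVE ids come from the page's examples.
SAMPLE_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:pypi/urllib3@2.0.0", "name": "urllib3", "version": "2.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:pypi/internal-tool@0.1", "name": "internal-tool", "version": "0.1"},
    ], "vulnerabilities": [
        {"id": "CVE-2023-45803", "affects": [{"ref": "pkg:pypi/urllib3@2.0.0"}],
         "ratings": [{"score": 9.8, "severity": "critical", "method": "CVSSv31"}]},
        {"id": "CVE-2024-1234", "affects": [{"ref": "pkg:pypi/requests@2.31.0"}],
         "ratings": [{"score": 5.3, "severity": "medium", "method": "CVSSv31"}]},
    ]}

def check_licenses(bom, policy):
    """(violations, warnings) under license_policy allow/deny/unknown; patterns are fnmatch globs."""
    violations, warnings = [], []
    allow, deny = policy.get("allow", []), policy.get("deny", [])
    for comp in bom.get("components", []):
        label = f'{comp["name"]}@{comp["version"]}'
        ids = list(filter(None, (e.get("license", {}).get("id") for e in comp.get("licenses", []))))
        if not ids:  # unknown: "deny" fails the check, any other value only warns
            (violations if policy.get("unknown") == "deny" else warnings).append(f"{label}: license unknown")
        for lic in ids:
            if any(fnmatch(lic, p) for p in deny):
                violations.append(f"{label}: {lic} is denied")
            elif allow and not any(fnmatch(lic, p) for p in allow):
                violations.append(f"{label}: {lic} not in allow list")
    return violations, warnings

def check_vulnerabilities(bom, severity_threshold="none", cvss_threshold=0.0, ignore_cves=()):
    """Ids at or above BOTH thresholds, minus ignore_cves (plain ids or {id, reason} dicts)."""
    ignored = {e["id"] if isinstance(e, dict) else e for e in ignore_cves}
    min_idx = SEVERITY_ORDER.index(severity_threshold.lower())
    findings = []
    for vuln in bom.get("vulnerabilities", []):
        ratings = vuln.get("ratings", [])
        score = max((r.get("score", 0.0) for r in ratings), default=0.0)
        sev = max((SEVERITY_ORDER.index(r.get("severity", "none").lower()) for r in ratings), default=0)
        if vuln["id"] not in ignored and sev >= min_idx and score >= cvss_threshold:
            findings.append(vuln["id"])
    return findings
```

A pipeline step would load the JSON file the tool wrote, call both checks with the values from uv-sbom.config.yml, and fail the job when either returns violations or findings.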

How It Works

At install time, this package downloads the prebuilt Rust binary for your platform from the project's GitHub releases and installs it; the 6.3 kB wheel itself does not bundle the binary.

Supported platforms:

  • macOS (Apple Silicon and Intel)
  • Linux (x86_64)
  • Windows (x86_64)

Full Documentation

For comprehensive documentation including:

  • Complete command-line reference
  • Security input validation details
  • Network requirements and proxy configuration
  • Exit codes and error handling
  • Troubleshooting guide

Visit the main repository: uv-sbom on GitHub

License

MIT License - see LICENSE


Download files


Source Distribution

uv_sbom_bin-2.3.0.tar.gz (5.8 kB)

Uploaded Source

Built Distribution


uv_sbom_bin-2.3.0-py3-none-any.whl (6.3 kB)

Uploaded Python 3

File details

Details for the file uv_sbom_bin-2.3.0.tar.gz.

File metadata

  • Download URL: uv_sbom_bin-2.3.0.tar.gz
  • Size: 5.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for uv_sbom_bin-2.3.0.tar.gz:

  • SHA256: e6a956189a099773d259cc6f9f577601d5907dbd30c665ee5dc1a9f930f656a9
  • MD5: b79e6157a9e8e1b26ce1e9413586f400
  • BLAKE2b-256: 571222c73e19824124ebdff69f6f3485ec0a1d3b3503973e84eb8358b5dac29f

Provenance

The following attestation bundles were made for uv_sbom_bin-2.3.0.tar.gz:

Publisher: release.yml on Taketo-Yoda/uv-sbom

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file uv_sbom_bin-2.3.0-py3-none-any.whl.

File metadata

  • Download URL: uv_sbom_bin-2.3.0-py3-none-any.whl
  • Size: 6.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for uv_sbom_bin-2.3.0-py3-none-any.whl:

  • SHA256: d8366ceffbcaaf59c8b6660082615c20668e6427b381abfc1729ec25b70cb6fa
  • MD5: 9b12e2f810f8d49e3e277b082d729bc4
  • BLAKE2b-256: b845b346970b74de8e1b8305e5a20fb1ee2e6cf8ec5059425b7ae1a59b1b9e78

Provenance

The following attestation bundles were made for uv_sbom_bin-2.3.0-py3-none-any.whl:

Publisher: release.yml on Taketo-Yoda/uv-sbom

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
