CycloneDX Software Bill of Materials (SBOM) generation utility
CycloneDX Python SBOM Generation Tool
This project provides a runnable Python-based application for generating CycloneDX bill-of-materials documents from either:
- your current Python environment
- your project's manifest (e.g. requirements.txt)
The BOM will contain either every package installed in your current Python environment, or the dependencies defined by the manifest you supply.
CycloneDX is a lightweight BOM specification that is easily created, human-readable, and simple to parse.
Installation
Install this from PyPI using your preferred Python package manager.
Example using pip:
pip install cyclonedx-bom
Example using poetry:
poetry add cyclonedx-bom
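A tool that produces your SBOM is itself part of your supply chain, so a practitioner will usually pin not only its version but the digest of the artifact being installed, so that a compromised index or mirror cannot substitute a different file. The following is an added example, not part of the cyclonedx-bom project: it renders a hash-pinned pip requirement for cyclonedx-bom 1.0.5 from the SHA256 digests PyPI lists for its sdist and wheel (the values shown under Download files on this page, assumed to have been copied correctly), and verifies a locally downloaded file against one of them. The requirement syntax is pip's documented `--hash=sha256:<hex>` form; `pip install --require-hashes -r requirements.txt` then refuses any file whose digest is not listed.

```python
"""Hash-pinned installation of cyclonedx-bom 1.0.5.

Added example, not part of the cyclonedx-bom project. The SHA256 digests are
the ones PyPI publishes for the 1.0.5 sdist and wheel; the requirement syntax
is pip's documented ``--hash=sha256:<hex>`` form, which together with
``pip install --require-hashes`` makes pip reject any file whose digest does
not match one of the listed values.
"""
import hashlib
import hmac
from pathlib import Path

# Digests as published on the PyPI page for cyclonedx-bom 1.0.5 (copied from
# the Download files section; re-check them against PyPI before relying on them).
CYCLONEDX_BOM_1_0_5_SHA256 = {
    "cyclonedx-bom-1.0.5.tar.gz":
        "76672294e59b67b11eca16d387af496ae30e5b43d9ae30b24c8c714811025454",
    "cyclonedx_bom-1.0.5-py3-none-any.whl":
        "47ca93b7b7f0f8fcb80d551cd1e2180d67ccf8833a958f797b7d0c8995dcc444",
}


def hash_pinned_requirement(name: str, version: str, sha256_digests: dict) -> str:
    """Render one pip requirement pinned to an exact version and to the SHA256
    of every acceptable distribution file. pip accepts several --hash options
    on one requirement so that either the sdist or the wheel may be installed."""
    parts = [f"{name}=={version}"]
    for filename in sorted(sha256_digests):
        parts.append(f"    --hash=sha256:{sha256_digests[filename]}")
    return " \\\n".join(parts)


def sha256_of_file(path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA256 so large wheels need not be read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_sha256: str) -> bool:
    """Compare the file's digest with the published one in constant time."""
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_sha256.lower())


if __name__ == "__main__":
    print(hash_pinned_requirement("cyclonedx-bom", "1.0.5", CYCLONEDX_BOM_1_0_5_SHA256))
    # Check files fetched locally, e.g. with: pip download --no-deps cyclonedx-bom==1.0.5
    for filename, digest in CYCLONEDX_BOM_1_0_5_SHA256.items():
        candidate = Path(filename)
        if candidate.exists():
            print(filename, "OK" if verify_download(candidate, digest) else "MISMATCH")
```

The rendered requirement goes into the requirements file of the build or CI job that installs the tool; pip will then also demand hashes for every other requirement in that file, which is the point: one unpinned entry would otherwise undo the protection.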
Usage
Once installed, you can access the full documentation by running --help:
$ cyclonedx-py --help
usage: cyclonedx-py [-h] (-e | -r) [-rf FILE_PATH] [--format {json,xml}] [--schema-version {1.3,1.2,1.1,1.0}]
                    [-o FILE_PATH] [-F] [-X]

CycloneDX SBOM Generator

optional arguments:
  -h, --help            show this help message and exit
  -e, --e, --environment
                        Build a SBOM based on the packages installed in your current Python environment (default)
  -r, --r, --requirements
                        Build a SBOM based on a requirements.txt's contents
  -X                    Enable debug output

Requirements:
  Additional optional arguments if you are setting the input type to `requirements`.

  -rf FILE_PATH, --rf FILE_PATH, --requirements-file FILE_PATH
                        Path to the requirements.txt file you wish to parse

SBOM Output Configuration:
  Choose the output format and schema version

  --format {json,xml}   The output format for your SBOM (default: xml)
  --schema-version {1.3,1.2,1.1,1.0}
                        The CycloneDX schema version for your SBOM (default: 1.3)
  -o FILE_PATH, --o FILE_PATH, --output FILE_PATH
                        Output file path for your SBOM (set to '-' to output to STDOUT)
  -F, --force           If outputting to a file and the stated file already exists, it will be overwritten.
Building CycloneDX for your current Python environment
This will produce the most accurate and complete CycloneDX BOM, as it will include all transitive dependencies required by the packages defined in your project's manifest (think requirements.txt). Because it enumerates everything installed, run it from the project's own virtual environment rather than a shared or global site-packages; otherwise the BOM will also list packages your project does not use.
Simply run:
cyclonedx-py -e -o -
This will generate a CycloneDX including all packages installed in your current Python environment and write it to STDOUT, in XML using the latest schema version (1.3) by default.
Building CycloneDX from your Manifest
We currently support requirements.txt manifest files. Note that a BOM such as CycloneDX expects exact version numbers, so if you wish to generate a BOM from a requirements.txt, its entries must be frozen. This can be accomplished via:
pip freeze > requirements.txt
A hand-written requirements.txt that lists only direct dependencies will yield a BOM without their transitive dependencies; a frozen file, or the environment mode above, includes them.
You can then run cyclonedx-py as follows:
cyclonedx-py -r -rf PATH/TO/requirements.txt -o -
This will generate a CycloneDX and write it to STDOUT, in XML using the latest schema version (1.3) by default.
Unpinned dependencies in requirements.txt
If you did not freeze your dependencies before passing the requirements.txt to cyclonedx-py, you'll be warned about this, and the dependencies that do not have pinned versions WILL NOT be included in the resulting CycloneDX output. Check for this warning in CI, since a BOM that silently omits components is incomplete rather than wrong-looking:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! Some of your dependencies do not have pinned version !!
!! numbers in your requirements.txt                     !!
!!                                                      !!
!! -> idna                                              !!
!! -> requests                                          !!
!! -> urllib3                                           !!
!!                                                      !!
!! The above will NOT be included in the generated      !!
!! CycloneDX as version is a mandatory field.           !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
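To make concrete what the environment mode and the manifest mode described above actually collect, and why unpinned entries are dropped, here is an added example in Python. It is not cyclonedx-py's own code and does not reproduce everything the tool emits. It builds a minimal CycloneDX 1.3 JSON document either from every distribution installed in the running interpreter (via importlib.metadata) or from a requirements.txt, where only lines pinned with `==` carry the version that is mandatory for a component; unpinned names are returned separately so they can be warned about rather than silently lost. The sample requirements text is constructed for the example; the `pkg:pypi/<name>@<version>` package URL form and the component field names follow the purl and CycloneDX 1.3 JSON specifications.

```python
"""Minimal CycloneDX 1.3 JSON builder for Python dependencies.

Added example, not cyclonedx-py's own code. It shows the two input modes the
page describes: every installed distribution of the current environment, and a
requirements.txt where only ``name==version`` entries carry the version that
CycloneDX requires on a component. Unpinned entries are reported, not dropped
silently. Package URLs use the ``pkg:pypi/<name>@<version>`` form.
"""
import json
import re
from importlib import metadata

# Requirement name (PEP 508 style), optional extras, then the version specifier
# up to an environment marker (';') or comment ('#').
_REQ_LINE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(?P<spec>[^;#]*)"
)
# Only an exact '==' pin counts; '>=', '~=', bare names and '==1.*' do not.
_PIN = re.compile(r"^==\s*(?P<version>[A-Za-z0-9.!+*_-]+)\s*$")


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str):
    """Return (pinned, unpinned): pinned is a list of (name, version) for
    ``name==version`` lines; unpinned lists the names of every other
    requirement. Comments, blank lines and pip option lines (-r, --hash
    continuations, --index-url, ...) are skipped."""
    pinned, unpinned = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_LINE.match(line)
        if not m:
            continue
        name = normalize_name(m.group("name"))
        # Drop trailing per-requirement options such as ' --hash=sha256:...'.
        spec = re.split(r"\s+--", m.group("spec").strip(), maxsplit=1)[0].strip()
        pin = _PIN.match(spec)
        if pin and "*" not in pin.group("version"):
            pinned.append((name, pin.group("version")))
        else:
            unpinned.append(name)
    return pinned, unpinned


def environment_components():
    """Every distribution installed in the running interpreter's environment.
    This is what an environment-based BOM captures, including packages that
    have nothing to do with the project if the environment is not a clean venv."""
    comps = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if not name or not dist.version:
            continue  # skip broken or partially removed installs
        comps[normalize_name(name)] = dist.version
    return sorted(comps.items())


def build_bom(components):
    """Assemble a CycloneDX 1.3 JSON document from (name, version) pairs."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.3",
        "version": 1,
        "components": [
            {
                "type": "library",
                "name": name,
                "version": version,
                "purl": f"pkg:pypi/{name}@{version}",
            }
            for name, version in components
        ],
    }


def bom_from_requirements(text: str):
    """Pinned entries become components; unpinned names are returned so the
    caller can warn about them, mirroring the warning cyclonedx-py prints."""
    pinned, unpinned = parse_requirements(text)
    return build_bom(pinned), unpinned


# Constructed sample: two frozen lines (one with a marker), three unpinned
# entries with the same names as the warning shown on this page.
SAMPLE_REQUIREMENTS = """\
# frozen with pip freeze, except the last three
certifi==2021.5.30
charset-normalizer==2.0.4 ; python_version >= "3"
idna
requests>=2.25
urllib3
"""

if __name__ == "__main__":
    bom, unpinned = bom_from_requirements(SAMPLE_REQUIREMENTS)
    print(json.dumps(bom, indent=2))
    if unpinned:
        print("WARNING: no pinned version, not in BOM:", ", ".join(unpinned))
    env_bom = build_bom(environment_components())
    print(f"{len(env_bom['components'])} components installed in this environment")
```

Run it once from a global interpreter and once from the project's virtual environment and compare the component counts: the difference is exactly the unrelated packages that would pollute an environment-based SBOM. Diffing the name/version pairs against what cyclonedx-py -e emits is a quick way to confirm the tool saw the same environment you think it did.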
Python Support
We endeavour to support all functionality for all current actively supported Python versions. However, some features may not be possible/present in older Python versions due to their lack of support.
Copyright & License
CycloneDX BOM is Copyright (c) OWASP Foundation. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
Download files
Source Distribution: cyclonedx-bom-1.0.5.tar.gz
- Size: 9.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.7.12

File hashes for cyclonedx-bom-1.0.5.tar.gz

Algorithm | Hash digest
---|---
SHA256 | 76672294e59b67b11eca16d387af496ae30e5b43d9ae30b24c8c714811025454
MD5 | a5580d4227aa56611c8cc64f0c7aacbc
BLAKE2b-256 | 66c35cafca8e53b4795022b54ead6a6cbf90cd88cfd4e9ed0c79dbb5d36fe6f2

Built Distribution: cyclonedx_bom-1.0.5-py3-none-any.whl
- Size: 14.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.7.12

File hashes for cyclonedx_bom-1.0.5-py3-none-any.whl

Algorithm | Hash digest
---|---
SHA256 | 47ca93b7b7f0f8fcb80d551cd1e2180d67ccf8833a958f797b7d0c8995dcc444
MD5 | 0159d955ad1ed469e367e6fd9c8ba96d
BLAKE2b-256 | 695b40d711a1f97c1dd30dcbe8f670e20ff8b1797f3cc568fa96934be3f807bd