Skip to main content

CycloneDX Software Bill of Materials (SBOM) generation utility

Project description

CycloneDX Python SBOM Generation Tool

GitHub Workflow Status Docker Image GitHub license Python Version Support Slack Invite PyPI Version Python Version Support Group Discussion Twitter


This project provides a runnable Python-based application for generating CycloneDX bill-of-material documents from either:

  1. Your current Python Environment
  2. Your project's manifest (e.g. requirements.txt)

The BOM will contain an aggregate of all your current project's dependencies, or those defined by the manifest you supply.

CycloneDX is a lightweight BOM specification that is easily created, human-readable, and simple to parse.

Installation

Install this from PyPi.org using your preferred Python package manager.

Example using pip:

pip install cyclonedx-bom

Example using poetry:

poetry add cyclonedx-bom

Usage

Once installed, you can access the full documentation by running --help:

$ cyclonedx-py --help
usage: cyclonedx-py [-h] (-e | -r) [-rf FILE_PATH] [--format {json,xml}] [--schema-version {1.3,1.2,1.1,1.0}] 
[-o FILE_PATH] [-F] [-X]

CycloneDX SBOM Generator

optional arguments:
  -h, --help            show this help message and exit
  -e, --e, --environment
                        Build a SBOM based on the packages installed in your current Python environment (default)
  -r, --r, --requirements
                        Build a SBOM based on a requirements.txt's contents
  -X                    Enable debug output

Requirements:
  Additional optional arguments if you are setting the input type to `requirements`.

  -rf FILE_PATH, --rf FILE_PATH, --requirements-file FILE_PATH
                        Path to a the requirements.txt file you wish to parse

SBOM Output Configuration:
  Choose the output format and schema version

  --format {json,xml}   The output format for your SBOM (default: xml)
  --schema-version {1.3,1.2,1.1,1.0}
                        The CycloneDX schema version for your SBOM (default: 1.3)
  -o FILE_PATH, --o FILE_PATH, --output FILE_PATH
                        Output file path for your SBOM (set to '-' to output to STDOUT)
  -F, --force           If outputting to a file and the stated file already exists, it will be overwritten.

Building CycloneDX for your current Python environment

This will produce the most accurate and complete CycloneDX BOM as it will include all transitive dependencies required by the packages defined in your project's manifest (think requriements.txt).

Simply run:

cyclonedx-py -e -o -

This will generate a CycloneDX including all packages installed in your current Python environment and output to STDOUT in XML using the latest schema version 1.3 by default.

Building CycloneDX from your Manifest

We currently support requirements.txt manifest files. Note that a BOM such as CycloneDX expects exact version numbers, therefore if you wish to generate a BOM from a requirements.txt, these must be frozen. This can be accomplished via:

pip freeze > requirements.txt

You can then run cyclonedx-py as follows:

cyclonedx-py -r -rf PATH/TO/requirements.txt -o -

This will generate a CycloneDX and output to STDOUT in XML using the latest schema version 1.3 by default.

Unpinned dependencies in requirements.txt

If you failed to freeze your dependencies before passing the requirements.txt data to cyclonedx-py, you'll be warned about this and the dependencies that do not have pinned versions WILL NOT be included in the resulting CycloneDX output.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! Some of your dependencies do not have pinned version !!
!! numbers in your requirements.txt                     !!
!!                                                      !!
!! -> idna                                              !!
!! -> requests                                          !!
!! -> urllib3                                           !!
!!                                                      !!
!! The above will NOT be included in the generated      !!
!! CycloneDX as version is a mandatory field.           !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Python Support

We endeavour to support all functionality for all current actively supported Python versions. However, some features may not be possible/present in older Python versions due to their lack of support.

Copyright & License

CycloneDX BOM is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cyclonedx-bom-1.0.5.tar.gz (9.4 kB view details)

Uploaded Source

Built Distribution

cyclonedx_bom-1.0.5-py3-none-any.whl (14.1 kB view details)

Uploaded Python 3

File details

Details for the file cyclonedx-bom-1.0.5.tar.gz.

File metadata

  • Download URL: cyclonedx-bom-1.0.5.tar.gz
  • Upload date:
  • Size: 9.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.7.12

File hashes

Hashes for cyclonedx-bom-1.0.5.tar.gz
Algorithm Hash digest
SHA256 76672294e59b67b11eca16d387af496ae30e5b43d9ae30b24c8c714811025454
MD5 a5580d4227aa56611c8cc64f0c7aacbc
BLAKE2b-256 66c35cafca8e53b4795022b54ead6a6cbf90cd88cfd4e9ed0c79dbb5d36fe6f2

See more details on using hashes here.

Provenance

File details

Details for the file cyclonedx_bom-1.0.5-py3-none-any.whl.

File metadata

  • Download URL: cyclonedx_bom-1.0.5-py3-none-any.whl
  • Upload date:
  • Size: 14.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.7.12

File hashes

Hashes for cyclonedx_bom-1.0.5-py3-none-any.whl
Algorithm Hash digest
SHA256 47ca93b7b7f0f8fcb80d551cd1e2180d67ccf8833a958f797b7d0c8995dcc444
MD5 0159d955ad1ed469e367e6fd9c8ba96d
BLAKE2b-256 695b40d711a1f97c1dd30dcbe8f670e20ff8b1797f3cc568fa96934be3f807bd

See more details on using hashes here.

Provenance

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page