
A library for producing CycloneDX SBOM (Software Bill of Materials) files.

Project description

Python Library for generating CycloneDX


This CycloneDX module for Python can generate valid CycloneDX bill-of-materials documents containing an aggregate of all project dependencies.

This module is not designed for standalone use. If you're looking for a CycloneDX tool to run to generate SBOM (software bill of materials) documents, why not check out:

Additionally, the following tool can be used as well (and this library was written to help improve it).

You can also use this module yourself in your application to programmatically generate SBOMs.

CycloneDX is a lightweight BOM specification that is easily created, human-readable, and simple to parse.

Installation

Install from pypi.org as you would any other Python module:

pip install cyclonedx-python-lib

Architecture

This module breaks out into three key areas:

  1. Parser: Use a parser that suits your needs to automatically gather information about your environment or application
  2. Model: Internal models used to unify data from different parsers
  3. Output: Choose and configure an output which allows you to define output format as well as the CycloneDX schema version

Parsing

You can use one of the parsers to obtain information about your project or environment. Available parsers:

  • Environment (from cyclonedx.parser.environment import EnvironmentParser): looks at the packages installed in your current Python environment.
  • PoetryParser (from cyclonedx.parser.poetry import PoetryParser): parses poetry.lock content passed in as a string.
  • PoetryFileParser (from cyclonedx.parser.poetry import PoetryFileParser): parses the poetry.lock file at the supplied path.
  • RequirementsParser (from cyclonedx.parser.requirements import RequirementsParser): parses a multiline string that you provide which conforms to the requirements.txt PEP-508 standard.
  • RequirementsFileParser (from cyclonedx.parser.requirements import RequirementsFileParser): parses a file at the path you provide which conforms to the requirements.txt PEP-508 standard.

Example

from cyclonedx.parser.environment import EnvironmentParser

parser = EnvironmentParser()

Modelling

You can create a BOM Model from either a Parser instance or manually using the methods available directly on the Bom class.

The model also supports definition of vulnerabilities for output using the CycloneDX schema extension for Vulnerability Disclosures as of version 0.3.0.

Note: Known vulnerabilities associated with Components can be sourced from various data sources, but this library will not source them for you. Perhaps look at Jake if you're interested in this.

Example from a Parser

from cyclonedx.model.bom import Bom
from cyclonedx.parser.environment import EnvironmentParser

parser = EnvironmentParser()
bom = Bom.from_parser(parser=parser)

Generating Output

Once you have an instance of a Bom you can produce output in either JSON or XML against any of the supported CycloneDX schema versions, as you require.

We provide two helper methods:

  1. Output to string (for you to do with as you require)
  2. Output directly to a filename you provide

Example as JSON

from cyclonedx.output import get_instance, OutputFormat

outputter = get_instance(bom=bom, output_format=OutputFormat.JSON)
outputter.output_as_string()

Example as XML

from cyclonedx.output import get_instance, SchemaVersion

outputter = get_instance(bom=bom, schema_version=SchemaVersion.V1_2)
outputter.output_to_file(filename='/tmp/sbom-v1.2.xml')
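As an added example (not code from cyclonedx-python-lib), the three steps above reduced to the standard library: a pinned requirements.txt string is parsed, modelled as components carrying pkg:pypi purls, and emitted in the JSON shape whose supported fields the schema table in the next section lists; a consumer-side check then verifies that each purl matches the component's name and version. The requirements content, the regex and the check function are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample requirements.txt content (not from the page), pinned with ==.
REQUIREMENTS = """
# a comment line
requests==2.26.0
packaging==21.0   # trailing comment
toml==0.10.2
"""

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s#;]+)")

def parse_pinned(text):
    """Return (name, version) pairs for each 'name==version' line, skipping blanks and comments."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = PIN_RE.match(line)
        if not match:  # an unpinned line yields a component with no usable version, so refuse it
            raise ValueError(f"unpinned or unsupported requirement: {line!r}")
        # pypi purl names are lowercase with underscores replaced by hyphens
        found.append((match.group(1).lower().replace("_", "-"), match.group(2)))
    return found

def build_bom(requirements, spec_version="1.3"):
    """Emit the JSON shape the README lists as supported: root, metadata.timestamp, components."""
    components = [
        {"type": "library", "name": n, "version": v, "purl": f"pkg:pypi/{n}@{v}"}
        for n, v in parse_pinned(requirements)
    ]
    return {"bomFormat": "CycloneDX", "specVersion": spec_version, "version": 1,
            "metadata": {"timestamp": datetime.now(timezone.utc).isoformat()},
            "components": components}

def check_bom(bom):
    """Consumer-side check: every component carries name, version and a purl that matches them."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    for c in bom.get("components", []):
        if not c.get("name") or not c.get("version"):
            problems.append(f"component missing name or version: {c}")
        elif c.get("purl") != f"pkg:pypi/{c['name']}@{c['version']}":
            problems.append(f"purl mismatch for {c['name']}: {c.get('purl')}")
    return problems
```

Running check_bom over a document the library produced is a cheap gate before the SBOM is handed to a vulnerability matcher, since a purl that disagrees with name and version silently produces wrong matches.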

Schema Support

This library is a work in progress and complete support for all parts of the CycloneDX schema will come in future releases.

Here is a summary of the parts of the schema supported by this library:

Note: We refer throughout using XPath, but the same is true for both XML and JSON output formats.

XPath                       Support v1.3  Support v1.2  Support v1.1  Support v1.0  Notes
/bom                        Y             Y             Y             Y             This is the root element and is supported with all its defined attributes.
/bom/metadata               Y             Y             N/A           N/A           Only timestamp is currently supported.
/bom/components             Y             Y             Y             Y
/bom/components/component
  ./author                  Y             Y             N/A           N/A
  ./name                    Y             Y             Y             Y
  ./version                 Y             Y             Y             Y
  ./purl                    Y             Y             Y             Y

Notes on Schema Support

  1. N/A is where the CycloneDX standard does not include this
  2. If the table above does not refer to an element, it is not currently supported

Python Support

We endeavour to support all functionality for all current actively supported Python versions. However, some features may not be possible/present in older Python versions due to their lack of support.

Changelog

See our CHANGELOG.

Copyright & License

CycloneDX Python Lib is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.


Download files


Source Distribution: cyclonedx-python-lib-0.3.0.tar.gz (86.8 kB)

Built Distribution: cyclonedx_python_lib-0.3.0-py3-none-any.whl (111.6 kB, Python 3)
