CycloneDX Python SBOM Generation Tool
This project provides a runnable Python-based application for generating CycloneDX bill-of-material documents from either:
- Your current Python Environment
- Your project's manifest (e.g. Pipfile.lock, poetry.lock or requirements.txt)
- Conda as a Package Manager
The BOM will contain an aggregate of all your current project's dependencies, or those defined by the manifest you supply.
CycloneDX is a lightweight BOM specification that is easily created, human-readable, and simple to parse.
Read the full documentation for more details.
Installation
Install this from PyPi.org using your preferred Python package manager.
Example using pip:
pip install cyclonedx-bom
Example using poetry:
poetry add cyclonedx-bom
Usage
Call it via one of these commands:
cyclonedx-py
python3 -m cyclonedx_py
Basic usage
$ cyclonedx-py --help
usage: cyclonedx-py [-h] (-c | -cj | -e | -p | -pip | -r) [-i FILE_PATH]
                    [--format {json,xml}] [--schema-version {1.4,1.3,1.2,1.1,1.0}]
                    [-o FILE_PATH] [-F] [-X]

CycloneDX SBOM Generator

optional arguments:
  -h, --help            show this help message and exit
  -c, --conda           Build a SBOM based on the output from `conda list
                        --explicit` or `conda list --explicit --md5`
  -cj, --conda-json     Build a SBOM based on the output from `conda list
                        --json`
  -e, --e, --environment
                        Build a SBOM based on the packages installed in your
                        current Python environment (default)
  -p, --p, --poetry     Build a SBOM based on a Poetry poetry.lock's contents.
                        Use with -i to specify absolute path to a `poetry.lock`
                        you wish to use, else we'll look for one in the
                        current working directory.
  -pip, --pip           Build a SBOM based on a PipEnv Pipfile.lock's
                        contents. Use with -i to specify absolute path to a
                        `Pipfile.lock` you wish to use, else we'll look for
                        one in the current working directory.
  -r, --r, --requirements
                        Build a SBOM based on a requirements.txt's contents.
                        Use with -i to specify absolute path to a
                        `requirements.txt` you wish to use, else we'll look
                        for one in the current working directory.
  -X                    Enable debug output

Input Method:
  Flags to determine how this tool obtains its input

  -i FILE_PATH, --in-file FILE_PATH
                        File to read input from. Use "-" to read from STDIN.

SBOM Output Configuration:
  Choose the output format and schema version

  --format {json,xml}   The output format for your SBOM (default: xml)
  --schema-version {1.4,1.3,1.2,1.1,1.0}
                        The CycloneDX schema version for your SBOM (default:
                        1.4)
  -o FILE_PATH, --o FILE_PATH, --output FILE_PATH
                        Output file path for your SBOM (set to '-' to output
                        to STDOUT)
  -F, --force           If outputting to a file and the stated file already
                        exists, it will be overwritten.
  -pb, --purl-bom-ref   Use a component's PURL for the bom-ref value, instead
                        of a random UUID
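As an added example (not part of this README or the cyclonedx-bom project), the script below calls cyclonedx-py with the flags shown above to emit a JSON SBOM for a requirements.txt on STDOUT, then summarises the components and reports any that lack a PURL, since the PURL is what downstream vulnerability scanners match on. The `SAMPLE_BOM` document is constructed for offline use, and `build_command`, `summarise_bom` and `generate_sbom` are names chosen for this example.

```python
"""Generate a CycloneDX JSON SBOM with cyclonedx-py and summarise it."""
import json
import subprocess
import sys


def build_command(manifest="requirements.txt", schema="1.4"):
    """Command line using the flags from `cyclonedx-py --help`:
    -r/-i read a requirements.txt, -pb makes bom-ref the PURL,
    -o - writes the document to STDOUT."""
    return ["cyclonedx-py", "-r", "-i", manifest, "--format", "json",
            "--schema-version", schema, "--purl-bom-ref", "-o", "-"]


def summarise_bom(bom_text):
    """Parse CycloneDX JSON; return versions, PURLs and the checks a
    consumer wants: spec version, duplicate bom-refs, components
    without a PURL (those cannot be matched against advisories)."""
    bom = json.loads(bom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    comps = bom.get("components", [])
    refs = [c.get("bom-ref") for c in comps]
    return {
        "spec_version": bom.get("specVersion"),
        "components": {c["name"]: c.get("version") for c in comps},
        "purls": {c["name"]: c.get("purl") for c in comps},
        "duplicate_refs": len(refs) != len(set(refs)),
        "missing_purl": sorted(c["name"] for c in comps if not c.get("purl")),
    }


def generate_sbom(manifest="requirements.txt"):
    """Run the tool and return the SBOM text from STDOUT (raises on failure)."""
    proc = subprocess.run(build_command(manifest), capture_output=True,
                          text=True, check=True)
    return proc.stdout


# Constructed sample in the shape cyclonedx-py emits (schema 1.4, -pb used).
SAMPLE_BOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1", "bom-ref": "pkg:pypi/requests@2.28.1"},
        {"type": "library", "name": "urllib3", "version": "1.26.12",
         "bom-ref": "pkg:pypi/urllib3@1.26.12"}]})

if __name__ == "__main__":
    manifest = sys.argv[1] if len(sys.argv) > 1 else "requirements.txt"
    summary = summarise_bom(generate_sbom(manifest))
    for name, version in sorted(summary["components"].items()):
        print(f"{name}=={version}  {summary['purls'][name]}")
    print("components without PURL:", summary["missing_purl"])
```

Pass an absolute path to the manifest as the first argument, or run it from the project directory to use ./requirements.txt.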
Advanced usage and details
See the full documentation for advanced usage and details on input formats, switches and options.
Python Support
We endeavour to support all functionality for all current actively supported Python versions. However, some features may not be possible/present in older Python versions due to their lack of support.
Contributing
Feel free to open issues, bug reports or pull requests.
See the CONTRIBUTING file for details.
Copyright & License
CycloneDX BOM is Copyright (c) OWASP Foundation. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.