{"id":20617841,"url":"https://github.com/cyclonedx/cyclonedx-python","last_synced_at":"2025-05-16T08:05:37.138Z","repository":{"id":33380140,"uuid":"157659206","full_name":"CycloneDX/cyclonedx-python","owner":"CycloneDX","description":"CycloneDX Software Bill of Materials (SBOM) generator for Python projects and environments","archived":false,"fork":false,"pushed_at":"2025-05-12T10:37:49.000Z","size":4072,"stargazers_count":281,"open_issues_count":21,"forks_count":75,"subscribers_count":12,"default_branch":"main","last_synced_at":"2025-05-12T10:46:05.215Z","etag":null,"topics":["bill-of-materials","bom","conda","cyclonedx","environment","hacktoberfest","owasp","package-url","pip","poetry","purl","python","python3","requirements","sbom","sbom-generator","sbom-tool","software-bill-of-materials","spdx"],"latest_commit_sha":null,"homepage":"https://cyclonedx.org","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CycloneDX.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":"docs/support.rst","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"custom":["https://owasp.org/donate/?reponame=www-project-cyclonedx\u0026title=OWASP+CycloneDX"]}},"created_at":"2018-11-15T05:53:33.000Z","updated_at":"2025-05-12T10:37:52.000Z","dependencies_parsed_at":"2023-10-25T16:51:47.431Z","dependency_job_id":"b3d31cdf-32e7-45db-81a7-a921cf0d3364","html_url":"https://github.com/CycloneDX/cyclonedx-python","commit_stats":{"total_commits":438,"total_committers":37,"mean_commits":"11.837837837837839","dds":0.8242009132420092,"last_synced_commit":"0181aeb40a23c312d2a2540d106269bb0413cf4c"},"previous_names":[],"tags_count":101,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-python","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-python/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-python/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-python/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CycloneDX","download_url":"https://codeload.github.com/CycloneDX/cyclonedx-python/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254493378,"owners_count":22080126,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bill-of-materials","bom","conda","cyclonedx","environment","hacktoberfest","owasp","package-url","pip","poetry","purl","python","python3","requirements","sbom","sbom-generator","sbom-tool","software-bill-of-materials","spdx"],"created_at":"2024-11-16T12:06:09.867Z","updated_at":"2025-05-16T08:05:32.128Z","avatar_url":"https://github.com/CycloneDX.png","language":"Python","readme":"# CycloneDX Python SBOM Generation Tool\n\n[![shield_pypi-version]][link_pypi]\n[![shield_docker-version]][link_docker]\n[![shield_rtfd]][link_rtfd]\n[![shield_gh-workflow-test]][link_gh-workflow-test]\n[![shield_coverage]][link_codacy]\n[![shield_ossf-best-practices]][link_ossf-best-practices]\n[![shield_license]][license_file]  \n[![shield_website]][link_website]\n[![shield_slack]][link_slack]\n[![shield_groups]][link_discussion]\n[![shield_twitter-follow]][link_twitter]\n\n----\n\nThis tool generates Software Bill of Materials (SBOM) documents in OWASP [CycloneDX](https://cyclonedx.org/) format.  \nThis is probably the most accurate, complete SBOM generator for Python-related projects.\n\nSupported data sources are:\n* Python (virtual) environment\n* `Poetry` manifest and lockfile\n* `Pipenv` manifest and lockfile\n* Pip's `requirements.txt` format\n* `PDM` manifest and lockfile are not explicitly supported.  \n  However, PDM's Python virtual environments are fully supported. See the docs for an example.\n* `uv` manifest and lockfile are not explicitly supported.  \n  However, uv's Python virtual environments are fully supported. See the docs for an example.\n* `Conda` as a package manager is no longer supported since version 4.  \n  However, conda's Python environments are fully supported via the methods listed above. See the docs for an example.\n\nBased on [OWASP Software Component Verification Standard for Software Bill of Materials](https://scvs.owasp.org/scvs/v2-software-bill-of-materials/)'\ncriteria, this tool is capable of producing SBOM documents almost passing Level-2 (only signing needs to be done externally).\n\nThe resulting SBOM documents follow [official specifications and standards](https://github.com/CycloneDX/specification),\nand might have properties following\n[`cdx:python` Namespace Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/python.md),\n[`cdx:pipenv` Namespace Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/pipenv.md),\n[`cdx:poetry` Namespace Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/poetry.md).\n\nRead the full [documentation][link_rtfd] for more details.\n\n## Requirements\n\n* Python `\u003e=3.8,\u003c4`\n\nHowever, there are older versions of this tool available, which\nsupport Python `\u003e=2.7`.\n\n## Installation\n\nInstall this from [Python Package Index (PyPI)][link_pypi] using your preferred Python package manager.\n\nInstall via one of these commands:\n\n```shell\npython -m pip install cyclonedx-bom   # install via pip\npipx install cyclonedx-bom            # install via pipx\npoetry add cyclonedx-bom              # install via poetry\nuv tool install cyclonedx-bom         # install via uv\n# ... you get the hang\n```\n\n## Usage\n\nCall it via one of these commands:\n\n```shell\ncyclonedx-py             # call script\npython3 -m cyclonedx_py  # call python module CLI\n```\n\n### Basic usage\n\n```shellSession\n$ cyclonedx-py --help\nusage: cyclonedx-py [-h] [--version] \u003ccommand\u003e ...\n\nCreates CycloneDX Software Bill of Materials (SBOM) from Python projects and environments.\n\npositional arguments:\n  \u003ccommand\u003e\n    environment (env, venv)\n                        Build an SBOM from Python (virtual) environment\n    requirements        Build an SBOM from Pip requirements\n    pipenv              Build an SBOM from Pipenv manifest\n    poetry              Build an SBOM from Poetry project\n\noptions:\n  -h, --help            show this help message and exit\n  --version             show program's version number and exit\n```\n\n### Advanced usage and details\n\nSee the full [documentation][link_rtfd] for advanced usage and details on input formats, switches and options.\n\n## Python Support\n\nWe endeavour to support all functionality for all [current actively supported Python versions](https://www.python.org/downloads/).\nHowever, some features may not be possible/present in older Python versions due to their lack of support.\nOlder versions of this tool are available that support `python\u003e=2.7`.\n\n## Internals\n\nThis tool utilizes the [CycloneDX Python library][cyclonedx-library] to generate the actual data structures, and serialize and validate them.  \n\nThis tool does **not** expose any additional _public_ API or symbols - all code is intended to be internal and might change without any notice during version upgrades.\nHowever, the CLI is stable - you might call it programmatically. See the documentation for an example.\n\n## Contributing\n\nFeel free to open issues, bug reports or pull requests.  \nSee the [CONTRIBUTING][contributing_file] file for details, and how to run/set up locally.\n\n## Copyright \u0026 License\n\nCycloneDX BOM is Copyright (c) OWASP Foundation. All Rights Reserved.  \nPermission to modify and redistribute is granted under the terms of the Apache 2.0 license.  \nSee the [LICENSE][license_file] file for the full license.\n\n[license_file]: https://github.com/CycloneDX/cyclonedx-python/blob/main/LICENSE\n[contributing_file]: https://github.com/CycloneDX/cyclonedx-python/blob/main/CONTRIBUTING.md\n[link_rtfd]: https://cyclonedx-bom-tool.readthedocs.io/\n\n[cyclonedx-library]: https://pypi.org/project/cyclonedx-python-lib\n\n[shield_gh-workflow-test]: https://img.shields.io/github/actions/workflow/status/CycloneDX/cyclonedx-python/python.yml?branch=main\u0026logo=GitHub\u0026logoColor=white \"build\"\n[shield_rtfd]: https://img.shields.io/readthedocs/cyclonedx-bom-tool?logo=readthedocs\u0026logoColor=white \"Read the Docs\"\n[shield_pypi-version]: https://img.shields.io/pypi/v/cyclonedx-bom?logo=Python\u0026logoColor=white\u0026label=PyPI \"PyPI\"\n[shield_docker-version]: https://img.shields.io/docker/v/cyclonedx/cyclonedx-python?logo=docker\u0026logoColor=white\u0026label=docker \"docker\"\n[shield_license]: https://img.shields.io/github/license/CycloneDX/cyclonedx-python?logo=open%20source%20initiative\u0026logoColor=white \"license\"\n[shield_website]: https://img.shields.io/badge/https://-cyclonedx.org-blue.svg \"homepage\"\n[shield_slack]: https://img.shields.io/badge/slack-join-blue?logo=Slack\u0026logoColor=white \"slack join\"\n[shield_groups]: https://img.shields.io/badge/discussion-groups.io-blue.svg \"groups discussion\"\n[shield_twitter-follow]: https://img.shields.io/badge/Twitter-follow-blue?logo=Twitter\u0026logoColor=white \"twitter follow\"\n[shield_coverage]: https://img.shields.io/codacy/coverage/682ceda9a1044832a087afb95ae280fe?logo=Codacy\u0026logoColor=white \"test coverage\"\n[shield_ossf-best-practices]: https://img.shields.io/cii/percentage/7957?label=OpenSSF%20best%20practices \"OpenSSF best practices\"\n\n[link_gh-workflow-test]: https://github.com/CycloneDX/cyclonedx-python/actions/workflows/python.yml?query=branch%3Amain\n[link_pypi]: https://pypi.org/project/cyclonedx-bom/\n[link_docker]: https://hub.docker.com/r/cyclonedx/cyclonedx-python\n[link_codacy]: https://app.codacy.com/gh/CycloneDX/cyclonedx-python\n[link_ossf-best-practices]: https://www.bestpractices.dev/projects/7957\n[link_website]: https://cyclonedx.org/\n[link_slack]: https://cyclonedx.org/slack/invite\n[link_discussion]: https://groups.io/g/CycloneDX\n[link_twitter]: https://twitter.com/CycloneDX_Spec\n","funding_links":["https://owasp.org/donate/?reponame=www-project-cyclonedx\u0026title=OWASP+CycloneDX"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyclonedx%2Fcyclonedx-python","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcyclonedx%2Fcyclonedx-python","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyclonedx%2Fcyclonedx-python/lists"}