CycloneDX SBOM Generation Tool for Python

This tool generates Software Bill of Materials (SBOM) documents in the OWASP CycloneDX format.

Supported data sources are:

  • Python (virtual) environment

  • Poetry manifest and lockfile

  • Pipenv manifest and lockfile

  • Pip’s requirements file format

  • PDM manifest and lockfile support is not implemented, yet. However, PDM’s Python virtual environments are fully supported. See the docs for an example.

  • Conda as a package manager is no longer supported since version 4. However, conda’s Python environments are fully supported via the methods listed above. See the docs for an example.

Measured against the criteria of the OWASP Software Component Verification Standard (SCVS) for Software Bills of Materials, this tool is capable of producing SBOM documents that almost pass Level 2 (only signing needs to be done externally).

The resulting SBOM documents follow the official specifications and standards, and may carry component properties from the property namespace taxonomies cdx:python, cdx:pipenv and cdx:poetry.
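A downstream consumer of a generated SBOM usually wants two quick checks before feeding it into vulnerability matching: every component carries a purl (without one it cannot be matched against advisory databases), and which of the tool's property namespaces are in use. The following is an added example, not code from this tool; the sample document is constructed inline, and the specific property names under cdx:python and cdx:poetry are assumptions chosen for illustration, not the taxonomy's real entries.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a CycloneDX JSON SBOM. The property
# names (e.g. "cdx:python:package:required-for") are assumed for illustration.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "demo-app"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "properties": [{"name": "cdx:python:package:required-for",
                         "value": "demo-app"}]},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7",
         "properties": [{"name": "cdx:poetry:group", "value": "main"}]},
        # A locally vendored package with no purl: not matchable against
        # vulnerability databases, so it should be flagged.
        {"type": "library", "name": "local-lib", "version": "0.1.0"},
    ],
})

# Property namespaces this tool may emit, per the README above.
KNOWN_NAMESPACES = ("cdx:python", "cdx:pipenv", "cdx:poetry")


def summarize_sbom(text):
    """Parse a CycloneDX JSON SBOM and report purl coverage and property use."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    purls, missing_purl = [], []
    by_namespace = defaultdict(list)
    for comp in doc.get("components", []):
        ident = f"{comp['name']}@{comp.get('version', '?')}"
        if comp.get("purl"):
            purls.append(comp["purl"])
        else:
            missing_purl.append(ident)
        for prop in comp.get("properties", []):
            # Namespace is the first two colon-separated segments, e.g. "cdx:python".
            ns = ":".join(prop["name"].split(":")[:2])
            by_namespace[ns].append((ident, prop["name"], prop["value"]))
    unknown = sorted(ns for ns in by_namespace if ns not in KNOWN_NAMESPACES)
    return {"spec_version": doc.get("specVersion"), "purls": purls,
            "missing_purl": missing_purl, "properties": dict(by_namespace),
            "unknown_namespaces": unknown}


if __name__ == "__main__":
    print(json.dumps(summarize_sbom(SAMPLE_SBOM), indent=2))
```

Running it against a real SBOM produced by this tool (replace SAMPLE_SBOM with the file contents) lists the components that vulnerability scanners will silently skip.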