Usage
Once installed, you can call the tool’s command line interface via the following methods:
cyclonedx-py # call script
python3 -m cyclonedx_py # call python module CLI
The full documentation can be issued by running with --help
:
$ cyclonedx-py --help
usage: cyclonedx-py [-h] [--version] <command> ...
Creates CycloneDX Software Bill of Materials (SBOM) from Python projects and environments.
positional arguments:
<command>
environment Build an SBOM from Python (virtual) environment
requirements Build an SBOM from Pip requirements
pipenv Build an SBOM from Pipenv manifest
poetry Build an SBOM from Poetry project
options:
-h, --help show this help message and exit
--version show program's version number and exit
Example usage: save SBOM in CycloneDX 1.6 XML format, generated from current python environment
cyclonedx-py environment --outfile my-sbom.xml --schema-version 1.6 --output-format XML
For Python (virtual) environment
subcommand: environment
This will produce the most accurate and complete CycloneDX BOM as it analyses the actually installed packages. It will include metadata, licenses, dependency graph, and more in the generated CycloneDX SBOM.
The full documentation can be issued by running with environment --help
:
$ cyclonedx-py environment --help
usage: cyclonedx-py environment [-h] [-v]
[--PEP-639] [--gather-license-texts]
[--short-PURLs] [--output-reproducible]
[--validate | --no-validate]
[-o <file>] [--sv <version>] [--of <format>]
[--pyproject <file>] [--mc-type <type>]
[<python>]
Build an SBOM from Python (virtual) environment
positional arguments:
<python> Python interpreter
options:
-h, --help show this help message and exit
--PEP-639 Enable license gathering according to PEP 639 (improving license clarity with better package metadata).
The behavior may change during the draft development of the PEP.
--gather-license-texts
Enable license text gathering.
--pyproject <file> Path to the root component's `pyproject.toml` file.
This should point to a file compliant with PEP 621 (storing project metadata).
--mc-type <type> Type of the main component
{choices: application, firmware, library}
(default: application)
--short-PURLs Omit all qualifiers from PackageURLs.
This causes information loss in trade-off shorter PURLs, which might improve ingesting these strings.
-o <file>, --outfile <file>
Output file path for your SBOM
(set to "-" to output to STDOUT)
(default: -)
--sv <version>, --schema-version <version>
The CycloneDX schema version for your SBOM
{choices: 1.6, 1.5, 1.4, 1.3, 1.2, 1.1, 1.0}
(default: 1.5)
--of <format>, --output-format <format>
The output format for your SBOM
{choices: JSON, XML}
(default: JSON)
--output-reproducible
Whether to go the extra mile and make the output reproducible.
This might result in loss of time- and random-based-values.
--validate, --no-validate
Whether validate the result before outputting
(default: True)
-v, --verbose Increase the verbosity of messages
(multiple for more effect)
(default: silent)
Examples for macOS/Linux and alike
$ cyclonedx-py environment
$ cyclonedx-py environment '.../some/path/bin/python'
$ cyclonedx-py environment '.../some/path/.venv'
$ cyclonedx-py environment "$VIRTUAL_ENV"
$ cyclonedx-py environment "$(which python3.9)"
$ cyclonedx-py environment "$(conda run which python)"
$ cyclonedx-py environment "$(pipenv --py)"
$ cyclonedx-py environment "$(pipenv --venv)"
$ cyclonedx-py environment "$(poetry env info --executable)"
$ cyclonedx-py environment "$(pdm info --python)"
Examples for Windows
> cyclonedx-py environment
> cyclonedx-py environment "...\some\path\bin\python.exe"
> cyclonedx-py environment "...\some\path\.venv"
> cyclonedx-py environment "$env:VIRTUAL_ENV"
> cyclonedx-py environment %VIRTUAL_ENV%
> where.exe python3.9.exe
> cyclonedx-py environment "%path-to-specific-python%"
> conda.exe run where.exe python
> cyclonedx-py environment "%path-to-conda-python%"
> pipenv.exe --py
> pipenv.exe --venv
> cyclonedx-py environment "%path-to-pipenv-python%"
> poetry.exe env info --executable
> cyclonedx-py environment "%path-to-poetry-python%"
> pdm.exe info --python
> cyclonedx-py environment "%path-to-pdm-python%"
For Pipenv
subcommand: pipenv
Support for Pipenv dependency management.
This requires parsing your Pipfile
and Pipfile.lock
file which details exact pinned versions of dependencies.
The full documentation can be issued by running with pipenv --help
:
$ cyclonedx-py pipenv --help
usage: cyclonedx-py pipenv [-h] [-v]
[--short-PURLs] [--output-reproducible]
[--validate | --no-validate]
[-o <file>] [--sv <version>] [--of <format>]
[--categories <categories>] [-d]
[--pypi-mirror <url>]
[--pyproject <file>] [--mc-type <type>]
[<project-directory>]
Build an SBOM from Pipenv manifest.
The options and switches mimic the respective ones from Pipenv CLI.
positional arguments:
<project-directory> The project directory for Pipenv
(default: current working directory)
Unlike Pipenv tool, there is no search-up in this very tool. Please
provide the actual directory that contains `Pipfile` and `Pipfile.lock` file.
options:
-h, --help show this help message and exit
--categories <categories>
-d, --dev Analyse both develop and default packages
[env var: PIPENV_DEV]
--pypi-mirror <url> Specify a PyPI mirror
[env var: PIPENV_PYPI_MIRROR]
--pyproject <file> Path to the root component's `pyproject.toml` file.
This should point to a file compliant with PEP 621 (storing project metadata).
--mc-type <type> Type of the main component
{choices: application, firmware, library}
(default: application)
--short-PURLs Omit all qualifiers from PackageURLs.
This causes information loss in trade-off shorter PURLs, which might improve ingesting these strings.
-o <file>, --outfile <file>
Output file path for your SBOM
(set to "-" to output to <stdout>)
(default: -)
--sv <version>, --schema-version <version>
The CycloneDX schema version for your SBOM
{choices: 1.6, 1.5, 1.4, 1.3, 1.2, 1.1, 1.0}
(default: 1.5)
--of <format>, --output-format <format>
The output format for your SBOM
{choices: JSON, XML}
(default: JSON)
--output-reproducible
Whether to go the extra mile and make the output reproducible.
This might result in loss of time- and random-based-values.
--validate, --no-validate
Whether validate the result before outputting
(default: True)
-v, --verbose Increase the verbosity of messages
(multiple for more effect)
(default: silent)
For Poetry
subcommand: poetry
Support for Poetry dependency management and package manifest.
This requires parsing your pyproject.toml
and poetry.lock
file which details exact pinned versions of dependencies.
The full documentation can be issued by running with poetry --help
:
$ cyclonedx-py poetry --help
usage: cyclonedx-py poetry [-h] [-v]
[--short-PURLs] [--output-reproducible]
[--validate | --no-validate]
[-o <file>] [--sv <version>] [--of <format>]
[--without GROUPS] [--with GROUPS] [--only <groups> | --no-dev]
[-E EXTRAS | --all-extras]
[--mc-type <type>]
[<project-directory>]
Build an SBOM from Poetry project.
The options and switches mimic the respective ones from Poetry CLI.
positional arguments:
<project-directory> The project directory for Poetry
(default: current working directory)
options:
-h, --help show this help message and exit
--without GROUPS The dependency groups to ignore
(multiple values allowed)
--with GROUPS The optional dependency groups to include
(multiple values allowed)
--only GROUPS The only dependency groups to include
(multiple values allowed)
--no-dev Alias for: --only main
-E EXTRAS, --extras EXTRAS
Extra sets of dependencies to include
(multiple values allowed)
--all-extras Include all extra dependencies
(default: False)
--mc-type <type> Type of the main component
{choices: application, firmware, library}
(default: application)
--short-PURLs Omit all qualifiers from PackageURLs.
This causes information loss in trade-off shorter PURLs, which might improve ingesting these strings.
-o <file>, --outfile <file>
Output file path for your SBOM
(set to "-" to output to <stdout>)
(default: -)
--sv <version>, --schema-version <version>
The CycloneDX schema version for your SBOM
{choices: 1.6, 1.5, 1.4, 1.3, 1.2, 1.1, 1.0}
(default: 1.5)
--of <format>, --output-format <format>
The output format for your SBOM
{choices: JSON, XML}
(default: JSON)
--output-reproducible
Whether to go the extra mile and make the output reproducible.
This might result in loss of time- and random-based-values.
--validate, --no-validate
Whether validate the result before outputting
(default: True)
-v, --verbose Increase the verbosity of messages
(multiple for more effect)
(default: silent)
For Pip requirements
subcommand: requirements
Support for Pip’s requirements file format dependency lists.
The full documentation can be issued by running with requirements --help
:
$ cyclonedx-py requirements --help
usage: cyclonedx-py requirements [-h] [-v]
[--short-PURLs] [--output-reproducible]
[--validate | --no-validate]
[-o <file>] [--sv <version>] [--of <format>]
[-i <url>] [--extra-index-url <url>]
[--pyproject <file>] [--mc-type <type>]
[<requirements-file>]
Build an SBOM from Pip requirements.
The options and switches mimic the respective ones from Pip CLI.
positional arguments:
<requirements-file> Path to requirements file.
May be set to "-" to read from <stdin>.
(default: 'requirements.txt' in current working directory)
options:
-h, --help show this help message and exit
-i <url>, --index-url <url>
Base URL of the Python Package Index.
This should point to a repository compliant with PEP 503 (the simple repository API)
or a local directory laid out in the same format.
(default: https://pypi.org/simple)
--extra-index-url <url>
Extra URLs of package indexes to use in addition to --index-url.
Should follow the same rules as --index-url
--pyproject <file> Path to the root component's `pyproject.toml` file.
This should point to a file compliant with PEP 621 (storing project metadata).
--mc-type <type> Type of the main component
{choices: application, firmware, library}
(default: application)
--short-PURLs Omit all qualifiers from PackageURLs.
This causes information loss in trade-off shorter PURLs, which might improve ingesting these strings.
-o <file>, --outfile <file>
Output file path for your SBOM
(set to "-" to output to <stdout>)
(default: -)
--sv <version>, --schema-version <version>
The CycloneDX schema version for your SBOM
{choices: 1.6, 1.5, 1.4, 1.3, 1.2, 1.1, 1.0}
(default: 1.5)
--of <format>, --output-format <format>
The output format for your SBOM
{choices: JSON, XML}
(default: JSON)
--output-reproducible
Whether to go the extra mile and make the output reproducible.
This might result in loss of time- and random-based-values.
--validate, --no-validate
Whether validate the result before outputting
(default: True)
-v, --verbose Increase the verbosity of messages
(multiple for more effect)
(default: silent)
Example Usage
$ cyclonedx-py requirements requirements-prod.txt
$ cat requirements/*.txt | cyclonedx-py requirements -
$ python -m pip freeze --all | cyclonedx-py requirements -
$ conda run python -m pip freeze --all | cyclonedx-py requirements -
$ .../.venv/bin/python -m pip freeze --all --local --require-virtualenv |\
cyclonedx-py requirements -
$ python -m pip install -r dependencies.txt &&\
python -m pip freeze | cyclonedx-py requirements -
For PDM
Support for PDM manifest and lockfile is not explicitly implemented, yet. See https://github.com/CycloneDX/cyclonedx-python/issues/604
However, since PDM utilizes Python virtual environments under the hood, it is possible to use the functionality for Python (virtual) environments as described above.
For Conda
Conda is a package manager for all kinds on environments.
However, since conda might manage a python environment under the hood, it is possible to use the functionality for Python (virtual) environments as described above.
Programmatic Usage
This tool utilizes the CycloneDX Python library to generate the actual data structures, and serialize and validate them.
This tool does not expose any additional public API or symbols - all code is intended to be internal and might change without any notice during version upgrades.
However, the CLI is stable - you might call it programmatically, like so:
from sys import executable
from subprocess import run
run((executable, '-m', 'cyclonedx_py', '--help'))