CycloneDX SBOM Generation Tool for Python
This tool generates Software Bill of Materials (SBOM) documents in the OWASP CycloneDX format.
Supported data sources are:
Python (virtual) environment
Poetry manifest and lockfile
Pipenv manifest and lockfile
Pip’s requirements file format
PDM manifest and lockfile support is not implemented yet. However, PDM’s Python virtual environments are fully supported. See the docs for an example.
Conda as a package manager is no longer supported since version 4. However, conda’s Python environments are fully supported via the methods listed above. See the docs for an example.
Measured against the criteria of the OWASP Software Component Verification Standard (SCVS) for Software Bill of Materials, this tool produces SBOM documents that almost meet Level 2; only the signing of the SBOM has to be done externally.
The resulting SBOM documents follow the official specifications and standards, and may carry properties from the CycloneDX property namespace taxonomies cdx:python, cdx:pipenv and cdx:poetry.
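The following is an added example, not code from this project, showing what a consumer does with an SBOM of the kind this tool emits: parse the CycloneDX JSON document, flag components that lack the identity and integrity fields (bom-ref, version, purl, hashes) that SCVS-style review and downstream vulnerability matching depend on, collect the properties under a given namespace such as cdx:python, and build a purl index. The embedded BOM is a constructed sample in the CycloneDX 1.5 JSON shape; the hash value is a placeholder and the property names under cdx:python are illustrative, not real taxonomy entries.

```python
"""Inspect a CycloneDX JSON SBOM for the fields an SCVS-style review expects."""
from __future__ import annotations

import json
from collections import defaultdict

# Constructed sample input (not real tool output). The digest is a placeholder
# and the cdx:python property names are illustrative, not taxonomy entries.
PLACEHOLDER_SHA256 = "0" * 64

SAMPLE_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {"type": "application", "name": "my-app", "version": "1.0.0"},
    },
    "components": [
        {
            "type": "library", "name": "requests", "version": "2.31.0",
            "bom-ref": "requests==2.31.0", "purl": "pkg:pypi/requests@2.31.0",
            "hashes": [{"alg": "SHA-256", "content": PLACEHOLDER_SHA256}],
            "properties": [{"name": "cdx:python:example:required-by", "value": "my-app"}],
        },
        {
            # No hashes: identity is present but integrity cannot be verified.
            "type": "library", "name": "urllib3", "version": "2.0.7",
            "bom-ref": "urllib3==2.0.7", "purl": "pkg:pypi/urllib3@2.0.7",
            "properties": [{"name": "cdx:python:example:required-by", "value": "requests"}],
        },
        {
            # A local, unversioned package: no purl, so no vulnerability matching.
            "type": "library", "name": "localpkg", "bom-ref": "localpkg",
        },
    ],
})

# Fields a downstream consumer needs to identify and verify a component.
REQUIRED_KEYS = ("bom-ref", "name", "version", "purl")


def load_bom(text: str) -> dict:
    """Parse a CycloneDX JSON document and reject anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if "specVersion" not in bom:
        raise ValueError("missing specVersion")
    return bom


def audit_components(bom: dict) -> dict[str, list[str]]:
    """Return {component label: [missing fields]} for components lacking
    identity (bom-ref, name, version, purl) or integrity (hashes) data."""
    findings: dict[str, list[str]] = {}
    for comp in bom.get("components", []):
        label = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        missing = [key for key in REQUIRED_KEYS if not comp.get(key)]
        if not comp.get("hashes"):
            missing.append("hashes")
        if missing:
            findings[label] = missing
    return findings


def properties_by_namespace(bom: dict, namespace: str) -> dict[str, dict[str, str]]:
    """Collect per component the properties whose name falls under a namespace
    taxonomy, e.g. 'cdx:python' (a prefix match on 'cdx:python:')."""
    prefix = namespace.rstrip(":") + ":"
    out: dict[str, dict[str, str]] = defaultdict(dict)
    for comp in bom.get("components", []):
        label = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        for prop in comp.get("properties", []):
            if prop.get("name", "").startswith(prefix):
                out[label][prop["name"]] = prop.get("value", "")
    return dict(out)


def purl_index(bom: dict) -> dict[str, dict]:
    """Map purl -> component so the SBOM can be joined against a vulnerability
    feed keyed by package URL; components without a purl are simply absent."""
    return {c["purl"]: c for c in bom.get("components", []) if c.get("purl")}


if __name__ == "__main__":
    bom = load_bom(SAMPLE_BOM_JSON)
    print("components missing fields:", json.dumps(audit_components(bom), indent=2))
    print("cdx:python properties:", json.dumps(properties_by_namespace(bom, "cdx:python"), indent=2))
    print("purls:", sorted(purl_index(bom)))
```

Replace SAMPLE_BOM_JSON with the contents of a BOM file written by the tool in JSON format; the audit then tells you which components are unusable for vulnerability matching (no purl) or unverifiable (no hashes) before the document is signed and published.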