Python library for generating CycloneDX SBOMs

Related tags

Miscellaneouspythonpython-libraryowasppipbomspdxbill-of-materialssoftware-bill-of-materialspurlpackage-urlsbomcyclonedx
Overview

Python Library for generating CycloneDX

GitHub Workflow Status Python Version Support PyPI Version GitHub license GitHub issues GitHub forks GitHub stars

This CycloneDX module for Python can generate valid CycloneDX bill-of-material document containing an aggregate of all project dependencies.

This module is not designed for standalone use. If you're looking for a CycloneDX tool to run to generate (SBOM) software bill-of-materials documents, why not checkout:

Additionally, the following tool can be used as well (and this library was written to help improve it)

Additionally, you can use this module yourself in your application to programmatically generate SBOMs.

CycloneDX is a lightweight BOM specification that is easily created, human-readable, and simple to parse.

Installation

Install from pypi.org as you would any other Python module:

pip install cyclonedx-python-lib

Architecture

This module break out into three key areas:

  1. Parser: Use a parser that suits your needs to automatically gather information about your environment or application
  2. Model: Internal models used to unify data from different parsers
  3. Output: Choose and configure an output which allows you to define output format as well as the CycloneDX schema version

Parsing

You can use one of the parsers to obtain information about your project or environment. Available parsers:

Parser Class / Import Description
Environment from cyclonedx.parser.environment import EnvironmentParser Looks at the packaged installed in your current Python environment.
PoetryParser from cyclonedx.parser.poetry import PoetryParser Parses poetry.lock content passed in as a string.
PoetryFileParser from cyclonedx.parser.poetry import PoetryFileParser Parses the poetry.lock file at the supplied path.
RequirementsParser from cyclonedx.parser.requirements import RequirementsParser Parses a multiline string that you provide that conforms to the requirements.txt PEP-508 standard.
RequirementsFileParser from cyclonedx.parser.requirements import RequirementsFileParser Parses a file that you provide the path to that conforms to the requirements.txt PEP-508 standard.

Example

from cyclonedx.parser.environment import EnvironmentParser

parser = EnvironmentParser()

Modelling

You can create a BOM Model from either an Parser instance or manually using the methods avaialbel directly on the Bom class.

Example from a Parser

from cyclonedx.model.bom import Bom
from cyclonedx.parser.environment import EnvironmentParser

parser = EnvironmentParser()
bom = Bom.from_parser(parser=parser)

Generating Output

Once you have an instance of a Bom you can produce output in either JSON or XML against any of the supporting CycloneDX schema versions as you require.

We provide two helper methods:

  1. Output to string (for you to do with as you require)
  2. Output directly to a filename you provide
Example as JSON
from cyclonedx.output import get_instance, OutputFormat

outputter = get_instance(bom=bom, output_format=OutputFormat.JSON)
outputter.output_as_string()
Example as XML
from cyclonedx.output import get_instance, SchemaVersion

outputter = get_instance(bom=bom, schema_version=SchemaVersion.V1_2)
outputter.output_to_file(filename='/tmp/sbom-v1.2.xml')

Schema Support

This library is a work in progress and complete support for all parts of the CycloneDX schema will come in future releases.

Here is a summary of the parts of the schema supported by this library:

Note: We refer throughout using XPath, but the same is true for both XML and JSON output formats.

XPath Support v1.3 Support v1.2 Support v1.1 Support v1.0 Notes
/bom Y Y Y Y This is the root element and is supported with all it's defined attributes.
/bom/metadata Y Y N/A N/A Only timestamp is currently supported
/bom/components Y Y Y Y  
/bom/components/component
./author Y Y N/A N/A  
./name Y Y Y Y  
./version Y Y Y Y  
./purl Y Y Y Y  

Notes on Schema Support

  1. N/A is where the CycloneDX standard does not include this
  2. If the table above does not refer to an element, it is not currently supported

Python Support

We endeavour to support all functionality for all current actively supported Python versions. However, some features may not be possible/present in older Python versions due to their lack of support.

Changelog

See our CHANGELOG.

Copyright & License

CycloneDX Python Lib is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.

Comments
  • Can some of the runtime dependencies be loosened?

    Can some of the runtime dependencies be loosened?

    Thanks for this!

    I know poetry makes it easy lock every little thing down, and it makes testing easier, higher assurance, yadda yadda, but practically, it's quite inflexible when the effective ranges are very small... and on a self-declared lib to boot.

    Specifically, hooray for declaring a setuptools dependency: so many pkgutils-using packages forget to.

    However the size of the range covered by setuptools ^50.3.2 makes it relatively hard to appease (as in: exactly 1 version).

    Selfishly, this is blocking me downstream in packaging this and ultimately jake 1.x for conda-forge.

    The same goes for importlib_metadata which unfortunately gets pinned in a number of packages, and seems to change a lot for a backport package.

    Anyhow: would the maintainers be open to a PR that:

    • loosened the range of e.g. setuptools to be something more like >=50.3.2,<59
    • added a CI test excursion for the lowest and highest bound

    In the meantime, I may try patching the pin over on conda-forge and running the full test suite...

    enhancement dependencies 
    opened by bollwyvl 23
  • 2.5.0 regression: `SortedSet` assumes comparability of members, but `Vulnerability` model is not comparable

    2.5.0 regression: `SortedSet` assumes comparability of members, but `Vulnerability` model is not comparable

    Hi there! Thanks a ton for this library.

    We currently use it to generate SBOMs in pip-audit, and I noticed an interested regression upon upgrading to 2.5.0: it looks like Component.add_vulnerability attempts to add the underlying Vulnerability model to a SortedSet, which in turn fails because Vulnerability doesn't appear to implement the standard comparable operators (e.g. __lt__).

    Here's the failing code on our side, which worked in 2.4.0:

            for (dep, vulns) in result.items():
            if dep.is_skipped():
                continue
            dep = cast(service.ResolvedDependency, dep)

            c = Component(name=dep.name, version=str(dep.version))
            for vuln in vulns:
                c.add_vulnerability(
                    Vulnerability(
                        id=vuln.id,
                        description=vuln.description,
                        recommendation="Upgrade",
                    )
                )

            self._components.append(c)

    and the failing CI tests on 2.5.0: https://github.com/trailofbits/pip-audit/runs/6832431942?check_suite_focus=true

    In my estimation, this looks like a bug/regression, rather than a SemVer breakage -- the Vulnerability model also comes from CycloneDX, so it probably should have been made comparable at the same time that comparability was assumed by introducing SortedSet.

    xref https://github.com/trailofbits/pip-audit/pull/292

    opened by woodruffw 17
  • [FEATURE] Support for version 1.4 schema

    [FEATURE] Support for version 1.4 schema

    Creating issue to track adoption of the forthcoming version 1.4 schema specification for CycloneDX.

    Preview work can be seen here, but this IS NOT FINAL.

    Current estimates are that version 1.4 will be finalised late 2021, early 2022.

    enhancement schema 1.4 
    opened by madpah 14
  • feat: use `SortedSet` in model to improve reproducibility

    feat: use `SortedSet` in model to improve reproducibility

    Added __lt__() to all model classes used in SortedSet, with tests Explicitly declared Enums as (str, Enum) to allow sorting Added dependency to sortedcollections package Added ComparableTuple to make sorting compound objects easier

    Signed-off-by: Rodney Richardson [email protected]

    opened by RodneyRichardson 11
  • [BUG] Nested Components or Services breaks BOM validation

    [BUG] Nested Components or Services breaks BOM validation

    The schema documents suggest that components can be nested inside other components (i.e. for/with hierarchical merging).

    Hoewever, if I try to generate such a bom an exception is raised in the validate method here: https://github.com/CycloneDX/cyclonedx-python-lib/blob/6e12be70fb2a71de60428155b4d0ae82fa43ef2d/cyclonedx/model/bom.py#L384 The reason for that is, because nested bom_refs underneath other components are not found by the implementation inside validate.

    Am I misunderstanding the schema or is this missing from the validation?

    bug 
    opened by peschuster 9
  • [FEATURE] option to generate reproducible output

    [FEATURE] option to generate reproducible output

    I would like the tool to create exactly the same output if I run it on the same (Pipfile.lock) input file twice. This would make it easier to detect changes over time.

    There are several places where the outputs differ:

    1. The bom-ref is a GUID, newly generated on each run. This could be the purl (as cyclonedx-dotnet appears to do).
    2. The order of externalReferences is not maintained.
    3. The order of components/libraries is not maintained.
    enhancement 
    opened by RodneyRichardson 9
  • feat(deps): remove unused `typing-extensions` constraints

    feat(deps): remove unused `typing-extensions` constraints

    To be able to use new types, which will be introduced in Python 3.11, the package version shouldn't be pinned to 3.10.x and the package can be installed with any Python version, because you can't know, what the user will use. Here is the official explanation on version pinning

    Starting with version 4.0.0, typing_extensions uses Semantic Versioning. The major version is incremented for all backwards-incompatible changes. Therefore, it’s safe to depend on typing_extensions like this: typing_extensions >=x.y, <(x+1), where x.y is the first version that includes all features you need.

    opened by gruebel 9
  • fix: type hint for get_component_by_purl is incorrect

    fix: type hint for get_component_by_purl is incorrect

    Signed-off-by: gruebel [email protected]

    • adjusted the type hint for get_component_by_purl and added a test for it πŸ™‚
    • changed the list/filter expression to use a list comprehension, which is almost 2x faster in this case πŸš€
    bug 
    opened by gruebel 8
  • [FEATURE] SPDX License factory

    [FEATURE] SPDX License factory

    have a license factory, a thing that i feed a string and that returns the appropriate license model: expression, named license, spdx license.

    required for

    • https://github.com/CycloneDX/cyclonedx-python/discussions/377
    • https://github.com/CycloneDX/cyclonedx-python/issues/378

    as a contrast implementation of https://github.com/CycloneDX/cyclonedx-python/pull/410

    solution ala

    • https://github.com/CycloneDX/cyclonedx-javascript-library/blob/main/src/factories/license.ts
    • https://github.com/CycloneDX/cyclonedx-php-library/blob/master/src/Core/Factories/LicenseFactory.php
    enhancement 
    opened by jkowalleck 7
  • Documentation is failing to build and publish since #93 was merged

    Documentation is failing to build and publish since #93 was merged

    See https://github.com/CycloneDX/cyclonedx-python-lib/runs/4595932920?check_suite_focus=true.

    This appears to be the case since #93 was merged.

    FYI: @jkowalleck

    documentation CI 
    opened by madpah 7
  • feat: add option to assign a UUID in `BOM` constructor

    feat: add option to assign a UUID in `BOM` constructor

    Mainly the BOM receives a newly generated uuid assigned on the fly. This is basically a fix to enable passing an optional parameter within the constructor to be used as the uuid.

    enhancement 
    opened by hakandilek 6
  • chore(deps): bump Gr1N/setup-poetry from 7 to 8

    chore(deps): bump Gr1N/setup-poetry from 7 to 8

    Bumps Gr1N/setup-poetry from 7 to 8.

    Release notes

    Sourced from Gr1N/setup-poetry's releases.

    v8

    • Action updated to use Node 16
    • Support for Python 3.10 and 3.11
    • Breaking Change, removed support for Python 3.6
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 0
  • feat: add support for python 3.11

    feat: add support for python 3.11

    the library supports python 3.11 in general.

    • [ ] add py 311 support to tox
    • [ ] add py 311 support to GH workflows
    • [ ] add py 311 support to trove classifiers
    documentation enhancement CI CT 
    opened by jkowalleck 0
  • chore(deps): bump relekang/python-semantic-release from 7.31.2 to 7.32.2

    chore(deps): bump relekang/python-semantic-release from 7.31.2 to 7.32.2

    Bumps relekang/python-semantic-release from 7.31.2 to 7.32.2.

    Release notes

    Sourced from relekang/python-semantic-release's releases.

    v7.32.2

    Fix

    • Fix changelog generation in tag-mode (#171) (482a62e)

    Documentation

    v7.32.1

    Fix

    • Corrections for deprecation warnings (#505) (d47afb6)

    Documentation

    v7.32.0

    Feature

    • Add setting for enforcing textual changelog sections (#502) (988437d)

    Documentation

    • Correct documented default behaviour for commit_version_number (#497) (ffae2dc)

    v7.31.4

    Fix

    • Account for trailing newlines in commit messages (#495) (111b151)

    v7.31.3

    Fix

    • Use commit_subject when searching for release commits (#488) (3849ed9)
    Changelog

    Sourced from relekang/python-semantic-release's changelog.

    v7.32.2 (2022-10-22)

    Fix

    • Fix changelog generation in tag-mode (#171) (482a62e)

    Documentation

    v7.32.1 (2022-10-07)

    Fix

    • Corrections for deprecation warnings (#505) (d47afb6)

    Documentation

    v7.32.0 (2022-09-25)

    Feature

    • Add setting for enforcing textual changelog sections (#502) (988437d)

    Documentation

    • Correct documented default behaviour for commit_version_number (#497) (ffae2dc)

    v7.31.4 (2022-08-23)

    Fix

    • Account for trailing newlines in commit messages (#495) (111b151)

    v7.31.3 (2022-08-22)

    Fix

    • Use commit_subject when searching for release commits (#488) (3849ed9)
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 0
  • The resolves entries of a Patch object are not serialized to XML

    The resolves entries of a Patch object are not serialized to XML

    When a BOM is created that has Patch objects with a non empty resolves property, the Issues are ignored and do not appear in the output.

    The resolves property stored in a ReleaseNote object is already correctly serialized, so it is just a matter of some code reuse.

    See: https://github.com/CycloneDX/cyclonedx-python-lib/pull/312 for a patch and test.

    opened by schlenk 0
Releases(v3.1.1)
Owner
CycloneDX SBOM Standard
CycloneDX is a lightweight Software Bill of Materials (SBOM) standard, purpose-built for cybersecurity use cases. CycloneDX is a OWASP Flagship Project.
CycloneDX SBOM Standard
GitHub Repository https://cyclonedx.org/
γ€ŒπŸ“–γ€Tool created to extract metadata from a domain

Metafind is an OSINT tool created with the aim of automating the search for metadata of a particular domain from the search engine known as Google.

9 Dec 28, 2022
It is a personal assistant chatbot, capable to perform many tasks same as Google Assistant plus more extra features...

PersonalAssistant It is an Personal Assistant, capable to perform many tasks with some unique features, that you haven'e seen yet.... Features / Tasks

Roshan Kumar 95 Dec 21, 2022
A Curated Collection of Awesome Python Scripts

A Curated Collection of Awesome Python Scripts that will make you go wow. This repository will help you in getting those green squares. Hop in and enjoy the journey of open source. πŸš€

Prathima Kadari 248 Dec 31, 2022
VCC-Generator is a python script that generate VCC for testing purposes only

VCC-Generator is a python script that generate VCC for testing purposes only

Spider Anongreyhat 10 Oct 23, 2022
All Assignments , Test , Quizzes and Exams with solutions from NIT Patna B.Tech CSE 5th Semester.

A 🌟 to repo would be delightful, just do it βœ”οΈ it is inexpensive. All Assignments , Quizzes and Exam papers at one place with clean and elegant solut

LakhanKumawat ᡖ⁺ 16 Dec 05, 2022
Bad Apple printed out on the console with Python!

bad-apple Bad Apple printed out on the console with Python! Preface A word of disclaimer, while the final code is somewhat original, this project is a

CalvinLoke 186 Dec 01, 2022
DSG - Source code for Digital Scholarship Grant project.

DSG Source code for Dr. Stephanie Tsang's Digital Scholarship Grant project. Work performed by Mr. Wang Minghao while as her Research Assistant. The s

1 Jan 04, 2022
Bionic is Python Framework for crafting beautiful, fast user experiences for web and is free and open source.

Bionic is Python Framework for crafting beautiful, fast user experiences for web and is free and open source. Getting Started This is an example of ho

14 Apr 10, 2022
A python script to get your activity

activities A python script to get your activity Not complete Requirements Python (=3.7) Pip (for python = 3.7) Git Pip packages psutil asyncio aioht

StarNumber 3 Nov 07, 2021
A simple calculator made with tkinter.

Simple Calculator A simple calculator made with tkinter. Requirements None, only you need to have windows πŸ˜‰ ...Enjoy! Installation Clone this reposit

Abhyush 2 Jan 11, 2022
A python program for rick rolling people.

Rickware A python program for rick rolling people. (And annoying them too) What is rick roll? Read this wikipedia article - Rickrolling About program

2 Jan 18, 2022
This is a working model for which I have used python.

Jarvis_voiceAssistance This is a working model for which I have used python. This model can: 1)Play a video or song on youtube. 2)Tell us time. 3)Tell

Hardik Jain 1 Jan 30, 2022
Paprika is a python library that reduces boilerplate. Heavily inspired by Project Lombok.

Image courtesy of Anna Quaglia (Photographer) Paprika Paprika is a python library that reduces boilerplate. It is heavily inspired by Project Lombok.

Rayan Hatout 55 Dec 26, 2022
Easy, clean, reliable Python 2/3 compatibility

Overview: Easy, clean, reliable Python 2/3 compatibility python-future is the missing compatibility layer between Python 2 and Python 3. It allows you

Python Charmers 1.2k Jan 08, 2023
Ultimate Score Server for RealistikOsu

USSR Ultimate Score Server for RealistikOsu (well not just us but it makes the acronym work.) Also I wonder how long this name will last. What is this

RealistikOsu! 15 Dec 14, 2022
The most widely used Python to C compiler

Welcome to Cython! Cython is a language that makes writing C extensions for Python as easy as Python itself. Cython is based on Pyrex, but supports mo

7.6k Jan 03, 2023
An Embedded Linux Project Build and Compile Tool -- An Bitbake UI Extension

Dianshao - An Embedded Linux Project Build and Compile Tool

0 Mar 27, 2022
Python library for the analysis of dynamic measurements

Python library for the analysis of dynamic measurements The goal of this library is to provide a starting point for users in metrology and related are

Physikalisch-Technische Bundesanstalt - Department 9.4 'Metrology for the digital Transformation' 18 Dec 21, 2022
Mpis-ex7 - Implementation of tasks 1, 2, 3 for Metody Probabilistyczne i Statystyka Lista 7

Implementations of task 1, 2 and 3 from here Author: Maciej Bazela Index: 261743 Each task was implemented in Python 3. I've used Cython to speed up e

Maciej Bazela 1 Feb 27, 2022
Modelling the 30 salamander problem from `Pure Mathematics` by Martin Liebeck

Salamanders on an island The Problem From A Concise Introduction to Pure Mathematics By Martin Liebeck Critic Ivor Smallbrain is watching the horror m

Faisal Jina 1 Jul 10, 2022