SBOMgen

Creating SBOMs from Python Projects

Introduction

This tutorial illustrates how to create an SBOM for Python projects using the CycloneDX-Python CLI and the Jake CLI.

Requirements

Installation

CycloneDX-Python

To install run:

pip install cyclonedx-bom

or

pipx install cyclonedx-bom

or

poetry add cyclonedx-bom

Verify the installation by running in the terminal:

cyclonedx-py --help

The resultant output should be:

usage: cyclonedx-py [-h] [--version] <command> ...

Creates CycloneDX Software Bill of Materials (SBOM) from Python projects and environments.

positional arguments:
  <command>
    environment
                Build an SBOM from Python (virtual) environment
    requirements
                Build an SBOM from Pip requirements
    pipenv      Build an SBOM from Pipenv manifest
    poetry      Build an SBOM from Poetry project

options:
  -h, --help    show this help message and exit
  --version     show program's version number and exit  

This output confirms that the installation is correct.

Jake

To install run:

pip install jake

or

poetry add jake

or

pipx install jake

Verify the installation by running in the terminal:

jake --help

The resultant output should be:

usage: jake [-h] [-v] [-w] [-X]  ...

Put your Python dependencies in a chokehold

optional arguments:
  -h, --help       show this help message and exit
  -v, --version    show which version of jake you are running
  -w, --warn-only  prevents exit with non-zero code when issues have been detected
  -X               enable debug output

Jake sub-commands:
  
    iq             perform a scan backed by Sonatype Nexus Lifecycle
    ddt            perform a scan backed by OSS Index
    sbom           generate a CycloneDX software-bill-of-materials (no vulnerabilities)

This output confirms that the installation is correct.

Usage

Navigate to the Python project in question:

CycloneDX-Python

To create an SBOM, run one of the following commands:

Environment

Creates SBOMs from Python (virtual) environments

cyclonedx-py environment --of <sbom-output-format (json or xml)> -o <sbom-output-name>.<sbom-output-format>

or, if the virtual environment lives in its own folder, pass the path to that folder:

cyclonedx-py environment --of <sbom-output-format (json or xml)> -o <sbom-output-name>.<sbom-output-format> 'path/to/venv'

Requirements.txt

Creates SBOMs from Python requirements.txt files

cyclonedx-py requirements --of <sbom-output-format (json or xml)> -o <sbom-output-name>.<sbom-output-format> <requirements.txt-file-name>

Poetry

Creates SBOMs from Poetry projects

cyclonedx-py poetry --of <sbom-output-format (json or xml)> -o <sbom-output-name>.<sbom-output-format>

Pipenv

Creates SBOMs from Pipenv projects

cyclonedx-py pipenv --of <sbom-output-format (json or xml)> -o <sbom-output-name>.<sbom-output-format>

Jake

To create an SBOM, run the following command:

jake sbom --output-format <sbom-output-format (json or xml)> -o <sbom-output-name>.<sbom-output-format>
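The commands above differ only in which cyclonedx-py subcommand is chosen and which positional argument it needs, so a small wrapper can pick the subcommand from the project layout and assemble the argument list in exactly the form this tutorial uses. The script below is an added example, not code from the SBOMgen page or from the CycloneDX project: the lock-file precedence order and the .venv/venv folder names are its own assumptions, and the output-format spelling follows the "json or xml" form shown above.

```python
"""Pick the cyclonedx-py subcommand that matches a project's layout, build the
argument list in the form used in this tutorial, and optionally run it.

Added example (not part of the SBOMgen page or the CycloneDX project). It assumes
the command-line forms shown above; the lock-file detection order and the
.venv/venv folder names are this script's own conventions, not a cyclonedx-py rule."""
import subprocess
import sys
from pathlib import Path

# Detection order: the most precise source of truth (a lock file) first.
LOCK_FILE_SOURCES = (
    ("poetry.lock", "poetry"),    # -> cyclonedx-py poetry
    ("Pipfile.lock", "pipenv"),   # -> cyclonedx-py pipenv
)
VENV_DIRS = (".venv", "venv")     # assumed folder names for a local virtual environment


def choose_source(present: set[str]) -> tuple[str, list[str]]:
    """Map the set of marker paths present in a project (relative, '/'-separated)
    to a cyclonedx-py subcommand plus its positional argument(s)."""
    for lock_file, subcommand in LOCK_FILE_SOURCES:
        if lock_file in present:
            return subcommand, []
    if "requirements.txt" in present:
        return "requirements", ["requirements.txt"]
    for venv in VENV_DIRS:
        if f"{venv}/pyvenv.cfg" in present:   # pyvenv.cfg marks a real venv folder
            return "environment", [venv]
    return "environment", []                  # fall back to the active interpreter


def scan_project(project: Path) -> set[str]:
    """Collect only the marker paths choose_source cares about."""
    candidates = [lock for lock, _ in LOCK_FILE_SOURCES] + ["requirements.txt"]
    candidates += [f"{venv}/pyvenv.cfg" for venv in VENV_DIRS]
    return {c for c in candidates if (project / c).is_file()}


def build_argv(subcommand: str, positional: list[str],
               output_format: str = "json", output_name: str = "sbom") -> list[str]:
    """Assemble: cyclonedx-py <sub> --of <fmt> -o <name>.<fmt> [positional...]"""
    fmt = output_format.lower()
    if fmt not in ("json", "xml"):
        raise ValueError(f"unsupported output format: {output_format!r}")
    return ["cyclonedx-py", subcommand, "--of", fmt, "-o", f"{output_name}.{fmt}", *positional]


def generate_sbom(project: Path, output_format: str = "json", output_name: str = "sbom") -> Path:
    """Run cyclonedx-py inside the project directory and return the SBOM path."""
    subcommand, positional = choose_source(scan_project(project))
    argv = build_argv(subcommand, positional, output_format, output_name)
    subprocess.run(argv, cwd=project, check=True)   # raises CalledProcessError on failure
    return project / f"{output_name}.{output_format.lower()}"


if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".").resolve()
    print("wrote", generate_sbom(target))
```

Run it as `python make_sbom.py path/to/project`; a project with both a poetry.lock and a requirements.txt is treated as a Poetry project because the lock file pins exact versions, which is what you want recorded in an SBOM.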

Notes

CycloneDX-Python

Jake

Example SBOM

This section illustrates CycloneDX JSON SBOMs of the PlatformIO Core codebase, created with CycloneDX-Python and with Jake.
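Two tools scanning the same project rarely produce identical component lists, so before trusting either SBOM it is worth checking the basic CycloneDX fields and diffing the two by normalized package name. The script below is an added example, not code from the SBOMgen page or from either tool; the two embedded SBOMs are constructed by hand to resemble cyclonedx-py and jake output and are not the real PlatformIO Core dependency list (package names and versions are illustrative only).

```python
"""Validate a CycloneDX JSON SBOM and diff the component lists of two of them.

Added example (not part of the SBOMgen page, cyclonedx-py or jake). The two SBOMs
below are constructed samples, not real PlatformIO Core output."""
import json
import re

# Constructed sample: roughly what a cyclonedx-py environment scan emits (abridged).
CDX_PY_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"tools": [{"vendor": "CycloneDX", "name": "cyclonedx-bom"}]},
    "components": [
        {"type": "library", "name": "click", "version": "8.1.7", "purl": "pkg:pypi/click@8.1.7"},
        {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "semantic_version", "version": "2.10.0",
         "purl": "pkg:pypi/semantic-version@2.10.0"},
        {"type": "library", "name": "urllib3", "version": "2.2.1", "purl": "pkg:pypi/urllib3@2.2.1"},
    ],
}

# Constructed sample: a jake sbom of the "same" environment, deliberately differing
# in one extra package, one missing package, one version and one missing purl.
JAKE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"tools": [{"vendor": "Sonatype", "name": "jake"}]},
    "components": [
        {"type": "library", "name": "charset-normalizer", "version": "3.3.2",
         "purl": "pkg:pypi/charset-normalizer@3.3.2"},
        {"type": "library", "name": "click", "version": "8.1.7", "purl": "pkg:pypi/click@8.1.7"},
        {"type": "library", "name": "requests", "version": "2.31.0"},
        {"type": "library", "name": "semantic-version", "version": "2.8.2",
         "purl": "pkg:pypi/semantic-version@2.8.2"},
    ],
}


def normalize_name(name: str) -> str:
    """PEP 503 normalization so 'Semantic_Version' and 'semantic-version' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def validate_sbom(sbom: dict) -> list[str]:
    """Return a list of human-readable problems; an empty list means the SBOM passed."""
    issues = []
    if sbom.get("bomFormat") != "CycloneDX":
        issues.append("bomFormat is not CycloneDX")
    if not sbom.get("specVersion"):
        issues.append("specVersion missing")
    components = sbom.get("components")
    if not isinstance(components, list):
        return issues + ["components missing or not a list"]
    for i, comp in enumerate(components):
        label = comp.get("name") or f"component[{i}]"
        if not comp.get("name"):
            issues.append(f"{label}: missing name")
        if not comp.get("version"):
            issues.append(f"{label}: missing version")
        purl = comp.get("purl")
        if not purl:
            issues.append(f"{label}: missing purl")        # purl is what scanners match on
        elif not purl.startswith("pkg:pypi/"):
            issues.append(f"{label}: unexpected purl {purl}")
    return issues


def component_versions(sbom: dict) -> dict[str, str]:
    """Map normalized package name -> version for every named component."""
    out = {}
    for comp in sbom.get("components", []):
        if comp.get("name"):
            out[normalize_name(comp["name"])] = comp.get("version", "")
    return out


def diff_sboms(a: dict, b: dict) -> dict:
    """Packages only in a, only in b, and those present in both with different versions."""
    va, vb = component_versions(a), component_versions(b)
    shared = sorted(set(va) & set(vb))
    return {
        "only_in_a": sorted(set(va) - set(vb)),
        "only_in_b": sorted(set(vb) - set(va)),
        "version_mismatch": {n: (va[n], vb[n]) for n in shared if va[n] != vb[n]},
    }


def load_sbom(path: str) -> dict:
    """Read a CycloneDX JSON file produced by either tool."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for label, sbom in (("cyclonedx-py", CDX_PY_SBOM), ("jake", JAKE_SBOM)):
        print(label, "issues:", validate_sbom(sbom) or "none")
    print(json.dumps(diff_sboms(CDX_PY_SBOM, JAKE_SBOM), indent=2))
```

On real output replace the two constants with `load_sbom("platformio-cdx.json")` and `load_sbom("platformio-jake.json")`; a non-empty `only_in_*` list usually means one tool walked the installed environment while the other read a manifest, and a missing purl is worth fixing because downstream vulnerability matching keys on it.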

Pretty JSON Display

PlatformIO-Core (CycloneDX-Python)

PlatformIO-Core (Jake)

References