This tutorial illustrates how to create an SBOM for Python projects using the CycloneDX-Python CLI and the Jake CLI. It requires:
- Python 3
- Pip
- Poetry (optional)
- Pipenv (optional)
To install CycloneDX-Python, run:
pip install cyclonedx-bom
or
pipx install cyclonedx-bom
or
poetry add cyclonedx-bom
Verify the installation by running the following in the terminal:
cyclonedx-py --help
The resulting output should be:
usage: cyclonedx-py [-h] [--version] <command> ...
Creates CycloneDX Software Bill of Materials (SBOM) from Python projects and environments.
positional arguments:
<command>
environment
Build an SBOM from Python (virtual) environment
requirements
Build an SBOM from Pip requirements
pipenv Build an SBOM from Pipenv manifest
poetry Build an SBOM from Poetry project
options:
-h, --help show this help message and exit
--version show program's version number and exit
verifying correct installation.
To install Jake, run:
pip install jake
or
poetry add jake
or
pipx install jake
Verify the installation by running the following in the terminal:
jake --help
The resulting output should be:
usage: jake [-h] [-v] [-w] [-X] ...
Put your Python dependencies in a chokehold
optional arguments:
-h, --help show this help message and exit
-v, --version show which version of jake you are running
-w, --warn-only prevents exit with non-zero code when issues have been detected
-X enable debug output
Jake sub-commands:
iq perform a scan backed by Sonatype Nexus Lifecycle
ddt perform a scan backed by OSS Index
sbom generate a CycloneDX software-bill-of-materials (no vulnerabilities)
verifying correct installation
Navigate to the Python project in question.
To create an SBOM with CycloneDX-Python, run one of the following commands:
Creates SBOMs from Python (virtual) environments:
cyclonedx-py environment --of <sbom-output-format (json or xml)> -o <sbom-output-name>.<sbom-output-format>
or, to target a specific virtual environment folder:
cyclonedx-py environment --of <sbom-output-format (json or xml)> -o <sbom-output-name>.<sbom-output-format> 'path/to/venv'
Creates SBOMs from Python requirements.txt files:
cyclonedx-py requirements --of <sbom-output-format (json or xml)> -o <sbom-output-name>.<sbom-output-format> <requirements.txt-file-name>
Creates SBOMs from Poetry projects:
cyclonedx-py poetry --of <sbom-output-format (json or xml)> -o <sbom-output-name>.<sbom-output-format>
Creates SBOMs from Pipenv projects:
cyclonedx-py pipenv --of <sbom-output-format (json or xml)> -o <sbom-output-name>.<sbom-output-format>
To create an SBOM with Jake, run the following command:
jake sbom --output-format <sbom-output-format (json or xml)> -o <sbom-output-name>.<sbom-output-format>
- Tests run on Ubuntu 20.04 and Ubuntu 24.04.
- SBOMs validated using CycloneDX-CLI; both validated successfully.
- Some information, such as the project name, version, and type, appears to be absent from the CycloneDX-Python generated SBOM.
- Some information, such as the project name, version, and type, appears to be absent from the Jake generated SBOM.
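The missing project name, version, and type noted above live in the CycloneDX `metadata.component` object, and a consumer of the SBOM (a vulnerability matcher, an attestation pipeline) needs them to know what the document describes. As an added example, not part of this tutorial or of either tool, the following Python check flags that gap and the related case of components without a `purl`, then fills in the root component after generation; the SBOM it operates on is a constructed sample, not a real PlatformIO Core SBOM.

```python
import json

# Constructed sample: a minimal CycloneDX 1.5 JSON SBOM shaped like
# `cyclonedx-py environment --of json` output, but with metadata.component
# omitted, which is the gap noted in the observations above.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "tools": [{"vendor": "CycloneDX", "name": "cyclonedx-bom"}],
    },
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "click", "version": "8.1.7"},
    ],
})

ROOT_FIELDS = ("name", "version", "type")


def check_sbom(sbom_json: str) -> dict:
    """Summarise an SBOM and list what a downstream consumer would miss."""
    sbom = json.loads(sbom_json)
    findings = []
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    root = sbom.get("metadata", {}).get("component")
    if root is None:
        findings.append("metadata.component (the project itself) is absent")
    else:
        findings += [f"metadata.component.{f} is missing"
                     for f in ROOT_FIELDS if not root.get(f)]
    components = sbom.get("components", [])
    # Without a purl a component cannot be matched reliably against advisories.
    findings += [f"component {c.get('name')} has no purl"
                 for c in components if not c.get("purl")]
    return {"spec_version": sbom.get("specVersion"),
            "component_count": len(components), "findings": findings}


def with_root_component(sbom_json: str, name: str, version: str,
                        ctype: str = "application") -> str:
    """Return the SBOM with metadata.component filled in after generation."""
    sbom = json.loads(sbom_json)
    sbom.setdefault("metadata", {})["component"] = {
        "type": ctype, "name": name, "version": version,
        "bom-ref": f"{name}@{version}"}
    return json.dumps(sbom, indent=2)
```

Run `check_sbom` on the JSON produced by either tool to confirm whether the root component is present before handing the SBOM downstream; `with_root_component` is a post-processing fallback, and the name and version passed to it should come from the project's own metadata.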
This section illustrates CycloneDX JSON SBOMs of the PlatformIO Core codebase, created from CycloneDX-Python and Jake.
- Sonatype-Nexus-Community. (2023). Jake. https://github.com/sonatype-nexus-community/jake
- CycloneDX. (2023). CycloneDX-Python. https://github.com/CycloneDX/cyclonedx-python
- CycloneDX. (2023). cyclonedx-cli. https://github.com/CycloneDX/cyclonedx-cli
- PlatformIO. (n.d.). platformio/platformio-core. https://github.com/platformio/platformio-core