Open
38 commits
1696779
Split out pip compile format options into new enum
thomasschafer Sep 22, 2025
4d0ef5f
Add CDX export format with empty JSON export
thomasschafer Sep 22, 2025
8f92ae2
Export CDX with CDX metadata
snyk-will Sep 23, 2025
2c9c89b
Add CDX initial metadata and component list
snyk-will Sep 23, 2025
d77cd48
Add test for basic CDX export
snyk-will Sep 23, 2025
16417d0
Add tooling metadata field
snyk-will Sep 23, 2025
4366a78
Add dependency tree to CDX output
snyk-will Sep 24, 2025
27cd96f
Tidy up dependency building and imports
thomasschafer Sep 24, 2025
c93a561
Add tests for git deps and no deps
thomasschafer Sep 24, 2025
39dcf14
Update docs
thomasschafer Sep 24, 2025
b4e7f12
Add workspace information
thomasschafer Oct 15, 2025
6c104db
Fix linting errors
thomasschafer Sep 24, 2025
9c1d8e5
Update component lookup
thomasschafer Oct 16, 2025
035a2b6
Move PipCompileFormat into export_format.rs
thomasschafer Sep 25, 2025
d4713d7
Add markers
thomasschafer Oct 16, 2025
47d1e8c
Update comments and return &str for package name
thomasschafer Sep 25, 2025
1463244
Replace python:environment_marker with uv:marker
thomasschafer Oct 17, 2025
6b5b0a9
Add purl encoding
thomasschafer Sep 29, 2025
7ec589f
More fixes to properties
thomasschafer Oct 19, 2025
aeee5f0
Add more tests
thomasschafer Sep 29, 2025
1468a3c
Merge pull request #5 from thomasschafer/sbom-export-support-2
thomasschafer Oct 27, 2025
a2bdaab
Guard sbom export behind preview flag
thomasschafer Oct 27, 2025
3076292
docs: uv export documentation
snyk-will Oct 27, 2025
b177df3
Update `cdx:python:package:marker` to `uv:package:marker`
thomasschafer Oct 28, 2025
3d837b6
chore: add preview message
snyk-will Oct 29, 2025
668d4bd
Update comment
thomasschafer Oct 29, 2025
c034c51
fix: resolve conflicts after rebasing
thomasschafer Oct 30, 2025
b425384
Skip conflict detection for SBOMs
thomasschafer Oct 29, 2025
1676f8a
Add preview link to note
thomasschafer Oct 30, 2025
858ddbb
Merge pull request #6 from thomasschafer/sbom-export-docs
thomasschafer Oct 30, 2025
e6bfed1
Refactor component map
thomasschafer Oct 30, 2025
7230fcc
Insert synthetic root when using `--all-packages` flag
thomasschafer Oct 30, 2025
a18265b
Fix linting and tests
thomasschafer Oct 30, 2025
e465f6d
Use pypi rather than generic purl type, and naming updates
thomasschafer Oct 31, 2025
1250054
Implement Copy on PackageType
thomasschafer Oct 31, 2025
1be75c9
Replace `write_fmt` with `Write` implementation
thomasschafer Oct 31, 2025
aa9024c
Return error rather than panicking for non-local workspace packages
thomasschafer Nov 5, 2025
c6448e2
Swap anyio with urllib3 in cyclonedx snapshot tests
thomasschafer Nov 5, 2025
159 changes: 158 additions & 1 deletion Cargo.lock


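--- a/Cargo.toml
+++ b/Cargo.toml
@@ -103,6 +103,7 @@ configparser = { version = "3.1.0" }
 console = { version = "0.16.0", default-features = false, features = ["std"] }
 csv = { version = "1.3.0" }
 ctrlc = { version = "3.4.5" }
+cyclonedx-bom = { version = "0.8.0" }
 dashmap = { version = "6.1.0" }
 data-encoding = { version = "2.6.0" }
 dotenvy = { version = "0.15.7" }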
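Review bot: The new `cyclonedx-bom = { version = "0.8.0" }` entry takes the crate's default features, and the Cargo.lock section above grows by 158 lines, so this one line noticeably widens the workspace's transitive dependency set. If the export only needs JSON serialization, consider declaring it the way the neighbouring `console` entry is declared, e.g. `cyclonedx-bom = { version = "0.8.0", default-features = false }` plus the features actually used; which features the crate offers is not visible here and should be checked first. Because the Cargo.lock diff is not rendered on this page, the packages it adds deserve a separate look before merge.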
8 changes: 4 additions & 4 deletions crates/uv-cli/src/lib.rs
@@ -11,8 +11,8 @@ use clap::{Args, Parser, Subcommand};
use uv_auth::Service;
use uv_cache::CacheArgs;
use uv_configuration::{
ExportFormat, IndexStrategy, KeyringProviderType, PackageNameSpecifier, ProjectBuildBackend,
TargetTriple, TrustedHost, TrustedPublishing, VersionControlSystem,
ExportFormat, IndexStrategy, KeyringProviderType, PackageNameSpecifier, PipCompileFormat,
ProjectBuildBackend, TargetTriple, TrustedHost, TrustedPublishing, VersionControlSystem,
};
use uv_distribution_types::{
ConfigSettingEntry, ConfigSettingPackageEntry, Index, IndexUrl, Origin, PipExtraIndex,
@@ -1328,7 +1328,7 @@ pub struct PipCompileArgs {
/// uv will infer the output format from the file extension of the output file, if
/// provided. Otherwise, defaults to `requirements.txt`.
#[arg(long, value_enum)]
pub format: Option<ExportFormat>,
pub format: Option<PipCompileFormat>,

/// Include extras in the output file.
///
@@ -4303,7 +4303,7 @@ pub struct TreeArgs {
pub struct ExportArgs {
/// The format to which `uv.lock` should be exported.
///
/// Supports both `requirements.txt` and `pylock.toml` (PEP 751) output formats.
/// Supports `requirements.txt`, `pylock.toml` (PEP 751) and `CycloneDX` v1.5 JSON output formats.
///
/// uv will infer the output format from the file extension of the output file, if
/// provided. Otherwise, defaults to `requirements.txt`.
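Review bot: The `ExportArgs` doc comment in the third hunk now lists `CycloneDX` v1.5 JSON next to the stable formats without saying that it is a preview feature, although the same pull request adds an `sbom-export` preview flag. This text presumably becomes the `--format` help output, so a line such as `/// CycloneDX output is in preview (sbom-export) and may change.` would keep users from treating the generated SBOM as a stable artifact. The sentence about inferring the format from the file extension is left unchanged; whether any extension maps to CycloneDX is decided outside this hunk, and the comment should say so either way. `ExportArgs` continues past the end of the hunk.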
26 changes: 26 additions & 0 deletions crates/uv-configuration/src/export_format.rs
@@ -15,4 +15,30 @@ pub enum ExportFormat {
#[serde(rename = "pylock.toml", alias = "pylock-toml")]
#[cfg_attr(feature = "clap", clap(name = "pylock.toml", alias = "pylock-toml"))]
PylockToml,
/// Export in `CycloneDX` v1.5 JSON format.
#[serde(rename = "cyclonedx1.5")]
#[cfg_attr(
feature = "clap",
clap(name = "cyclonedx1.5", alias = "cyclonedx1.5+json")
)]
CycloneDX1_5,
}

/// The output format to use in `uv pip compile`.
#[derive(Debug, Default, Clone, Copy, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
#[serde(deny_unknown_fields, rename_all = "kebab-case")]
#[cfg_attr(feature = "clap", derive(clap::ValueEnum))]
pub enum PipCompileFormat {
/// Export in `requirements.txt` format.
#[default]
#[serde(rename = "requirements.txt", alias = "requirements-txt")]
#[cfg_attr(
feature = "clap",
clap(name = "requirements.txt", alias = "requirements-txt")
)]
RequirementsTxt,
/// Export in `pylock.toml` format.
#[serde(rename = "pylock.toml", alias = "pylock-toml")]
#[cfg_attr(feature = "clap", clap(name = "pylock.toml", alias = "pylock-toml"))]
PylockToml,
}
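Review bot: The `CycloneDX1_5` variant accepts `cyclonedx1.5+json` only through clap, while its serde attribute has no alias, so the two spellings are not interchangeable between the command line and any serialized configuration. The other variants keep both sides in step (`pylock.toml` / `pylock-toml` appear in both attributes); for consistency use `#[serde(rename = "cyclonedx1.5", alias = "cyclonedx1.5+json")]`. `PipCompileFormat` also repeats the first two `ExportFormat` variants attribute for attribute, so a short comment on it stating that SBOM output is deliberately excluded from `uv pip compile` would explain the duplication. The `ExportFormat` enum starts above the hunk.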
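--- a/crates/uv-preview/src/lib.rs
+++ b/crates/uv-preview/src/lib.rs
@@ -21,6 +21,7 @@ bitflags::bitflags! {
 const NATIVE_AUTH = 1 << 9;
 const S3_ENDPOINT = 1 << 10;
 const CACHE_SIZE = 1 << 11;
+const SBOM_EXPORT = 1 << 12;
 }
 }
 
@@ -42,6 +43,7 @@ impl PreviewFeatures {
 Self::NATIVE_AUTH => "native-auth",
 Self::S3_ENDPOINT => "s3-endpoint",
 Self::CACHE_SIZE => "cache-size",
+Self::SBOM_EXPORT => "sbom-export",
 _ => panic!("`flag_as_str` can only be used for exactly one feature flag"),
 }
 }
@@ -91,6 +93,7 @@ impl FromStr for PreviewFeatures {
 "native-auth" => Self::NATIVE_AUTH,
 "s3-endpoint" => Self::S3_ENDPOINT,
 "cache-size" => Self::CACHE_SIZE,
+"sbom-export" => Self::SBOM_EXPORT,
 _ => {
 warn_user_once!("Unknown preview feature: `{part}`");
 continue;
@@ -267,6 +270,7 @@ mod tests {
 );
 assert_eq!(PreviewFeatures::FORMAT.flag_as_str(), "format");
 assert_eq!(PreviewFeatures::S3_ENDPOINT.flag_as_str(), "s3-endpoint");
+assert_eq!(PreviewFeatures::SBOM_EXPORT.flag_as_str(), "sbom-export");
 }
 
 #[test]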
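Review bot: `SBOM_EXPORT` has to be added by hand in three places (the bitflag constant, the `flag_as_str` arm and the `FromStr` arm), and the added test line in the last hunk checks only `flag_as_str`. A matching parse assertion such as `assert_eq!(PreviewFeatures::from_str("sbom-export").unwrap(), PreviewFeatures::SBOM_EXPORT);` would catch the two string arms drifting apart. The rest of the test module lies outside the visible hunks, so this may already be covered elsewhere.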