✨ brie bytes 🧀

📦 Generating SPDX and CycloneDX SBOMs

📋 Setup

uv venv
source .venv/bin/activate
uv pip install setuptools
uv run --with sbom4python sbom4python -h

✨ Usage

uv run --with sbom4python sbom4python -r requirements.txt \
  --format json -o pastebin-bisque-pipeglow.json \
  --graph plz && cat plz | dot -T png -o pastebin-bisque-pipeglow.png

The sbom4python tool generates SBOMs in SPDX format by default. Pass --sbom cyclonedx for the CycloneDX format instead.

uv run --with sbom4python sbom4python -r requirements.txt \
  --format yaml -o pastebin-bisque-pipeglow.yaml

One of the tools made available directly from SPDX is pyspdxtools:

uv run --with spdx-tools pyspdxtools -i ./pastebin-bisque-pipeglow.yaml
uv run --with cyclonedx-bom cyclonedx-py requirements requirements.txt
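
Once an SBOM like pastebin-bisque-pipeglow.json exists, it is worth checking that it actually covers requirements.txt. The script below is an added example, not part of the original post or of sbom4python: it assumes the standard SPDX 2.x JSON fields (packages, name, versionInfo, licenseConcluded), and the sample data and the function names normalize, parse_pins and audit are constructed for illustration.

```python
import json
import re

# Constructed sample data (not real tool output): a minimal SPDX 2.x JSON
# document and the requirements.txt it should describe.
SAMPLE_SBOM = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "requests", "versionInfo": "2.31.0", "licenseConcluded": "Apache-2.0"},
    {"name": "Typing_Extensions", "versionInfo": "4.9.0", "licenseConcluded": "NOASSERTION"},
    {"name": "urllib3", "versionInfo": "2.0.7", "licenseConcluded": "MIT"},
]})
SAMPLE_REQUIREMENTS = """\
# pinned dependencies
requests==2.31.0
typing-extensions==4.9.0
urllib3==2.2.1
click==8.1.7
"""

def normalize(name):
    """PEP 503 normalization so 'Typing_Extensions' matches 'typing-extensions'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_pins(text):
    """Return {normalized name: version} for 'name==version' lines."""
    pins = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9._-]+)\s*==\s*([^\s;#]+)", line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins

def audit(sbom_json, requirements_text):
    """Compare requirement pins with SBOM packages and report the gaps."""
    pkgs = {normalize(p["name"]): p
            for p in json.loads(sbom_json).get("packages", [])}
    pins = parse_pins(requirements_text)
    unlicensed = ("NOASSERTION", "NONE")
    return {
        "missing": sorted(n for n in pins if n not in pkgs),
        "version_mismatch": sorted(
            n for n, v in pins.items()
            if n in pkgs and pkgs[n].get("versionInfo") != v),
        "no_license": sorted(
            n for n, p in pkgs.items()
            if p.get("licenseConcluded", "NOASSERTION") in unlicensed),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_SBOM, SAMPLE_REQUIREMENTS))
```

To run it against real files, pass the contents of the generated JSON SBOM and of requirements.txt to audit() in place of the two samples.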

📚 References