uv-sbom

English | 日本語

Generate SBOMs (Software Bill of Materials) for Python projects managed by uv.

Features

📦 Parses uv.lock files to extract dependency information
🔍 Automatically fetches license information from PyPI with retry logic
🛡️ Checks for known vulnerabilities using OSV API (Markdown format only)
📋 License compliance policy check with configurable allow/deny lists and wildcard support
🔎 Vulnerability Resolution Guide - Identifies which direct dependency introduces each vulnerable transitive package
📊 Outputs in multiple formats:
- CycloneDX 1.6 JSON format (standard SBOM format)
- Markdown format with direct and transitive dependencies clearly separated
🚀 Fast and standalone - written in Rust
💾 Output to stdout or file
🛡️ Robust error handling with helpful error messages and suggestions
📈 Progress tracking during license information retrieval
🏗️ Built with Hexagonal Architecture (Ports and Adapters) + Domain-Driven Design for maintainability and testability
✅ Comprehensive test coverage (Unit, Integration, E2E)

Scope and Key Differences from CycloneDX

SBOM Scope

This tool generates SBOMs based on uv.lock file contents, which includes:

Direct runtime dependencies
Transitive runtime dependencies
Development dependencies (if locked in uv.lock)

What's NOT included:

Build system dependencies (e.g., hatchling, setuptools)
Publishing tools (e.g., twine, build)
Dependencies only present in the virtual environment but not locked in uv.lock

Comparison with CycloneDX Official Tools

As of v7.2.1, the official cyclonedx-python library does not yet provide direct support for uv. When generating SBOMs for Python projects:

Aspect	uv-sbom (this tool)	CycloneDX Official Tools
Data Source	`uv.lock` file	`.venv` virtual environment
Scope	Production runtime dependencies only	Entire supply chain including build/dev tools
Package Count	Typically fewer (e.g., 16 packages)	Typically more (e.g., 38+ packages)
Use Case	Production security scanning	Comprehensive supply chain audit
Accuracy	Reflects locked dependencies	Reflects installed packages

Which Tool Should You Use?

For production security scanning: Use uv-sbom to focus on dependencies that will be deployed to production
For comprehensive supply chain audit: Use CycloneDX official tools to include all development and build-time dependencies
For regulatory compliance: Check your specific requirements - some regulations may require the comprehensive approach

The focused approach of uv-sbom reduces noise in security vulnerability scanning by excluding build-time dependencies that don't ship with the final application.

Installation

Cargo (Recommended for Rust users)

Crates.io Total Downloads

Install from crates.io:

cargo install uv-sbom

uv tool (Python users)

Install the Python wrapper package:

uv tool install uv-sbom-bin

Or via pip:

pip install uv-sbom-bin

After installation, use the uv-sbom command:

uv-sbom --version

Note: The package name is uv-sbom-bin, but the installed command is uv-sbom.

Pre-built Binaries

Download pre-built binaries from GitHub Releases:

macOS (Apple Silicon):

curl -LO https://github.com/Taketo-Yoda/uv-sbom/releases/latest/download/uv-sbom-aarch64-apple-darwin.tar.gz
tar xzf uv-sbom-aarch64-apple-darwin.tar.gz
sudo mv uv-sbom /usr/local/bin/

macOS (Intel):

curl -LO https://github.com/Taketo-Yoda/uv-sbom/releases/latest/download/uv-sbom-x86_64-apple-darwin.tar.gz
tar xzf uv-sbom-x86_64-apple-darwin.tar.gz
sudo mv uv-sbom /usr/local/bin/

Linux (x86_64):

curl -LO https://github.com/Taketo-Yoda/uv-sbom/releases/latest/download/uv-sbom-x86_64-unknown-linux-gnu.tar.gz
tar xzf uv-sbom-x86_64-unknown-linux-gnu.tar.gz
sudo mv uv-sbom /usr/local/bin/

Windows: Download uv-sbom-x86_64-pc-windows-msvc.zip from the releases page and extract to your desired location.

From Source

# Clone the repository
git clone https://github.com/Taketo-Yoda/uv-sbom.git
cd uv-sbom

# Build and install
cargo build --release
cargo install --path .

Verify Installation

uv-sbom --version

Usage

Basic usage

Generate a CycloneDX JSON SBOM for the current directory:

uv-sbom

Output formats

Generate a Markdown table with direct and transitive dependencies:

uv-sbom --format markdown

Generate a CycloneDX JSON (default):

uv-sbom --format json

Output language

Use the --lang option to switch the output language for human-readable formats (Markdown). The default is English (en).

# Generate a Japanese Markdown SBOM report
uv-sbom --format markdown --lang ja

# Generate an English Markdown SBOM report (default)
uv-sbom --format markdown --lang en

Supported values: en (English, default), ja (Japanese)

Note: The --lang option affects section headers, table column names, and status labels in Markdown output. Package names, CVE IDs, and SPDX license identifiers always remain in their original form regardless of --lang.

Specify project path

Analyze a project in a different directory:

uv-sbom --path /path/to/project

Save to file

Output to a file instead of stdout:

uv-sbom --format json --output sbom.json
uv-sbom --format markdown --output SBOM.md

Combined options

uv-sbom --path /path/to/project --format markdown --output SBOM.md

Excluding packages

You can exclude specific packages from the SBOM using the --exclude or -e option:

# Exclude a single package
uv-sbom -e "pytest"

# Exclude multiple packages
uv-sbom -e "pytest" -e "mypy" -e "black"

# Use wildcards to exclude patterns
uv-sbom -e "debug-*"        # Exclude all packages starting with "debug-"
uv-sbom -e "*-dev"          # Exclude all packages ending with "-dev"
uv-sbom -e "*-test-*"       # Exclude all packages containing "-test-"

# Combine with other options
uv-sbom --format json --output sbom.json -e "pytest" -e "*-dev"

Pattern Syntax:

Use * as a wildcard to match zero or more characters
Patterns are case-sensitive
Maximum 64 patterns per invocation

Preventing Information Leakage: Use the --exclude option to skip specific internal or proprietary libraries. This prevents their names from being sent to external registries (like PyPI) during metadata retrieval, ensuring your internal project structure remains private.

Configuration file

You can use a configuration file (uv-sbom.config.yml) to set default options instead of passing them on the command line every time.

Generating a config template

Use the --init option to generate a template configuration file with all available fields as commented examples:

# Generate template in the current directory
uv-sbom --init

# Generate template in a specific directory
uv-sbom --init --path ./my-project

This creates a uv-sbom.config.yml file with inline documentation for every option. If the file already exists, the command exits with an error to prevent accidental overwriting.

Auto-discovery: Place a uv-sbom.config.yml file in your project directory (where uv.lock is located). The tool automatically detects and loads it.

Explicit path: Use --config / -c to specify a config file at a custom location.

# Auto-discovered config file (place in project directory)
uv-sbom

# Explicit config file path
uv-sbom --config ./custom-config.yml

Example configuration file (uv-sbom.config.yml):

# Output format: json or markdown
format: markdown

# Packages to exclude from SBOM (supports wildcards)
exclude_packages:
  - "pytest"
  - "mypy"
  - "*-dev"

# Enable CVE vulnerability checking
check_cve: true

# Severity threshold for vulnerability check (low/medium/high/critical)
severity_threshold: high

# CVSS threshold for vulnerability check (0.0-10.0)
# cvss_threshold: 7.0

# CVEs to ignore (with optional reason)
ignore_cves:
  - id: CVE-2024-1234
    reason: "False positive for our use case"
  - id: CVE-2024-5678
    reason: "Mitigated by network configuration"

# License compliance policy
license_policy:
  allow: ["MIT", "Apache-2.0", "BSD-*", "ISC", "PSF-2.0"]
  deny: ["GPL-3.0-only", "GPL-3.0-or-later", "AGPL-*"]
  unknown: "warn"  # "warn" | "deny" | "allow"

Config File Schema Reference

Field	Type	Required	Description
`format`	string	No	Output format (`json` / `markdown`)
`exclude_packages`	string[]	No	Package exclusion patterns (supports wildcards)
`check_cve`	bool	No	Override CVE checking behavior. Defaults to true when unset
`severity_threshold`	string	No	Severity threshold (`low` / `medium` / `high` / `critical`)
`cvss_threshold`	number	No	CVSS threshold (0.0 - 10.0)
`ignore_cves`	object[]	No	List of CVEs to ignore
`ignore_cves[].id`	string	Yes	CVE ID (e.g., `CVE-2024-1234`)
`ignore_cves[].reason`	string	No	Reason for ignoring
`license_policy`	object	No	License compliance policy configuration
`license_policy.allow`	string[]	No	Allowed license patterns (supports wildcards)
`license_policy.deny`	string[]	No	Denied license patterns (supports wildcards)
`license_policy.unknown`	string	No	Unknown license handling (`warn` / `deny` / `allow`)

Priority and Merge Rules

CLI arguments override config file values for scalar fields (format, severity_threshold, cvss_threshold)
check_cve defaults to true when unset. Set to false in config to disable. Use --no-check-cve CLI flag to opt out
exclude_packages are merged from both CLI and config file, then deduplicated
ignore_cves are merged from both CLI (--ignore-cve) and config file, deduplicated by ID (CLI entry takes precedence for duplicates)
check_license is enabled if set via CLI flag OR config file (logical OR, same as check_cve)
--license-allow and --license-deny CLI options override config file license_policy.allow / license_policy.deny entirely (not merged)

Ignoring specific CVEs

You can ignore specific CVEs from the command line using --ignore-cve / -i:

# Ignore specific CVEs from CLI
uv-sbom --ignore-cve CVE-2024-1234 --ignore-cve CVE-2024-5678

# Short form
uv-sbom -i CVE-2024-1234 -i CVE-2024-5678

# Combine config file and CLI ignores (both sources are merged)
uv-sbom --config ./config.yml -i CVE-2024-9999

Checking for vulnerabilities

CVE vulnerability checking is enabled by default using the OSV (Open Source Vulnerability) database. No flag is required:

# Check for vulnerabilities in Markdown output (CVE check runs automatically)
uv-sbom --format markdown

# Save vulnerability report to file
uv-sbom --format markdown --output SBOM.md

# Combine with exclude patterns
uv-sbom --format markdown -e "pytest" -e "*-dev"

# Opt out of CVE checking
uv-sbom --format markdown --no-check-cve

Disabling CVE Checking

CVE vulnerability checking is enabled by default. To opt out, use the --no-check-cve flag:

# Generate SBOM without CVE checking
uv-sbom --format markdown --no-check-cve

# Disable via config file
# check_cve: false  (in uv-sbom.config.yml)

Note: --no-check-cve conflicts with --severity-threshold, --cvss-threshold, and --suggest-fix.

License Compliance Check

Use the --check-license option to check packages against a configurable license policy:

# Enable license compliance check (using config file policy)
uv-sbom --check-license --format markdown

# With inline policy (overrides config file)
uv-sbom --check-license --license-allow "MIT,Apache-2.0,BSD-*" --license-deny "GPL-3.0,AGPL-*"

# Combined with vulnerability check
uv-sbom --check-license --severity-threshold high

How it works:

Deny takes precedence over allow: If a license matches both lists, it is denied
Wildcard patterns: Use BSD-*, AGPL-* etc. for pattern matching (case-insensitive)
Unknown license handling: Configure how licenses not in either list are treated:
- warn (default): Report as warning but don't fail
- deny: Treat unknown licenses as violations
- allow: Silently allow unknown licenses
Exit code: Returns exit code 1 when policy violations are detected

Vulnerability Threshold Options

You can control which vulnerabilities trigger a non-zero exit code using threshold options:

# Check for any vulnerabilities (exits with 1 if found)
uv-sbom --format markdown

# Check for High or Critical severity only
uv-sbom --format markdown --severity-threshold high

# Check for Critical severity only
uv-sbom --format markdown --severity-threshold critical

# Check for CVSS >= 7.0 only
uv-sbom --format markdown --cvss-threshold 7.0

# Check for CVSS >= 9.0 (Critical) only
uv-sbom --format markdown --cvss-threshold 9.0

Threshold Options:

--severity-threshold <LEVEL>: Filter by severity level (low, medium, high, critical)
--cvss-threshold <SCORE>: Filter by CVSS score (0.0-10.0)

Notes:

Only one threshold option can be used at a time
Cannot be used with --no-check-cve
Vulnerabilities below the threshold are still shown in the report but don't trigger exit code 1
When using --cvss-threshold, vulnerabilities without CVSS scores (N/A) are excluded from threshold evaluation

PyPI Link Verification

Use the --verify-links option to validate that packages exist on PyPI before generating hyperlinks. Packages that don't exist on PyPI will be rendered as plain text:

# Generate Markdown with verified PyPI links
uv-sbom --format markdown --verify-links

# Combine with other options
uv-sbom --format markdown --verify-links --output SBOM.md

Behavior:

Without --verify-links: All package names get PyPI hyperlinks (default, fast)
With --verify-links: Only verified packages get hyperlinks; unverified packages render as plain text
Network errors gracefully fall back to plain text (no crash)
Requests are executed in parallel (max 10 concurrent) for performance

CI Integration

Use vulnerability thresholds for CI/CD pipeline integration:

# GitHub Actions example
- name: Generate SBOM
  run: uv-sbom --format markdown --output sbom.md

- name: Security Check (High and Critical only)
  run: uv-sbom --format markdown --severity-threshold high

- name: Security Check (CVSS >= 7.0)
  run: uv-sbom --format markdown --cvss-threshold 7.0

# GitHub Actions - License Compliance Check
- name: License Compliance Check
  run: uv-sbom --check-license --format markdown

- name: Combined Security and License Check
  run: uv-sbom --check-license --severity-threshold high

# GitLab CI example
security_scan:
  script:
    - uv-sbom --format markdown --severity-threshold high
  allow_failure: false

Important Notes:

Vulnerability checking is only available for Markdown format
Requires internet connection to query OSV API
Not available in --dry-run mode (skips network operations)
Use --exclude to prevent internal packages from being sent to OSV API

Example Output:

When vulnerabilities are found, a section like this is added to the Markdown output:

## Vulnerability Report

**⚠️ Security Issues Detected**

The following packages have known security vulnerabilities:

| Package | Current Version | Fixed Version | CVSS | Severity | CVE ID |
|---------|----------------|---------------|------|----------|--------|
| urllib3 | 2.0.0 | 2.0.7 | 9.8 | 🔴 CRITICAL | CVE-2023-45803 |
| requests | 2.28.0 | 2.31.0 | 7.5 | 🟠 HIGH | CVE-2023-32681 |

---

*Vulnerability data provided by [OSV](https://osv.dev) under CC-BY 4.0*

Note: Vulnerability IDs (CVE, GHSA, PYSEC, RUSTSEC, etc.) in the vulnerability report are always rendered as hyperlinks, regardless of --verify-links. These IDs are sourced from the OSV database and link to authoritative vulnerability databases (NVD, GitHub Advisories, OSV.dev), so link verification is unnecessary.

Vulnerability Resolution Guide

When vulnerabilities are detected in transitive dependencies, uv-sbom automatically generates a Vulnerability Resolution Guide. This section shows which direct dependency introduces each vulnerable transitive package, so you know exactly what to upgrade.

Markdown output example

## Vulnerability Resolution Guide

The following transitive dependencies have known vulnerabilities. The table shows which direct dependency introduces each vulnerable package.

| Vulnerable Package | Current | Fixed Version | Severity | Introduced By (Direct Dep) | Vulnerability ID |
|--------------------|---------|---------------|----------|---------------------------|-----------------|
| urllib3 | 1.26.15 | >= 2.0.7 | 🟠 HIGH | requests (2.31.0) | [CVE-2024-XXXXX](https://nvd.nist.gov/vuln/detail/CVE-2024-XXXXX) |
| certifi | 2023.7.22 | >= 2024.2.2 | 🟠 HIGH | requests (2.31.0), httpx (0.25.0) | [CVE-2024-YYYYY](https://nvd.nist.gov/vuln/detail/CVE-2024-YYYYY) |

CycloneDX JSON output

In CycloneDX format, the introducing dependency is included as a properties entry:

{
  "vulnerabilities": [
    {
      "id": "CVE-2024-XXXXX",
      "properties": [
        {
          "name": "uv-sbom:introduced-by",
          "value": "requests@2.31.0"
        }
      ]
    }
  ]
}

Note: The resolution guide only appears for transitive dependency vulnerabilities. Direct dependency vulnerabilities are shown in the standard vulnerability table, as users can upgrade them directly.

Upgrade Advisor (`--suggest-fix`)

Use --suggest-fix to automatically suggest which direct dependency version to upgrade to resolve each transitive vulnerability.

Requires:

uv CLI installed
pyproject.toml in the project directory

Example:

uv-sbom generate --suggest-fix

Output: Adds a "Recommended Action" column to the Vulnerability Resolution Guide showing:

⬆️ Upgrade requests → 2.32.3 (resolves urllib3 to 2.2.1) — when an upgrade fixes the vulnerability
⚠️ Cannot resolve: latest httpx still pins idna < 3.7 — when no upgrade helps
❓ Could not analyze: <error> — when simulation failed

Try it with the included example:

# This example has transitive CVEs designed to show both Upgradable and Unresolvable outcomes
uv-sbom -p examples/suggest-fix-project --suggest-fix -f markdown

See examples/suggest-fix-project/README.md for a full walkthrough.

License Compliance Check output example:

## License Compliance Check

Policy: 3 allowed patterns, 1 denied pattern | Unknown: warn

### Violations (2 found)

| Package | Version | License | Reason |
|---------|---------|---------|--------|
| some-gpl-lib | 1.0.0 | GPL-3.0 | Denied by policy |
| mystery-pkg | 2.1.0 | Unknown | Not in allow list |

When no vulnerabilities are found:

## Vulnerability Report

**✅ No Known Vulnerabilities**

No security vulnerabilities were found in the scanned packages.

---

*Vulnerability data provided by [OSV](https://osv.dev) under CC-BY 4.0*

Validating configuration with dry-run

Use the --dry-run option to validate your configuration before the tool communicates with external registries:

# Verify exclude patterns work correctly
uv-sbom --dry-run -e "internal-*" -e "proprietary-pkg"

# Test configuration with all options
uv-sbom --dry-run --path /path/to/project --format json -e "*-dev"

Why use --dry-run:

Verify exclude patterns: Ensure your --exclude patterns correctly match the packages you want to skip
Prevent information leakage: Confirm that sensitive internal packages are excluded BEFORE the tool communicates with PyPI registry
Fast validation: All input validation happens without network overhead
Early error detection: Catch configuration issues (missing uv.lock, invalid patterns, etc.) immediately

What happens in dry-run mode:

✅ Reads and parses uv.lock file
✅ Validates all command-line arguments
✅ Checks exclude patterns and warns about unmatched patterns
✅ Outputs success message if no issues found
❌ Skips license fetching from PyPI (no network communication)
❌ Skips SBOM output generation

Security

Exclude Pattern Input Validation

The -e/--exclude option implements the following security measures to protect against malicious input:

Character Restrictions

Only the following characters are allowed in patterns:

Alphanumeric characters: a-z, A-Z, 0-9, Unicode letters/numbers
Hyphens (-), underscores (_), dots (.): Common in package names
Square brackets ([, ]): For package extras (e.g., requests[security])
Asterisks (*): For wildcard matching

Control characters, shell metacharacters, and path separators are blocked to prevent:

Terminal escape sequence injection
Log injection attacks
Command injection (defense in depth)

Pattern Limits

Maximum patterns: 64 patterns can be specified per invocation
Maximum length: 255 characters per pattern
Minimum content: Patterns must contain at least one non-wildcard character

These limits prevent denial-of-service attacks via:

Excessive memory consumption
CPU exhaustion from complex pattern matching

Examples

Valid patterns:

uv-sbom -e 'pytest'           # Exact match
uv-sbom -e 'test-*'           # Prefix wildcard
uv-sbom -e '*-dev'            # Suffix wildcard
uv-sbom -e 'package[extra]'   # Package with extras

Invalid patterns (rejected with error):

uv-sbom -e ''                 # Empty pattern
uv-sbom -e '***'              # Only wildcards
uv-sbom -e 'pkg;rm -rf /'     # Contains shell metacharacter
uv-sbom -e "$(cat /etc/passwd)" # Shell command substitution blocked

For more detailed security information, including threat model and attack vectors, see SECURITY.md.

Command-line options

Options:
  -f, --format <FORMAT>              Output format: json or markdown [default: json]
  -p, --path <PATH>                  Path to the project directory [default: current directory]
  -o, --output <OUTPUT>              Output file path (if not specified, outputs to stdout)
  -e, --exclude <PATTERN>            Exclude packages matching patterns (supports wildcards: *)
  -c, --config <PATH>               Path to config file (auto-discovers uv-sbom.config.yml if not specified)
  -i, --ignore-cve <CVE_ID>         CVE IDs to ignore (can be specified multiple times)
      --lang <LANG>                  Output language for human-readable formats: en or ja [default: en]
      --init                         Generate a uv-sbom.config.yml template file
      --dry-run                      Validate configuration without network communication or output generation
      --verify-links                 Verify PyPI links exist before generating hyperlinks (Markdown format only)
      --check-cve                    [DEPRECATED] CVE checking is now enabled by default. This flag has no effect. Use --no-check-cve to opt out
      --no-check-cve                 Disable CVE vulnerability checking (enabled by default)
      --severity-threshold <LEVEL>   Severity threshold for vulnerability check (low/medium/high/critical)
                                     Cannot be used with --no-check-cve
      --cvss-threshold <SCORE>       CVSS threshold for vulnerability check (0.0-10.0)
                                     Cannot be used with --no-check-cve
      --suggest-fix                  Suggest direct dependency upgrade versions to resolve transitive vulnerabilities
                                     Requires uv CLI installed and pyproject.toml in project directory
      --check-license                Check license compliance against policy
      --license-allow <LIST>         Comma-separated list of allowed license patterns (overrides config)
      --license-deny <LIST>          Comma-separated list of denied license patterns (overrides config)
  -h, --help                         Print help
  -V, --version                      Print version

Exit Codes

uv-sbom returns the following exit codes:

Exit Code	Description	Examples
0	Success	SBOM generated successfully, no vulnerabilities above threshold, `--help` or `--version` displayed
1	Vulnerabilities or license violations detected	Vulnerabilities above threshold detected, license policy violations found
2	Invalid command-line arguments	Unknown option, invalid argument type
3	Application error	Missing uv.lock file, invalid project path, invalid exclude pattern, network error, file write error

Exit Codes with Vulnerability and License Checking

When using CVE or license checking, the exit code behavior changes based on threshold settings:

Scenario	Exit Code
No vulnerabilities found	0
Vulnerabilities found (no threshold specified)	1
Vulnerabilities found, all below threshold	0
Vulnerabilities found, some above threshold	1
License policy violations detected	1
Combined: either check fails	1
Combined: both checks pass	0

Examples:

# Returns 0 if no High/Critical vulnerabilities, even if Low/Medium exist
uv-sbom --format markdown --severity-threshold high

# Returns 0 if no vulnerabilities have CVSS >= 7.0
uv-sbom --format markdown --cvss-threshold 7.0

Common Error Scenarios

Exit code 3 - Application errors:

# Missing uv.lock file
$ uv-sbom --path /path/without/uv-lock
❌ An error occurred:
uv.lock file not found: /path/without/uv-lock/uv.lock
# Exit code: 3

# Invalid exclude pattern (empty)
$ uv-sbom -e ""
❌ An error occurred:
Exclusion pattern cannot be empty
# Exit code: 3

# Invalid exclude pattern (invalid characters)
$ uv-sbom -e "pkg;name"
❌ An error occurred:
Exclusion pattern contains invalid character ';' in pattern 'pkg;name'
# Exit code: 3

# Nonexistent project path
$ uv-sbom --path /nonexistent
❌ An error occurred:
Invalid project path: /nonexistent
# Exit code: 3

Exit code 2 - CLI argument errors:

# Unknown option
$ uv-sbom --unknown-option
error: unexpected argument '--unknown-option' found
# Exit code: 2

# Invalid format value
$ uv-sbom --format invalid
error: invalid value 'invalid' for '--format <FORMAT>'
# Exit code: 2

Usage in Scripts

#!/bin/bash

uv-sbom --format json --output sbom.json

case $? in
  0)
    echo "SBOM generated successfully"
    ;;
  1)
    echo "Vulnerabilities detected above threshold"
    exit 1
    ;;
  2)
    echo "Invalid command-line arguments"
    exit 2
    ;;
  3)
    echo "Application error occurred"
    exit 3
    ;;
esac

Output Examples

Markdown format

Note: The Markdown format sample is based on the SBOM format from ja-complete v0.1.0.

## Summary

| Item | Count | Status |
|------|-------|--------|
| Direct dependencies | 2 | ✅ |
| Transitive dependencies | 3 | ✅ |
| ...vulnerability rows... | | |
| License violations | 0 | ✅ |

**Overall: No issues found** ✅

# Software Bill of Materials (SBOM)

## Component Inventory

A comprehensive list of all software components and libraries included in this project.

| Package | Version | License | Description |
|---------|---------|---------|-------------|
| janome | 0.5.0 | AL2 | Japanese morphological analysis engine. |
| pydantic | 2.12.5 | MIT | Data validation using Python type hints |
| ...additional packages... |

## Direct Dependencies

Primary packages explicitly defined in the project configuration(e.g., pyproject.toml).

| Package | Version | License | Description |
|---------|---------|---------|-------------|
| janome | 0.5.0 | AL2 | Japanese morphological analysis engine. |
| pydantic | 2.12.5 | MIT | Data validation using Python type hints |

## Transitive Dependencies

Secondary dependencies introduced by the primary packages.

### Dependencies for pydantic

| Package | Version | License | Description |
|---------|---------|---------|-------------|
| annotated-types | 0.7.0 | MIT License | Reusable constraint types to use with typing.Annotated |
| pydantic-core | 2.41.5 | MIT | Core functionality for Pydantic validation and serialization |

CycloneDX JSON format

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "serialNumber": "urn:uuid:...",
  "metadata": {
    "timestamp": "2024-01-01T00:00:00Z",
    "tools": [
      {
        "name": "uv-sbom",
        "version": "0.1.0"
      }
    ]
  },
  "components": [
    {
      "type": "library",
      "name": "requests",
      "version": "2.31.0",
      "description": "HTTP library for Python",
      "licenses": [
        {
          "license": {
            "name": "Apache 2.0"
          }
        }
      ],
      "purl": "pkg:pypi/requests@2.31.0"
    }
  ]
}

Requirements

A Python project managed by uv with a uv.lock file
Internet connection for fetching license information from PyPI

Network Requirements

External Domains Accessed

uv-sbom makes HTTP requests to the following external services during SBOM generation:

Required for all operations:

PyPI (Python Package Index)
- Domain: https://pypi.org
- Purpose: Fetch license information for Python packages
- When: Every SBOM generation (unless using --dry-run)
- Rate limit: No official limit, but tool implements retry logic
- Endpoint: /pypi/{package_name}/json

Optional (only when using `--no-check-cve` disables CVE, or `--verify-links`):

PyPI Link Verification
- Domain: https://pypi.org
- Purpose: Verify package existence on PyPI via HTTP HEAD requests
- When: Only when --verify-links flag is used
- Rate limit: Max 10 concurrent requests
- Endpoint: /project/{package_name}/
OSV (Open Source Vulnerability Database)
- Domain: https://api.osv.dev
- Purpose: Fetch vulnerability information for security scanning
- When: By default (unless --no-check-cve is used)
- Rate limit: Tool implements 10 requests/second limit
- Endpoints:
  - /v1/querybatch - Batch query for vulnerability IDs
  - /v1/vulns/{vuln_id} - Detailed vulnerability information

Firewall Configuration

If you are behind a corporate firewall or proxy, ensure the following domains are on the allowlist:

# Required
pypi.org

# Optional (for --verify-links only; OSV is accessed by default unless --no-check-cve)
pypi.org       # Also used for --verify-links
api.osv.dev    # Disabled only with --no-check-cve

Proxy Configuration

The tool respects standard HTTP/HTTPS proxy environment variables:

export HTTP_PROXY=http://proxy.company.com:8080
export HTTPS_PROXY=http://proxy.company.com:8080
export NO_PROXY=localhost,127.0.0.1

uv-sbom --format json

Offline Mode

To validate configuration without making network requests, use --dry-run:

uv-sbom --dry-run

This mode:

Validates uv.lock file
Validates command-line arguments
Checks exclude patterns
Skips license fetching (no PyPI access)
Skips vulnerability checking (no OSV access)
Skips SBOM output generation

Error Handling

uv-sbom provides detailed error messages with helpful suggestions:

Missing uv.lock file: Clear message with suggestions on how to fix
Invalid project path: Validates directory existence before processing
License fetch failures: Retries failed requests (up to 3 attempts) and continues processing
File write errors: Checks directory existence and permissions
Progress tracking: Shows real-time progress during license information retrieval

Example error message:

❌ An error occurred:

uv.lock file not found: /path/to/project/uv.lock

💡 Hint: uv.lock file does not exist in project directory "/path/to/project".
   Please run in the root directory of a uv project, or specify the correct path with the --path option.

Troubleshooting

uv.lock file not found

Ensure you're running the command in a directory containing a uv.lock file, or use the --path option to specify the correct project directory.

License information fetch failures

Some packages may fail to retrieve license information from PyPI. The tool will:

Automatically retry up to 3 times
Continue processing other packages
Display warnings for failed packages
Include packages in the output without license information if fetching fails

Network issues

If you're behind a proxy or firewall, ensure that you can access https://pypi.org. The tool uses a 10-second timeout for API requests.

Documentation

For Users

README.md - User documentation
LICENSE - MIT License

For Developers

DEVELOPMENT.md - Development guide
ARCHITECTURE.md - Hexagonal Architecture + DDD implementation (layers, ports, adapters, test strategy, ADRs)
CHANGELOG.md - Change history

For Claude Code Users

.claude/project-context.md - Complete project context for Claude Code
.claude/instructions.md - Coding guidelines and instructions for Claude Code

These files provide comprehensive context for AI-assisted development with Claude Code.

Attribution

Vulnerability Data

By default, this tool retrieves vulnerability data from OSV (Open Source Vulnerability), which is provided under the Creative Commons Attribution 4.0 International License (CC-BY 4.0). Use --no-check-cve to opt out of vulnerability checking.

Required Attribution:

Vulnerability data provided by OSV
Available at: https://osv.dev
License: CC-BY 4.0

The OSV database is a collaborative effort to provide comprehensive, accurate, and accessible vulnerability information for open source software.

License

MIT License - see LICENSE file for details.

uv-sbom 2.1.0