{"id":3947,"library":"cyclonedx-bom","title":"CycloneDX Software Bill of Materials (SBOM) generator for Python projects and environments","description":"cyclonedx-bom is a Python library and command-line tool for generating CycloneDX Software Bill of Materials (SBOM) for Python projects and environments. It supports various formats and schema versions of the CycloneDX specification. The current version is 7.3.0, and it maintains an active release cadence with frequent updates, with the latest release on March 30, 2026.","status":"active","version":"7.3.0","language":"en","source_language":"en","source_url":"https://github.com/CycloneDX/cyclonedx-python/","tags":["SBOM","security","supply-chain","CycloneDX","software-composition-analysis"],"install":[{"cmd":"pip install cyclonedx-bom","lang":"bash","label":"Install latest version"}],"dependencies":[],"imports":[],"quickstart":{"code":"import subprocess\nimport json\nimport os\n\n# Generate an SBOM for the current Python environment in JSON format\n# and print it to stdout. In a real scenario, you'd typically direct to a file.\ntry:\n    # Using `-o -` directs output to stdout\n    result = subprocess.run(\n        ['cyclonedx-py', 'environment', '--output-format', 'JSON', '-o', '-'],\n        capture_output=True,\n        text=True,\n        check=True\n    )\n    sbom_data = json.loads(result.stdout)\n    print(\"Successfully generated CycloneDX SBOM (first 200 chars):\")\n    print(json.dumps(sbom_data, indent=2)[:200] + \"...\")\nexcept subprocess.CalledProcessError as e:\n    print(f\"Error generating SBOM: {e}\")\n    print(f\"Stdout: {e.stdout}\")\n    print(f\"Stderr: {e.stderr}\")\nexcept json.JSONDecodeError:\n    print(\"Failed to decode JSON from SBOM output.\")\n    print(f\"Raw output: {result.stdout}\")","lang":"python","description":"Demonstrates how to generate a CycloneDX SBOM for the current Python environment using the `cyclonedx-py` command-line tool and capture its JSON output."},"warnings":[{"fix":"Remove the `--PEP-639` flag from your CLI commands. PEP 639 handling is now implicit and always active.","message":"In v7.0.0, the handling of PEP 639 (improving license clarity) was finalized and is now always enabled. Consequently, the `--PEP-639` CLI switch was removed.","severity":"breaking","affected_versions":">=7.0.0"},{"fix":"Update your CLI commands to use `--spec-version` instead of `--schema-version` and `--output-file` instead of `--outfile`.","message":"In v7.0.0, deprecated CLI switches `--schema-version` and `--outfile` were removed.","severity":"breaking","affected_versions":">=7.0.0"},{"fix":"If programmatic SBOM generation is required, leverage `subprocess` to call `cyclonedx-py` commands, or consider using the `cyclonedx-python-lib` package for direct library interaction.","message":"The `cyclonedx-bom` package is primarily a command-line interface (CLI) tool. Its internal Python API is not stable and explicitly not intended for public programmatic SBOM generation. For programmatic library-level interaction (e.g., creating data models, validation), you should use the `cyclonedx-python-lib` package instead.","severity":"gotcha","affected_versions":"all"},{"fix":"To generate SBOMs for Conda environments, activate the environment and use `cyclonedx-py environment` or pipe `conda list --json` output to `cyclonedx-py requirements -` if applicable.","message":"Direct support for Conda as a package manager input (`--conda` or `--conda-json` CLI flags) was removed in versions prior to v4.","severity":"gotcha","affected_versions":"<4.0"},{"fix":"Use the `-S` flag with caution. Evaluate whether the potential for incomplete component detection outweighs the benefits for your specific environment analysis.","message":"As of v7.3.0, the new `-S` flag allows skipping `*.pth` file evaluation during environment analysis. While useful in some contexts, be aware that this may lead to incomplete component detection in your SBOM.","severity":"gotcha","affected_versions":">=7.3.0"},{"fix":"Ensure your environment uses Python 3.9, 3.10, 3.11, 3.12, or 3.13.","message":"This library requires Python versions 3.9 or newer, but is not compatible with Python 4.x.","severity":"gotcha","affected_versions":"all"}],"env_vars":null,"last_verified":"2026-04-11T00:00:00.000Z","next_check":"2026-07-10T00:00:00.000Z"}