CycloneDX Software Bill of Materials (SBOM) generator for Python projects and environments

7.3.0 · active · verified Sat Apr 11

cyclonedx-bom is a Python library and command-line tool for generating CycloneDX Software Bill of Materials (SBOM) for Python projects and environments. It supports various formats and schema versions of the CycloneDX specification. The current version is 7.3.0, and it maintains an active release cadence with frequent updates, with the latest release on March 30, 2026.

Warnings

breaking In v7.0.0, the handling of PEP 639 (improving license clarity) was finalized and is now always enabled. Consequently, the `--PEP-639` CLI switch was removed.
Fix: Remove the `--PEP-639` flag from your CLI commands. PEP 639 handling is now implicit and always active.
breaking In v7.0.0, deprecated CLI switches `--schema-version` and `--outfile` were removed.
Fix: Update your CLI commands to use `--spec-version` instead of `--schema-version` and `--output-file` instead of `--outfile`.
gotcha The `cyclonedx-bom` package is primarily a command-line interface (CLI) tool. Its internal Python API is not stable and explicitly not intended for public programmatic SBOM generation. For programmatic library-level interaction (e.g., creating data models, validation), you should use the `cyclonedx-python-lib` package instead.
Fix: If programmatic SBOM generation is required, leverage `subprocess` to call `cyclonedx-py` commands, or consider using the `cyclonedx-python-lib` package for direct library interaction.
gotcha Direct support for Conda as a package manager input (`--conda` or `--conda-json` CLI flags) was removed in versions prior to v4.
Fix: To generate SBOMs for Conda environments, activate the environment and use `cyclonedx-py environment` or pipe `conda list --json` output to `cyclonedx-py requirements -` if applicable.
gotcha As of v7.3.0, the new `-S` flag allows skipping `*.pth` file evaluation during environment analysis. While useful in some contexts, be aware that this may lead to incomplete component detection in your SBOM.
Fix: Use the `-S` flag with caution. Evaluate whether the potential for incomplete component detection outweighs the benefits for your specific environment analysis.
gotcha This library requires Python versions 3.9 or newer, but is not compatible with Python 4.x.
Fix: Ensure your environment uses Python 3.9, 3.10, 3.11, 3.12, or 3.13.

Install

pip install cyclonedx-bom Install latest version

Quickstart

Demonstrates how to generate a CycloneDX SBOM for the current Python environment using the `cyclonedx-py` command-line tool and capture its JSON output.

import subprocess
import json
import os

# Generate an SBOM for the current Python environment in JSON format
# and print it to stdout. In a real scenario, you'd typically direct to a file.
try:
    # Using `-o -` directs output to stdout
    result = subprocess.run(
        ['cyclonedx-py', 'environment', '--output-format', 'JSON', '-o', '-'],
        capture_output=True,
        text=True,
        check=True
    )
    sbom_data = json.loads(result.stdout)
    print("Successfully generated CycloneDX SBOM (first 200 chars):")
    print(json.dumps(sbom_data, indent=2)[:200] + "...")
except subprocess.CalledProcessError as e:
    print(f"Error generating SBOM: {e}")
    print(f"Stdout: {e.stdout}")
    print(f"Stderr: {e.stderr}")
except json.JSONDecodeError:
    print("Failed to decode JSON from SBOM output.")
    print(f"Raw output: {result.stdout}")

view raw JSON →