Open chrisrodrigue opened 2 months ago
As hinted previously, you can use my Meta Package Manager CLI in the meantime to export the SBOM of a uv environment:
```console
$ mpm --uv sbom --spdx
info: User selection of managers by priority: > uv
info: Managers dropped by user: None
info: Print SPDX export to <stdout>
info: Export packages from uv...
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "creationInfo": {
    "created": "2024-08-02T23:29:10Z",
    "creators": [
      "Tool: meta-package-manager-5.18.1"
    ]
  },
  "dataLicense": "CC0-1.0",
  "name": "macOS-Darwin-23.6.0-arm64",
  "spdxVersion": "SPDX-2.3",
  "documentNamespace": "https://github.com/kdeldycke/meta-package-manager/releases/tag/v5.18.1/fdcf50b29504cc4c0df620af2283ed3",
  "packages": [
    {
      "SPDXID": "SPDXRef-pkg-uv-alabaster-0.7.16",
      "downloadLocation": "https://www.example.com",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceLocator": "pkg:uv/alabaster@0.7.16",
          "referenceType": "purl"
        }
      ],
      "filesAnalyzed": false,
      "name": "alabaster",
      "primaryPackagePurpose": "INSTALL",
      "supplier": "Organization: UV",
      "versionInfo": "0.7.16"
    },
    {
      "SPDXID": "SPDXRef-pkg-uv-arrow-1.3.0",
      "downloadLocation": "https://www.example.com",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceLocator": "pkg:uv/arrow@1.3.0",
          "referenceType": "purl"
        }
      ],
      "filesAnalyzed": false,
      "name": "arrow",
      "primaryPackagePurpose": "INSTALL",
      "supplier": "Organization: UV",
      "versionInfo": "1.3.0"
    },
    ...
```
Taking a CycloneDX BOM as input could also be an awesome way to set up a venv.
Any Python components in the BOM would have a PyPI purl, which uv could read and sync with pyproject.toml and the managed venv.
See related issue here regarding purl support: https://github.com/astral-sh/uv/issues/8265
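The ingestion direction sketched above, as an added example that is not part of this thread or of uv itself: it reads a CycloneDX JSON BOM (a constructed sample is embedded), keeps only `pkg:pypi/...` purls, strips purl qualifiers and subpaths, normalizes names per PEP 503, and renders the result as pinned `[project] dependencies` for a pyproject.toml. Function names and the sample BOM are this example's own.

```python
import json
import re
from urllib.parse import unquote

# Constructed CycloneDX 1.5 BOM (not real project data): two PyPI components,
# one npm component that must be ignored, and one purl with qualifiers/subpath.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "alabaster", "version": "0.7.16",
         "purl": "pkg:pypi/alabaster@0.7.16"},
        {"type": "library", "name": "Typing_Extensions", "version": "4.12.2",
         "purl": "pkg:pypi/Typing_Extensions@4.12.2?extension=whl#src"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "no-purl-here", "version": "1.0"},
    ],
})

# name stops at '@', '?' or '#'; version stops at the qualifier or subpath.
_PYPI_PURL = re.compile(r"^pkg:pypi/(?P<name>[^@?#]+)@(?P<version>[^?#]+)")


def normalize_name(name: str) -> str:
    """PEP 503 normalization: lowercase, collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pypi_pins_from_bom(bom_json: str) -> list[str]:
    """Sorted 'name==version' pins for every PyPI purl; other purls and
    components without a purl are skipped rather than guessed at."""
    pins = set()
    for comp in json.loads(bom_json).get("components", []):
        m = _PYPI_PURL.match(comp.get("purl") or "")
        if not m:
            continue  # e.g. pkg:npm/... belongs to another ecosystem
        name = normalize_name(unquote(m.group("name")))
        pins.add(f"{name}=={unquote(m.group('version'))}")
    return sorted(pins)


def as_pyproject_dependencies(pins: list[str]) -> str:
    """Render pins as a [project] dependencies array for pyproject.toml."""
    body = ",\n".join(f'    "{p}"' for p in pins)
    return f"[project]\ndependencies = [\n{body}\n]\n"


if __name__ == "__main__":
    print(as_pyproject_dependencies(pypi_pins_from_bom(SAMPLE_BOM)))
```

Syncing the rendered array into a real pyproject.toml and running `uv sync` is left to the caller; the point here is that the purl alone carries enough to pin the Python components and to reject components from other ecosystems.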
uv is in a prime position to be able to emit an SBOM that reflects the state of the current uv-managed virtual environment, or ingest an SBOM to produce a managed virtual environment.

SBOM requirements supersede any existing PEP. Executive Order 14028 demands SBOM documentation from all vendors to the US government by September 2023. It is reasonable to assume that uv may indirectly fall under this executive order if there are downstream users of uv that provide software to the US government.

It would be awesome if uv could emit an SBOM in one of the industry standard formats. CycloneDX is one such SBOM standard. I think uv may already have all the metadata necessary to output one.

SBOM support would greatly improve the security posture of uv and uv-managed projects.