csspin_python.python_sbom

The python_sbom plugin generates a CycloneDX Software Bill of Materials (SBOM) for the Python third-party dependencies of the current project. The output is written to {spin.project_name}.python_sbom.cdx.json in the project root.

Attention

Only dependencies listed under the thirdparty extra in the project’s pyproject.toml (or setup.py) are included in the SBOM. This design choice ensures that only selected third-party packages are considered.

How to set up the python_sbom plugin?

To use the python_sbom plugin, a project’s spinfile.yaml must contain at least the following configuration.

Minimal configuration of spinfile.yaml to leverage python_sbom
plugin_packages:
    - csspin-python
plugins:
    - csspin_python.python_sbom
python:
    version: "3.11.9"

The required virtual environment and the plugin’s dependencies are provisioned with the usual spin provision task.

How to generate a Python SBOM?

The python-sbom task is triggered automatically as part of the sbom:build task group. To invoke it directly:

spin python-sbom

Defining third-party packages

The task relies on a thirdparty extra defined in the project’s pyproject.toml (or setup.py) to determine which packages belong in the SBOM. Only the dependencies listed under this extra are included. The project’s own development or test dependencies are intentionally excluded.

pyproject.toml declaring third-party dependencies for the SBOM
[project.optional-dependencies]
thirdparty = [
    "requests>=2.28",
    "pydantic>=2.0",
]

If no thirdparty extra is defined, the task prints a notice and exits without generating a file.

Note

cyclonedx-bom is installed into an isolated temporary virtual environment during SBOM generation and does not need to be listed as a project dependency.

python_sbom schema reference

python_sbom: 'object'

Configuration related to the python_sbom plugin for csspin

python_sbom.project_paths: 'list'

List of paths to the Python projects for which to generate the SBOM.

python_sbom.cyclonedx_version: 'str'

Version of the cyclonedx-bom package to use for generating the SBOM.

python_sbom.schema: 'object'
python_sbom.cyclonedx_bom_version: 'str'
python_sbom.requires: 'object'
python_sbom.requires.spin: 'list'
python_sbom._requires: 'list'