csspin-python 4.0.0__py3-none-any.whl → 4.1.0rc1__py3-none-any.whl

csspin_python/python.py

@@ -69,12 +69,15 @@ point to the base installation.
 import abc
 import configparser
 import hashlib
+import json
 import logging
 import os
 import re
 import shutil
+import subprocess
 import sys
 from contextlib import contextmanager
+from functools import cache
 from subprocess import CalledProcessError, check_output
 from textwrap import dedent, indent
 from typing import Generator, Iterable, Type, Union
@@ -88,6 +91,7 @@ except ImportError:
 
 from click.exceptions import Abort
 from csspin import (
+    CONFIG,
     EXPORTS,
     Command,
     Memoizer,
@@ -716,6 +720,30 @@ class PythonActivate(ActivateScriptPatcher):
         return value
 
 
+@cache
+def get_project_metadata(project_path: str, index_url: str) -> dict:  # type: ignore[return] # pylint: disable=inconsistent-return-statements # noqa: E501
+    """
+    Retrieve project metadata of ``project_path`` via ``python -m build
+    --metadata``.
+
+    Cached since ``build --metadata`` is noisy and the output is identical for
+    every caller within the same process.
+    """
+    setenv(PIP_INDEX_URL=index_url)
+    kwargs = {}
+    if CONFIG.verbosity < Verbosity.INFO:
+        kwargs["stderr"] = subprocess.DEVNULL
+    raw_metadata = backtick(
+        "python", "-m", "build", "--metadata", project_path, **kwargs
+    )
+    setenv(PIP_INDEX_URL=None)
+
+    if raw_metadata:
+        return json.loads(raw_metadata)  # type: ignore[no-any-return]
+
+    die(f"Could not retrieve project metadata of '{project_path}'.")
+
+
 def get_site_packages(interpreter: Path) -> Path:
     """Return the path to the virtual environments site-packages."""
     return Path(

csspin_python/python_sbom.py

@@ -0,0 +1,196 @@
+# -*- mode: python; coding: utf-8 -*-
+#
+# Copyright (C) 2026 CONTACT Software GmbH
+# https://www.contact-software.com/
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Module implementing the python_sbom plugin for csspin"""
+
+import json
+import sys
+from subprocess import DEVNULL, PIPE
+from tempfile import TemporaryDirectory
+
+from csspin import (
+    Verbosity,
+    backtick,
+    config,
+    die,
+    exists,
+    info,
+    memoizer,
+    rmtree,
+    sh,
+    task,
+)
+from csspin.tree import ConfigTree
+from packaging.requirements import Requirement
+from path import Path
+
+defaults = config(
+    cyclonedx_bom_version="7.3.0",
+    project_paths=["{spin.project_root}"],
+    requires=config(spin=["csspin_python.python"]),
+)
+
+
+@task("python-sbom", when="sbom:build")
+def sbom(cfg: ConfigTree) -> None:
+    """
+    Create the SBOMs for Python projects defined in via
+    'python_sbom.project_paths'.
+
+    This task assumes that the current package defines its dependencies that
+    are to be included in the SBOM via the "thirdparty" extra.
+
+    If there is no such extra, the SBOM generation is skipped.
+    """
+    from csspin_python.python import get_project_metadata
+
+    stderr = PIPE if cfg.verbosity > Verbosity.NORMAL else DEVNULL
+    for project_path in cfg.python_sbom.project_paths:
+        if not exists(project_path):
+            die(f"Project path '{project_path}' does not exist.")
+
+        project_path = Path(project_path).absolute()
+        metadata = get_project_metadata(project_path, cfg.python.index_url)
+        third_party_deps = _collect_thirdparty_deps(
+            metadata.get("requires_dist", set()), python_version=cfg.python.version
+        )
+        sbom_content = _run_cyclonedx(cfg, third_party_deps, stderr)
+        _write_sbom(cfg, sbom_content, metadata.get("name"), metadata.get("version"))
+
+
+def cleanup(cfg: ConfigTree) -> None:
+    """Get rid of all generated .cdx.json files and the cyclonedx-bom venv."""
+    for cdx_file in cfg.spin.project_root.glob("*.python_sbom.cdx.json"):
+        rmtree(cdx_file)
+    rmtree(cfg.spin.project_root / ".spin" / "venv_csspin_python__python_sbom")
+
+
+# ---- Internals ---------------------------------------------------------------
+
+
+def _ensure_cyclonedx_venv(cfg: ConfigTree, binary_dir: str, quiet: str | None) -> Path:
+    """Return the cyclonedx-bom interpreter path, (re)creating the venv if needed.
+
+    We install cyclonedx-bom into a persistent venv since defining it as a
+    dependency of csspin-python itself doesn't work at this moment.
+    See https://github.com/CycloneDX/cyclonedx-python/issues/1045
+    """
+    venv_cdx = cfg.spin.project_root / ".spin" / "venv_csspin_python__python_sbom"
+    interpreter_cdx = venv_cdx / binary_dir / "python" + cfg.platform.exe
+
+    requested_version = cfg.python_sbom.cyclonedx_bom_version
+    memo_key = f"cyclonedx-bom=={requested_version}"
+    memo_file = venv_cdx / "csspin_python_sbom.memo"
+
+    if venv_cdx.exists():
+        with memoizer(memo_file) as memo:
+            if memo.check(memo_key):
+                info(
+                    f"Reusing existing cyclonedx-bom {requested_version} from {venv_cdx}"
+                )
+                return interpreter_cdx
+        info(
+            f"cyclonedx-bom version mismatch (wanted={requested_version}), "
+            f"recreating {venv_cdx}"
+        )
+        rmtree(venv_cdx)
+
+    sh(cfg.python.interpreter, "-m", "venv", venv_cdx)
+    sh(
+        interpreter_cdx,
+        "-m",
+        "pip",
+        quiet,
+        "--disable-pip-version-check",
+        "install",
+        "--index-url",
+        cfg.python.index_url,
+        "cyclonedx-bom==" + requested_version,
+    )
+    with memoizer(memo_file) as memo:
+        memo.add(memo_key)
+    return interpreter_cdx
+
+
+def _run_cyclonedx(cfg: ConfigTree, third_party_deps: set[str], stderr: int) -> str:
+    """
+    Install third-party deps into a temp venv and return the CycloneDX JSON.
+    """
+
+    binary_dir = "Scripts" if sys.platform == "win32" else "bin"
+    quiet = None if cfg.verbosity > Verbosity.NORMAL else "-q"
+    interpreter_cdx = _ensure_cyclonedx_venv(cfg, binary_dir, quiet)
+
+    with TemporaryDirectory() as tmp_dir:
+        venv = Path(tmp_dir) / "venv"
+        interpreter = venv / binary_dir / "python" + cfg.platform.exe
+        sh(cfg.python.interpreter, "-m", "venv", venv)
+        if third_party_deps:
+            sh(
+                interpreter,
+                "-m",
+                "pip",
+                quiet,
+                "install",
+                "--index-url",
+                cfg.python.index_url,
+                *[
+                    f"--constraint={constraint}"
+                    for constraint in cfg.python.constraints
+                ],
+                *third_party_deps,
+                stderr=stderr,
+            )
+        sh(interpreter, "-m", "pip", quiet, "uninstall", "-y", "pip")
+        return backtick(interpreter_cdx, "-m", "cyclonedx_py", "environment", venv, stderr=stderr)  # type: ignore[no-any-return] # noqa: E501
+
+
+def _write_sbom(
+    cfg: ConfigTree, content: str, project_name: str, project_version: str
+) -> None:
+    """Inject project metadata into the cyclonedx JSON and write the output file."""
+    output_file = cfg.spin.project_root / f"{project_name}.python_sbom.cdx.json"
+    # cyclonedx-bom doesn't add primary component name and version when not
+    # using pyproject.toml
+    sbom_json = json.loads(content)
+    sbom_json |= {
+        "metadata": {"component": {"name": project_name, "version": project_version}}
+    }
+    with open(output_file, "w", encoding="utf-8") as f:
+        json.dump(sbom_json, f, indent=2, sort_keys=True)
+    info(f"Generated Python SBOM successfully ({output_file})")
+
+
+def _collect_thirdparty_deps(requires_dist: list, python_version: str) -> set[str]:
+    """Extract 'thirdparty' dependency specifiers from project metadata."""
+
+    import platform
+
+    env = {
+        "sys_platform": sys.platform,
+        "extra": "thirdparty",
+        "platform_system": platform.system(),
+        "python_version": python_version,
+    }
+
+    dependencies = set()
+
+    for require in requires_dist:
+        req = Requirement(require)
+        if req.marker and req.marker.evaluate(environment=env):
+            dependencies.add(req.name + str(req.specifier))
+    return dependencies

csspin_python/python_sbom_schema.yaml

@@ -0,0 +1,18 @@
+# -*- mode: yaml; coding: utf-8 -*-
+#
+# Schema for the python_sbom plugin for csspin
+
+python_sbom:
+    type: object
+    help: Configuration related to the python_sbom plugin for csspin
+    properties:
+        project_paths:
+            type: list
+            help: |
+                List of paths to the Python projects for which to generate the
+                SBOM.
+        cyclonedx_version:
+            type: str
+            help: |
+                Version of the cyclonedx-bom package to use for generating the
+                SBOM.

{csspin_python-4.0.0.dist-info → csspin_python-4.1.0rc1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: csspin-python
-Version: 4.0.0
+Version: 4.1.0rc1
 Summary: Plugin-package for csspin providing Python related plugins
 Author-email: CONTACT Software GmbH <info@contact-software.com>
 Maintainer-email: Waleri Enns <waleri.enns@contact-software.com>, Benjamin Thomas Schwertfeger <benjaminthomas.schwertfeger@contact-software.com>, Fabian Hafer <fabian.hafer@contact-software.com>
@@ -45,18 +45,21 @@ The following plugins are available:
 - `csspin_python.debugpy`: A plugin for debugging Python code using `debugpy`_.
 - `csspin_python.devpi`: A plugin for simplified usage of `devpi`_.
 - `csspin_python.pytest`: A plugin for running tests using pytest.
-- `csspin_python.python`: A plugin for provisioning Python environments  and
-  installing dependencies.
+- `csspin_python.python`: A plugin for provisioning Python environments,
+  installing dependencies, and managing the virtual environment.
+- `csspin_python.python_sbom`: A plugin for generating a `CycloneDX`_ Software
+  Bill of Materials (SBOM) for Python third-party dependencies.
 - `csspin_python.radon`: A plugin for running `radon`_ to analyze code
   complexity.
 - `csspin_python.sphinx`: A plugin for building Sphinx documentation.
 - `csspin_python.playwright`: A plugin for running tests using `playwright`_.
   This plugin is deprecated, use the pytest plugin with the
   'pytest.playwright.enabled=true' setting instead.
-- `csspin_python.uv_provisioner`: A plugin that uses `uv`_ to provision the Python environment.
+- `csspin_python.uv_provisioner`: A plugin that uses `uv`_ to provision the
+  Python environment.
 
 The package provides an ``aws_auth`` extra, that, if enabled, can authenticate
-to `CONTACT Software GmbH`_'s AWS Codeartifact. It also provides an ``uv``
+to `CONTACT Software GmbH`_'s AWS CodeArtifact. It also provides an ``uv``
 extra, that is necessary for using the ``csspin_python.uv_provisioner`` plugin.
 
 Prerequisites
@@ -120,4 +123,5 @@ tests using ``spin pytest`` and do other great things.
 .. _`devpi`: https://pypi.org/project/devpi
 .. _`playwright`: https://pypi.org/project/pytest-playwright
 .. _`radon`: https://pypi.org/project/radon
+.. _`CycloneDX`: https://cyclonedx.org/
 .. _`uv`: https://docs.astral.sh/uv/

{csspin_python-4.0.0.dist-info → csspin_python-4.1.0rc1.dist-info}/RECORD

@@ -8,14 +8,16 @@ csspin_python/playwright.py,sha256=oFfphLqa4AB6K9vasCUFHN0kFXu63n3ocrsqVuRp4-0,5
 csspin_python/playwright_schema.yaml,sha256=TSeR16YHa7m7bfO59F2eMV-jXcglluTJdEpUeL16saY,1178
 csspin_python/pytest.py,sha256=N9YaU_ouQab0PFPf46HLE7Vg4JeoZW4dzVD7EevqJ1U,4573
 csspin_python/pytest_schema.yaml,sha256=tzXtdF6MvGC9v59EVRJFfLeMMHqPsXcFXy2zJtRECBI,1535
-csspin_python/python.py,sha256=ogmaOdaXXZHaCYaPa0b2y11Rn6ZgMgzRftUG6-seBWM,36824
+csspin_python/python.py,sha256=yqH1eG6mqRJomu-F99cB74PFaUzbSoG_dhpUjYwr1xE,37725
+csspin_python/python_sbom.py,sha256=RpqobiJ768Q6no7uwYAqvykp1-Bj0bkvED3a3pZbEBI,6817
+csspin_python/python_sbom_schema.yaml,sha256=VCxY9E2AG_fS00dvIYe6Fbvz1maPjpY0zyZK1Z0wJu4,538
 csspin_python/python_schema.yaml,sha256=pgVVjByUYjxQWek7aFmjQzRwmq2ROLvHYgwGPMrT9sM,6351
 csspin_python/radon.py,sha256=uFqm6FEi5oWj-_XVaAm3s9cam0cUmr1_FwRf40K6xWs,1876
 csspin_python/radon_schema.yaml,sha256=rlRzXw5z4XbjOVznRiUxWGP4E9hx1Jm-gGw1iQiYzE0,548
 csspin_python/uv_provisioner.py,sha256=1e-_Sb39JrqNWyaUNeBX59R5tutXLJ1ZsT7urCN1U0I,6044
 csspin_python/uv_provisioner_schema.yaml,sha256=Y8ZNC2OMnhR8Us3WUXAXK9hMjqGWAKFJB2puX4X5XNQ,727
-csspin_python-4.0.0.dist-info/licenses/LICENSE,sha256=4MAecetnRTQw5DlHtiikDSzKWO1xVLwzM5_DsPMYlnE,10172
-csspin_python-4.0.0.dist-info/METADATA,sha256=yC8s-jxM6RQjQWi6UsukDCZlGdoV_NOFubcZ0Y-QERM,5035
-csspin_python-4.0.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
-csspin_python-4.0.0.dist-info/top_level.txt,sha256=QSeglMEGbFu1z4L6MCQYwo01NgL0KojWvC4rzgMQ8gU,14
-csspin_python-4.0.0.dist-info/RECORD,,
+csspin_python-4.1.0rc1.dist-info/licenses/LICENSE,sha256=4MAecetnRTQw5DlHtiikDSzKWO1xVLwzM5_DsPMYlnE,10172
+csspin_python-4.1.0rc1.dist-info/METADATA,sha256=kW0dZXu1Wwuhw4EooWroAHOZGMw5wjBso1MFJDzkJX8,5257
+csspin_python-4.1.0rc1.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+csspin_python-4.1.0rc1.dist-info/top_level.txt,sha256=QSeglMEGbFu1z4L6MCQYwo01NgL0KojWvC4rzgMQ8gU,14
+csspin_python-4.1.0rc1.dist-info/RECORD,,