uv-sbom-bin 1.0.0__tar.gz → 1.1.0__tar.gz

uv_sbom_bin-1.1.0/PKG-INFO

@@ -0,0 +1,194 @@
+Metadata-Version: 2.4
+Name: uv-sbom-bin
+Version: 1.1.0
+Summary: Python wrapper for uv-sbom - SBOM generation tool for uv projects
+Project-URL: Homepage, https://github.com/Taketo-Yoda/uv-sbom
+Project-URL: Repository, https://github.com/Taketo-Yoda/uv-sbom
+Project-URL: Bug Tracker, https://github.com/Taketo-Yoda/uv-sbom/issues
+Author-email: Taketo Yoda <exhaust7.drs@gmail.com>
+License: MIT
+Keywords: cyclonedx,python-wrapper,sbom,security,supply-chain,uv
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Build Tools
+Classifier: Topic :: System :: Software Distribution
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+
+# uv-sbom-bin
+
+[![PyPI - Version](https://img.shields.io/pypi/v/uv-sbom-bin?logo=python&logoColor=white)](https://pypi.org/project/uv-sbom-bin/)
+[![PyPI - Downloads](https://img.shields.io/pypi/dm/uv-sbom-bin?logo=pypi&logoColor=white)](https://pypi.org/project/uv-sbom-bin/)
+[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/Taketo-Yoda/uv-sbom/blob/main/LICENSE)
+[![CI](https://github.com/Taketo-Yoda/uv-sbom/actions/workflows/ci.yml/badge.svg)](https://github.com/Taketo-Yoda/uv-sbom/actions/workflows/ci.yml)
+
+Python wrapper for the `uv-sbom` CLI tool written in Rust.
+
+Generate SBOMs (Software Bill of Materials) for Python projects managed by [uv](https://github.com/astral-sh/uv).
+
+## Features
+
+- **Fast and standalone** - Written in Rust, no Python dependencies required at runtime
+- **Multiple output formats** - CycloneDX 1.6 JSON (standard) and Markdown (human-readable)
+- **Vulnerability scanning** - Check for known CVEs using OSV API with `--check-cve`
+- **Configurable thresholds** - Filter vulnerabilities by severity or CVSS score
+- **Package exclusion** - Exclude internal packages with `--exclude` patterns
+- **Configuration file support** - Define defaults in `uv-sbom.config.yml`
+- **CI/CD ready** - Exit codes for easy integration into pipelines
+- **License detection** - Automatically fetches license info from PyPI
+
+## Why uv-sbom?
+
+Unlike other SBOM tools that scan the entire virtual environment, `uv-sbom` focuses on **production runtime dependencies** from `uv.lock`:
+
+| Aspect | uv-sbom | CycloneDX Official Tools |
+|--------|---------|--------------------------|
+| **Data Source** | `uv.lock` file | `.venv` virtual environment |
+| **Scope** | Production dependencies only | Entire supply chain |
+| **Package Count** | Fewer (e.g., 16 packages) | More (e.g., 38+ packages) |
+| **Use Case** | Production security scanning | Comprehensive audit |
+
+This focused approach reduces noise in security scanning by excluding build-time dependencies that don't ship with your application.
+
+## Installation
+
+### Via uv (Recommended)
+
+```bash
+uv tool install uv-sbom-bin
+```
+
+### Via pip
+
+```bash
+pip install uv-sbom-bin
+```
+
+After installation, the `uv-sbom` command will be available in your PATH.
+
+> **Note**: The package name is `uv-sbom-bin`, but the installed command is `uv-sbom`.
+
+## Usage
+
+### Basic Commands
+
+```bash
+# Show version
+uv-sbom --version
+
+# Generate CycloneDX JSON SBOM (default)
+uv-sbom --format json
+
+# Generate Markdown SBOM
+uv-sbom --format markdown --output SBOM.md
+```
+
+### Vulnerability Checking
+
+```bash
+# Check for all vulnerabilities
+uv-sbom --format markdown --check-cve
+
+# Check for High/Critical severity only
+uv-sbom --format markdown --check-cve --severity-threshold high
+
+# Check for CVSS >= 7.0
+uv-sbom --format markdown --check-cve --cvss-threshold 7.0
+
+# Ignore specific CVEs
+uv-sbom --format markdown --check-cve --ignore-cve CVE-2024-1234
+```
+
+### Excluding Packages
+
+```bash
+# Exclude specific packages
+uv-sbom -e "pytest" -e "mypy"
+
+# Exclude with wildcards
+uv-sbom -e "*-dev" -e "debug-*"
+```
+
+### Configuration File
+
+Create a `uv-sbom.config.yml` file in your project directory:
+
+```yaml
+format: markdown
+check_cve: true
+severity_threshold: high
+exclude_packages:
+  - "pytest"
+  - "*-dev"
+ignore_cves:
+  - id: CVE-2024-1234
+    reason: "False positive for our use case"
+```
+
+Generate a template:
+
+```bash
+uv-sbom --init
+```
+
+### CI Integration
+
+```yaml
+# GitHub Actions example
+- name: Security Check
+  run: uv-sbom --format markdown --check-cve --severity-threshold high
+```
+
+## Output Example
+
+Markdown format with vulnerability report:
+
+```markdown
+# Software Bill of Materials (SBOM)
+
+## Component Inventory
+
+| Package | Version | License | Description |
+|---------|---------|---------|-------------|
+| requests | 2.31.0 | Apache 2.0 | HTTP library for Python |
+| pydantic | 2.12.5 | MIT | Data validation using Python type hints |
+
+## Vulnerability Report
+
+| Package | Current | Fixed | CVSS | Severity | CVE ID |
+|---------|---------|-------|------|----------|--------|
+| urllib3 | 2.0.0 | 2.0.7 | 9.8 | CRITICAL | CVE-2023-45803 |
+```
+
+## How It Works
+
+This package downloads the prebuilt Rust binary for your platform from the [GitHub releases](https://github.com/Taketo-Yoda/uv-sbom/releases) and installs it.
+
+**Supported platforms:**
+- macOS (Apple Silicon and Intel)
+- Linux (x86_64)
+- Windows (x86_64)
+
+## Full Documentation
+
+For comprehensive documentation including:
+- Complete command-line reference
+- Security input validation details
+- Network requirements and proxy configuration
+- Exit codes and error handling
+- Troubleshooting guide
+
+Visit the main repository: **[uv-sbom on GitHub](https://github.com/Taketo-Yoda/uv-sbom)**
+
+## License
+
+MIT License - see [LICENSE](https://github.com/Taketo-Yoda/uv-sbom/blob/main/LICENSE)

uv_sbom_bin-1.1.0/README.md

@@ -0,0 +1,168 @@
+# uv-sbom-bin
+
+[![PyPI - Version](https://img.shields.io/pypi/v/uv-sbom-bin?logo=python&logoColor=white)](https://pypi.org/project/uv-sbom-bin/)
+[![PyPI - Downloads](https://img.shields.io/pypi/dm/uv-sbom-bin?logo=pypi&logoColor=white)](https://pypi.org/project/uv-sbom-bin/)
+[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/Taketo-Yoda/uv-sbom/blob/main/LICENSE)
+[![CI](https://github.com/Taketo-Yoda/uv-sbom/actions/workflows/ci.yml/badge.svg)](https://github.com/Taketo-Yoda/uv-sbom/actions/workflows/ci.yml)
+
+Python wrapper for the `uv-sbom` CLI tool written in Rust.
+
+Generate SBOMs (Software Bill of Materials) for Python projects managed by [uv](https://github.com/astral-sh/uv).
+
+## Features
+
+- **Fast and standalone** - Written in Rust, no Python dependencies required at runtime
+- **Multiple output formats** - CycloneDX 1.6 JSON (standard) and Markdown (human-readable)
+- **Vulnerability scanning** - Check for known CVEs using OSV API with `--check-cve`
+- **Configurable thresholds** - Filter vulnerabilities by severity or CVSS score
+- **Package exclusion** - Exclude internal packages with `--exclude` patterns
+- **Configuration file support** - Define defaults in `uv-sbom.config.yml`
+- **CI/CD ready** - Exit codes for easy integration into pipelines
+- **License detection** - Automatically fetches license info from PyPI
+
+## Why uv-sbom?
+
+Unlike other SBOM tools that scan the entire virtual environment, `uv-sbom` focuses on **production runtime dependencies** from `uv.lock`:
+
+| Aspect | uv-sbom | CycloneDX Official Tools |
+|--------|---------|--------------------------|
+| **Data Source** | `uv.lock` file | `.venv` virtual environment |
+| **Scope** | Production dependencies only | Entire supply chain |
+| **Package Count** | Fewer (e.g., 16 packages) | More (e.g., 38+ packages) |
+| **Use Case** | Production security scanning | Comprehensive audit |
+
+This focused approach reduces noise in security scanning by excluding build-time dependencies that don't ship with your application.
+
+## Installation
+
+### Via uv (Recommended)
+
+```bash
+uv tool install uv-sbom-bin
+```
+
+### Via pip
+
+```bash
+pip install uv-sbom-bin
+```
+
+After installation, the `uv-sbom` command will be available in your PATH.
+
+> **Note**: The package name is `uv-sbom-bin`, but the installed command is `uv-sbom`.
+
+## Usage
+
+### Basic Commands
+
+```bash
+# Show version
+uv-sbom --version
+
+# Generate CycloneDX JSON SBOM (default)
+uv-sbom --format json
+
+# Generate Markdown SBOM
+uv-sbom --format markdown --output SBOM.md
+```
+
+### Vulnerability Checking
+
+```bash
+# Check for all vulnerabilities
+uv-sbom --format markdown --check-cve
+
+# Check for High/Critical severity only
+uv-sbom --format markdown --check-cve --severity-threshold high
+
+# Check for CVSS >= 7.0
+uv-sbom --format markdown --check-cve --cvss-threshold 7.0
+
+# Ignore specific CVEs
+uv-sbom --format markdown --check-cve --ignore-cve CVE-2024-1234
+```
+
+### Excluding Packages
+
+```bash
+# Exclude specific packages
+uv-sbom -e "pytest" -e "mypy"
+
+# Exclude with wildcards
+uv-sbom -e "*-dev" -e "debug-*"
+```
+
+### Configuration File
+
+Create a `uv-sbom.config.yml` file in your project directory:
+
+```yaml
+format: markdown
+check_cve: true
+severity_threshold: high
+exclude_packages:
+  - "pytest"
+  - "*-dev"
+ignore_cves:
+  - id: CVE-2024-1234
+    reason: "False positive for our use case"
+```
+
+Generate a template:
+
+```bash
+uv-sbom --init
+```
+
+### CI Integration
+
+```yaml
+# GitHub Actions example
+- name: Security Check
+  run: uv-sbom --format markdown --check-cve --severity-threshold high
+```
+
+## Output Example
+
+Markdown format with vulnerability report:
+
+```markdown
+# Software Bill of Materials (SBOM)
+
+## Component Inventory
+
+| Package | Version | License | Description |
+|---------|---------|---------|-------------|
+| requests | 2.31.0 | Apache 2.0 | HTTP library for Python |
+| pydantic | 2.12.5 | MIT | Data validation using Python type hints |
+
+## Vulnerability Report
+
+| Package | Current | Fixed | CVSS | Severity | CVE ID |
+|---------|---------|-------|------|----------|--------|
+| urllib3 | 2.0.0 | 2.0.7 | 9.8 | CRITICAL | CVE-2023-45803 |
+```
+
+## How It Works
+
+This package downloads the prebuilt Rust binary for your platform from the [GitHub releases](https://github.com/Taketo-Yoda/uv-sbom/releases) and installs it.
+
+**Supported platforms:**
+- macOS (Apple Silicon and Intel)
+- Linux (x86_64)
+- Windows (x86_64)
+
+## Full Documentation
+
+For comprehensive documentation including:
+- Complete command-line reference
+- Security input validation details
+- Network requirements and proxy configuration
+- Exit codes and error handling
+- Troubleshooting guide
+
+Visit the main repository: **[uv-sbom on GitHub](https://github.com/Taketo-Yoda/uv-sbom)**
+
+## License
+
+MIT License - see [LICENSE](https://github.com/Taketo-Yoda/uv-sbom/blob/main/LICENSE)

{uv_sbom_bin-1.0.0 → uv_sbom_bin-1.1.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "uv-sbom-bin"
-version = "1.0.0"
+version = "1.1.0"
 description = "Python wrapper for uv-sbom - SBOM generation tool for uv projects"
 readme = "README.md"
 license = { text = "MIT" }

{uv_sbom_bin-1.0.0 → uv_sbom_bin-1.1.0}/uv_sbom_bin/install.py

@@ -9,7 +9,7 @@ from pathlib import Path
 from urllib.request import urlretrieve
 
 # Version of uv-sbom to install
-UV_SBOM_VERSION = "1.0.0"
+UV_SBOM_VERSION = "1.1.0"
 
 # GitHub release URL template
 RELEASE_URL_TEMPLATE = (

uv_sbom_bin-1.0.0/PKG-INFO

@@ -1,73 +0,0 @@
-Metadata-Version: 2.4
-Name: uv-sbom-bin
-Version: 1.0.0
-Summary: Python wrapper for uv-sbom - SBOM generation tool for uv projects
-Project-URL: Homepage, https://github.com/Taketo-Yoda/uv-sbom
-Project-URL: Repository, https://github.com/Taketo-Yoda/uv-sbom
-Project-URL: Bug Tracker, https://github.com/Taketo-Yoda/uv-sbom/issues
-Author-email: Taketo Yoda <exhaust7.drs@gmail.com>
-License: MIT
-Keywords: cyclonedx,python-wrapper,sbom,security,supply-chain,uv
-Classifier: Development Status :: 5 - Production/Stable
-Classifier: Intended Audience :: Developers
-Classifier: License :: OSI Approved :: MIT License
-Classifier: Operating System :: OS Independent
-Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.8
-Classifier: Programming Language :: Python :: 3.9
-Classifier: Programming Language :: Python :: 3.10
-Classifier: Programming Language :: Python :: 3.11
-Classifier: Programming Language :: Python :: 3.12
-Classifier: Topic :: Security
-Classifier: Topic :: Software Development :: Build Tools
-Classifier: Topic :: System :: Software Distribution
-Requires-Python: >=3.8
-Description-Content-Type: text/markdown
-
-# uv-sbom-bin
-
-Python wrapper for the `uv-sbom` CLI tool written in Rust.
-
-This package allows Python users to install `uv-sbom` via PyPI and use it with `uv tool install`.
-
-## Installation
-
-### Via pip
-
-```bash
-pip install uv-sbom-bin
-```
-
-### Via uv
-
-```bash
-uv tool install uv-sbom-bin
-```
-
-## Usage
-
-After installation, the `uv-sbom` command will be available in your PATH:
-
-```bash
-uv-sbom --version
-uv-sbom --format json
-uv-sbom --format markdown --output SBOM.md
-```
-
-## How It Works
-
-This package downloads the prebuilt Rust binary for your platform from the [GitHub releases](https://github.com/Taketo-Yoda/uv-sbom/releases) and installs it.
-
-Supported platforms:
-- macOS (Apple Silicon and Intel)
-- Linux (x86_64)
-- Windows (x86_64)
-
-## Development
-
-This is a wrapper package. The actual tool is developed at:
-https://github.com/Taketo-Yoda/uv-sbom
-
-## License
-
-MIT License - see [LICENSE](https://github.com/Taketo-Yoda/uv-sbom/blob/main/LICENSE)

uv_sbom_bin-1.0.0/README.md

@@ -1,47 +0,0 @@
-# uv-sbom-bin
-
-Python wrapper for the `uv-sbom` CLI tool written in Rust.
-
-This package allows Python users to install `uv-sbom` via PyPI and use it with `uv tool install`.
-
-## Installation
-
-### Via pip
-
-```bash
-pip install uv-sbom-bin
-```
-
-### Via uv
-
-```bash
-uv tool install uv-sbom-bin
-```
-
-## Usage
-
-After installation, the `uv-sbom` command will be available in your PATH:
-
-```bash
-uv-sbom --version
-uv-sbom --format json
-uv-sbom --format markdown --output SBOM.md
-```
-
-## How It Works
-
-This package downloads the prebuilt Rust binary for your platform from the [GitHub releases](https://github.com/Taketo-Yoda/uv-sbom/releases) and installs it.
-
-Supported platforms:
-- macOS (Apple Silicon and Intel)
-- Linux (x86_64)
-- Windows (x86_64)
-
-## Development
-
-This is a wrapper package. The actual tool is developed at:
-https://github.com/Taketo-Yoda/uv-sbom
-
-## License
-
-MIT License - see [LICENSE](https://github.com/Taketo-Yoda/uv-sbom/blob/main/LICENSE)