CycloneDX Python Library

---

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction.

This Python package provides data models and tools for working with CycloneDX documents.

Note: This package is a software library not intended for standalone use. For generating Software Bill of Materials (SBOM), check out CycloneDX Python or Jake.

Installation

Via pip:

pip install cyclonedx-python-lib

Via Conda:

conda install -c conda-forge cyclonedx-python-lib

Python Support

We endeavor to support all functionality for all current actively supported Python versions. However, some features may not be possible/present in older Python versions due to their lack of support.

VEX Support

As of version 3.0.0, the library supports CycloneDX VEX documents production with official example compatibility for linking VEX to separate CycloneDX documents.

Documentation

Complete documentation is available on Read the Docs. This includes:

• API Reference
• Usage Examples
• Integration Guides
• Best Practices

Responsibilities

• Provide a general-purpose Python implementation of CycloneDX
• Provide type hints for implementation support
• Support JSON/XML document parsing and generation
• Validate CycloneDX documents against schema specifications
• Support multiple CycloneDX specification versions
• Maintain comprehensive data models for BOM manipulation
• Enable pip-based installation for downstream usage

Capabilities

Enums

• BomFormat - BOM format types
• ComponentType - Types of components (e.g., APPLICATION, LIBRARY)
• ComponentScope - Component scope types
• DataFlow - Data flow types
• Encoding - Encoding types
• ExternalReferenceType - Types of external references
• HashAlgorithm - Supported hash algorithms
• ImpactAnalysisAffectedStatus - Impact analysis affected status types
• ImpactAnalysisJustification - Impact analysis justification types
• ImpactAnalysisResponse - Impact analysis response types
• ImpactAnalysisState - Impact analysis state types
• IssueClassification - Issue classification types
• LifecyclePhase - Lifecycle phase types
• PatchClassification - Patch classification types
• VulnerabilityScoreSource - Vulnerability score source types
• VulnerabilitySeverity - Vulnerability severity types

Data Models

Core Models

• Bom - Core BOM model
• BomRef - BOM reference handling
• Metadata - BOM metadata

Component & Service Models

• Component - Component representation
• ComponentEvidence - Component evidence data
• Service - Service representation

Dependency Models

• Dependency - Dependency information
• DependencyGraph - Dependency relationships

License Models

• License - Base license model
• LicenseExpression - License expression handling
• NamedLicense - Named license representation
• SpdxLicense - SPDX license support

Analysis Models

• ImpactAnalysis - Impact analysis data
• Issue - Issue tracking
• Vulnerability - Vulnerability information

Reference & Organization Models

• ExternalReference - External reference data
• Hash - Hash information
• OrganizationalContact - Contact information
• OrganizationalEntity - Organization information

Management Models

• Property - Property handling
• Tool - Tool representation

Repository Models

• BomRefRepository - BOM reference management
• ComponentRepository - Component management
• ExternalReferenceRepository - External reference management
• LicenseRepository - License management
• PropertyRepository - Property management
• ToolRepository - Tool management

Utilities

• Serial number generation for BOMs
• Hash calculation helpers
• License expression parsing
• XML/JSON serialization helpers

Specification Support

• 1.6
• 1.5
• 1.4
• 1.3
• 1.2
• 1.1

Contributing

Feel free to open issues, bug reports or pull requests.
See the CONTRIBUTING file for details.

Copyright & License

CycloneDX Python Lib is Copyright (c) OWASP Foundation. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.