Add SBOM export support

Cargo.toml

@@ -103,6 +103,7 @@ configparser = { version = "3.1.0" }
 console = { version = "0.16.0", default-features = false, features = ["std"] }
 csv = { version = "1.3.0" }
 ctrlc = { version = "3.4.5" }
+cyclonedx-bom = { version = "0.8.0" }
 dashmap = { version = "6.1.0" }
 data-encoding = { version = "2.6.0" }
 dotenvy = { version = "0.15.7" }

crates/uv-cli/src/lib.rs

@@ -14,8 +14,8 @@ use clap::{Args, Parser, Subcommand};
 use uv_auth::Service;
 use uv_cache::CacheArgs;
 use uv_configuration::{
-    ExportFormat, IndexStrategy, KeyringProviderType, PackageNameSpecifier, ProjectBuildBackend,
-    TargetTriple, TrustedHost, TrustedPublishing, VersionControlSystem,
+    ExportFormat, IndexStrategy, KeyringProviderType, PackageNameSpecifier, PipCompileFormat,
+    ProjectBuildBackend, TargetTriple, TrustedHost, TrustedPublishing, VersionControlSystem,
 };
 use uv_distribution_types::{
     ConfigSettingEntry, ConfigSettingPackageEntry, Index, IndexUrl, Origin, PipExtraIndex,
@@ -1442,7 +1442,7 @@ pub struct PipCompileArgs {
     /// uv will infer the output format from the file extension of the output file, if
     /// provided. Otherwise, defaults to `requirements.txt`.
     #[arg(long, value_enum)]
-    pub format: Option<ExportFormat>,
+    pub format: Option<PipCompileFormat>,
 
     /// Include extras in the output file.
     ///
@@ -4543,9 +4543,10 @@ pub struct TreeArgs {
 
 #[derive(Args)]
 pub struct ExportArgs {
+    #[allow(clippy::doc_markdown)]
     /// The format to which `uv.lock` should be exported.
     ///
-    /// Supports both `requirements.txt` and `pylock.toml` (PEP 751) output formats.
+    /// Supports `requirements.txt`, `pylock.toml` (PEP 751) and CycloneDX v1.5 JSON output formats.
     ///
     /// uv will infer the output format from the file extension of the output file, if
     /// provided. Otherwise, defaults to `requirements.txt`.

crates/uv-configuration/src/export_format.rs

@@ -15,4 +15,30 @@ pub enum ExportFormat {
     #[serde(rename = "pylock.toml", alias = "pylock-toml")]
     #[cfg_attr(feature = "clap", clap(name = "pylock.toml", alias = "pylock-toml"))]
     PylockToml,
+    /// Export in `CycloneDX` v1.5 JSON format.
+    #[serde(rename = "cyclonedx1.5")]
+    #[cfg_attr(
+        feature = "clap",
+        clap(name = "cyclonedx1.5", alias = "cyclonedx1.5+json")
+    )]
+    CycloneDX1_5,
+}
+
+/// The output format to use in `uv pip compile`.
+#[derive(Debug, Default, Clone, Copy, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+#[serde(deny_unknown_fields, rename_all = "kebab-case")]
+#[cfg_attr(feature = "clap", derive(clap::ValueEnum))]
+pub enum PipCompileFormat {
+    /// Export in `requirements.txt` format.
+    #[default]
+    #[serde(rename = "requirements.txt", alias = "requirements-txt")]
+    #[cfg_attr(
+        feature = "clap",
+        clap(name = "requirements.txt", alias = "requirements-txt")
+    )]
+    RequirementsTxt,
+    /// Export in `pylock.toml` format.
+    #[serde(rename = "pylock.toml", alias = "pylock-toml")]
+    #[cfg_attr(feature = "clap", clap(name = "pylock.toml", alias = "pylock-toml"))]
+    PylockToml,
 }

crates/uv-preview/src/lib.rs

@@ -25,6 +25,7 @@ bitflags::bitflags! {
         const WORKSPACE_METADATA = 1 << 13;
         const WORKSPACE_DIR = 1 << 14;
         const WORKSPACE_LIST = 1 << 15;
+        const SBOM_EXPORT = 1 << 16;
     }
 }
 
@@ -50,6 +51,7 @@ impl PreviewFeatures {
             Self::WORKSPACE_METADATA => "workspace-metadata",
             Self::WORKSPACE_DIR => "workspace-dir",
             Self::WORKSPACE_LIST => "workspace-list",
+            Self::SBOM_EXPORT => "sbom-export",
             _ => panic!("`flag_as_str` can only be used for exactly one feature flag"),
         }
     }
@@ -103,6 +105,7 @@ impl FromStr for PreviewFeatures {
                 "workspace-metadata" => Self::WORKSPACE_METADATA,
                 "workspace-dir" => Self::WORKSPACE_DIR,
                 "workspace-list" => Self::WORKSPACE_LIST,
+                "sbom-export" => Self::SBOM_EXPORT,
                 _ => {
                     warn_user_once!("Unknown preview feature: `{part}`");
                     continue;
@@ -278,6 +281,7 @@ mod tests {
         );
         assert_eq!(PreviewFeatures::FORMAT.flag_as_str(), "format");
         assert_eq!(PreviewFeatures::S3_ENDPOINT.flag_as_str(), "s3-endpoint");
+        assert_eq!(PreviewFeatures::SBOM_EXPORT.flag_as_str(), "sbom-export");
     }
 
     #[test]

crates/uv-resolver/Cargo.toml

@@ -33,6 +33,7 @@ uv-once-map = { workspace = true }
 uv-pep440 = { workspace = true }
 uv-pep508 = { workspace = true }
 uv-platform-tags = { workspace = true }
+uv-preview = { workspace = true }
 uv-pypi-types = { workspace = true }
 uv-python = { workspace = true }
 uv-redacted = { workspace = true }
@@ -41,11 +42,13 @@ uv-small-str = { workspace = true }
 uv-static = { workspace = true }
 uv-torch = { workspace = true }
 uv-types = { workspace = true }
+uv-version = { workspace = true }
 uv-warnings = { workspace = true }
 uv-workspace = { workspace = true }
 
 arcstr = { workspace = true }
 clap = { workspace = true, features = ["derive"], optional = true }
+cyclonedx-bom = { workspace = true }
 dashmap = { workspace = true }
 either = { workspace = true }
 fs-err = { workspace = true, features = ["tokio"] }
@@ -55,6 +58,7 @@ indexmap = { workspace = true }
 itertools = { workspace = true }
 jiff = { workspace = true, features = ["serde"] }
 owo-colors = { workspace = true }
+percent-encoding = { workspace = true }
 petgraph = { workspace = true }
 pubgrub = { workspace = true }
 rkyv = { workspace = true }

crates/uv-resolver/src/lib.rs

@@ -9,7 +9,7 @@ pub use fork_strategy::ForkStrategy;
 pub use lock::{
     Installable, Lock, LockError, LockVersion, Package, PackageMap, PylockToml,
     PylockTomlErrorKind, RequirementsTxtExport, ResolverManifest, SatisfiesResult, TreeDisplay,
-    VERSION,
+    VERSION, cyclonedx_json,
 };
 pub use manifest::Manifest;
 pub use options::{Flexibility, Options, OptionsBuilder};