SBOM export support

Cargo.toml

@@ -103,6 +103,7 @@ configparser = { version = "3.1.0" }
 console = { version = "0.16.0", default-features = false, features = ["std"] }
 csv = { version = "1.3.0" }
 ctrlc = { version = "3.4.5" }
+cyclonedx-bom = { version = "0.8.0" }
 dashmap = { version = "6.1.0" }
 data-encoding = { version = "2.6.0" }
 dotenvy = { version = "0.15.7" }

crates/uv-cli/src/lib.rs

@@ -11,8 +11,8 @@ use clap::{Args, Parser, Subcommand};
 use uv_auth::Service;
 use uv_cache::CacheArgs;
 use uv_configuration::{
-    ExportFormat, IndexStrategy, KeyringProviderType, PackageNameSpecifier, ProjectBuildBackend,
-    TargetTriple, TrustedHost, TrustedPublishing, VersionControlSystem,
+    ExportFormat, IndexStrategy, KeyringProviderType, PackageNameSpecifier, PipCompileFormat,
+    ProjectBuildBackend, TargetTriple, TrustedHost, TrustedPublishing, VersionControlSystem,
 };
 use uv_distribution_types::{
     ConfigSettingEntry, ConfigSettingPackageEntry, Index, IndexUrl, Origin, PipExtraIndex,
@@ -1306,7 +1306,7 @@ pub struct PipCompileArgs {
     /// uv will infer the output format from the file extension of the output file, if
     /// provided. Otherwise, defaults to `requirements.txt`.
     #[arg(long, value_enum)]
-    pub format: Option<ExportFormat>,
+    pub format: Option<PipCompileFormat>,
 
     /// Include extras in the output file.
     ///
@@ -4271,7 +4271,7 @@ pub struct TreeArgs {
 pub struct ExportArgs {
     /// The format to which `uv.lock` should be exported.
     ///
-    /// Supports both `requirements.txt` and `pylock.toml` (PEP 751) output formats.
+    /// Supports `requirements.txt`, `pylock.toml` (PEP 751) and `CycloneDX` v1.5 JSON output formats.
     ///
     /// uv will infer the output format from the file extension of the output file, if
     /// provided. Otherwise, defaults to `requirements.txt`.

crates/uv-configuration/src/export_format.rs

@@ -15,4 +15,30 @@ pub enum ExportFormat {
     #[serde(rename = "pylock.toml", alias = "pylock-toml")]
     #[cfg_attr(feature = "clap", clap(name = "pylock.toml", alias = "pylock-toml"))]
     PylockToml,
+    /// Export in `CycloneDX` v1.5 JSON format.
+    #[serde(rename = "cyclonedx1.5")]
+    #[cfg_attr(
+        feature = "clap",
+        clap(name = "cyclonedx1.5", alias = "cyclonedx1.5+json")
+    )]
+    CycloneDX1_5,
+}
+
+/// The output format to use in `uv pip compile`.
+#[derive(Debug, Default, Clone, Copy, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+#[serde(deny_unknown_fields, rename_all = "kebab-case")]
+#[cfg_attr(feature = "clap", derive(clap::ValueEnum))]
+pub enum PipCompileFormat {
+    /// Export in `requirements.txt` format.
+    #[default]
+    #[serde(rename = "requirements.txt", alias = "requirements-txt")]
+    #[cfg_attr(
+        feature = "clap",
+        clap(name = "requirements.txt", alias = "requirements-txt")
+    )]
+    RequirementsTxt,
+    /// Export in `pylock.toml` format.
+    #[serde(rename = "pylock.toml", alias = "pylock-toml")]
+    #[cfg_attr(feature = "clap", clap(name = "pylock.toml", alias = "pylock-toml"))]
+    PylockToml,
 }

crates/uv-preview/src/lib.rs

@@ -20,6 +20,7 @@ bitflags::bitflags! {
         const FORMAT = 1 << 8;
         const NATIVE_AUTH = 1 << 9;
         const S3_ENDPOINT = 1 << 10;
+        const SBOM_EXPORT = 1 << 11;
     }
 }
 
@@ -40,6 +41,7 @@ impl PreviewFeatures {
             Self::FORMAT => "format",
             Self::NATIVE_AUTH => "native-auth",
             Self::S3_ENDPOINT => "s3-endpoint",
+            Self::SBOM_EXPORT => "sbom-export",
             _ => panic!("`flag_as_str` can only be used for exactly one feature flag"),
         }
     }
@@ -88,6 +90,7 @@ impl FromStr for PreviewFeatures {
                 "format" => Self::FORMAT,
                 "native-auth" => Self::NATIVE_AUTH,
                 "s3-endpoint" => Self::S3_ENDPOINT,
+                "sbom-export" => Self::SBOM_EXPORT,
                 _ => {
                     warn_user_once!("Unknown preview feature: `{part}`");
                     continue;
@@ -264,6 +267,7 @@ mod tests {
         );
         assert_eq!(PreviewFeatures::FORMAT.flag_as_str(), "format");
         assert_eq!(PreviewFeatures::S3_ENDPOINT.flag_as_str(), "s3-endpoint");
+        assert_eq!(PreviewFeatures::SBOM_EXPORT.flag_as_str(), "sbom-export");
     }
 
     #[test]

crates/uv-resolver/Cargo.toml

@@ -33,6 +33,7 @@ uv-once-map = { workspace = true }
 uv-pep440 = { workspace = true }
 uv-pep508 = { workspace = true }
 uv-platform-tags = { workspace = true }
+uv-preview = { workspace = true }
 uv-pypi-types = { workspace = true }
 uv-python = { workspace = true }
 uv-redacted = { workspace = true }
@@ -41,11 +42,13 @@ uv-small-str = { workspace = true }
 uv-static = { workspace = true }
 uv-torch = { workspace = true }
 uv-types = { workspace = true }
+uv-version = { workspace = true }
 uv-warnings = { workspace = true }
 uv-workspace = { workspace = true }
 
 arcstr = { workspace = true }
 clap = { workspace = true, features = ["derive"], optional = true }
+cyclonedx-bom = { workspace = true }
 dashmap = { workspace = true }
 either = { workspace = true }
 fs-err = { workspace = true, features = ["tokio"] }
@@ -55,6 +58,7 @@ indexmap = { workspace = true }
 itertools = { workspace = true }
 jiff = { workspace = true, features = ["serde"] }
 owo-colors = { workspace = true }
+percent-encoding = { workspace = true }
 petgraph = { workspace = true }
 pubgrub = { workspace = true }
 rkyv = { workspace = true }

crates/uv-resolver/src/lib.rs

@@ -9,7 +9,7 @@ pub use fork_strategy::ForkStrategy;
 pub use lock::{
     Installable, Lock, LockError, LockVersion, Package, PackageMap, PylockToml,
     PylockTomlErrorKind, RequirementsTxtExport, ResolverManifest, SatisfiesResult, TreeDisplay,
-    VERSION,
+    VERSION, cyclonedx_json,
 };
 pub use manifest::Manifest;
 pub use options::{Flexibility, Options, OptionsBuilder};