
feat: add uv subcommand #1028

Draft
m7mdhka wants to merge 5 commits into CycloneDX:main from m7mdhka:main

Conversation

@m7mdhka commented Mar 22, 2026

Description

This pull request adds first-class support for uv-managed projects by implementing a new uv subcommand that builds CycloneDX SBOMs from pyproject.toml and uv.lock, instead of relying only on scanning a virtual environment.

What changed

  • cyclonedx_py/_internal/uv.py (UvBB)
    Resolves dependencies from the lockfile, respects PEP 735 dependency-groups and uv’s group/extra semantics (including options such as --group / --no-group / --only-group, --all-groups, --no-default-groups, --no-dev, -E / --all-extras, and optional resolution-markers handling where applicable). Produces components with PURLs, distribution external references (sdist/wheels), and dependency relationships consistent with other backends.

  • CLI (cyclonedx_py/_internal/cli.py)
    Registers UvBB under the uv subcommand.

  • Documentation

    • README.md: lists uv manifest + lockfile as supported; help snippet includes uv.
    • docs/usage.rst: dedicated “For uv” section with cyclonedx-py uv --help style output and usage notes.
  • Packaging metadata (pyproject.toml)
    Adds uv to package keywords for discoverability.

  • Tests

    • tests/integration/test_cli_uv.py – CLI + snapshot regression for uv fixtures.
    • tests/unit/test_uv.py – unit coverage for uv parsing/behavior.
    • tests/_data/infiles/uv/via-uv/ – sample pyproject.toml + uv.lock.
    • tests/_data/snapshots/uv/ – golden JSON/XML snapshots across CycloneDX spec versions used by the suite.

Quality / CI

  • mypy (mypy-lowest, Python 3.9): marker environment from default_environment(), bom_ref typing helper, and group set typing fixes.
  • flake8: isort order for cli imports; remove duplicate ComponentType in TYPE_CHECKING; # noqa: C901 + signature wrapping where complexity is high; W391 fix on test_cli_uv.py.

Motivation

uv is widely used for lockfile-centric workflows; a dedicated path gives reproducible SBOMs aligned with the lockfile and documents uv-specific behavior in the manual.

Resolves or fixes issue: #1029.


AI Tool Disclosure

  • My contribution does not include any AI-generated content
  • My contribution includes AI-generated content, as disclosed below:
    • AI Tools: OpenAI
    • LLMs and versions: gpt 5.2 (extra-high)
    • Prompts: [e.g. backbone for the uv file, mypy/flake8 fixes]

Affirmation

m7mdhka and others added 5 commits March 23, 2026 01:00

Implement UvBB to build CycloneDX SBOMs from pyproject.toml and uv.lock,
including dependency groups and extras. Register the subcommand in the CLI,
document usage in README and docs/usage.rst, and add uv to package keywords.

Signed-off-by: Mohammed Abbadi <mhamedrhamnah@gmail.com>

- Build marker env base from default_environment() items as str/str pairs.
- Use a mutable set when assembling dependency groups before frozenset.
- Add _bom_ref_value helper for non-optional bom_ref string keys.

Signed-off-by: Mohammed Abbadi <mhamedrhamnah@gmail.com>

- Sort local imports in cli.py for isort (I001).
- Drop duplicate ComponentType in TYPE_CHECKING; add noqa for high-complexity
  uv methods; wrap long signatures (F811, C901, E501, E125).

Signed-off-by: Mohammed Abbadi <mhamedrhamnah@gmail.com>

Fix flake8 W391 (blank line at end of file).

Signed-off-by: Mohammed Abbadi <mhamedrhamnah@gmail.com>
@m7mdhka m7mdhka requested a review from a team as a code owner March 22, 2026 23:02
@read-the-docs-community

Documentation build overview

📚 CycloneDX Python SBOM Tool | 🛠️ Build #31920658 | 📁 Comparing 39fc1ca against latest (ecf8768)


🔍 Preview build

Show files changed (2 files in total): 📝 2 modified | ➕ 0 added | ➖ 0 deleted
File Status
index.html 📝 modified
usage.html 📝 modified

@jkowalleck (Member)

Thanks for pushing this topic forward.

We don't have any issue discussing integration with uv so far, do we?
Before adding any new capability, please create an issue (ticket), so we can discuss the context, value, (use-/edge-/none-)cases, (technical and non-technical) requirements, etc.

As long as these things are not clarified, I will put this PR in "draft" mode.

@jkowalleck jkowalleck marked this pull request as draft March 23, 2026 14:12
@jkowalleck jkowalleck changed the title feat: add uv subcommand for SBOM from pyproject.toml and uv.lock feat: add uv subcommand Mar 24, 2026
@jkowalleck jkowalleck added enhancement New feature or request source: uv labels Mar 24, 2026
@jkowalleck (Member)

might close #907

@jkowalleck jkowalleck linked an issue Mar 24, 2026 that may be closed by this pull request