
Tool name: CycloneDX Python Library #60

Open
@jkowalleck

Description

@jkowalleck

homepage_url

https://github.com/CycloneDX/cyclonedx-python-lib#readme-ov-file

contact_email

jan.kowalleck [at] owasp.org

code_view_url

https://github.com/CycloneDX/cyclonedx-python-lib

spdx_license_expression

Apache-2.0

description

This Python package (library) provides data models, validators and more to help you create, render and read CycloneDX documents.

Responsibilities

  • Provide a general-purpose Python implementation of CycloneDX.
  • Provide type hints for said implementation, so developers and dev-tools can rely on it.
  • Provide data models to work with CycloneDX.
  • Provide data model-validators according to CycloneDX Specification.
  • Provide JSON and XML serializers that…
    • support all shipped data models.
    • respect any supported CycloneDX Specification and generate valid output accordingly.
    • generate reproducible/deterministic results.
  • Provide formal JSON and XML validators according to the CycloneDX Specification.
  • Provide mechanisms for JSON and XML deserialization of all shipped data models.
  • Pre-populate bom-ref, so linkage is possible. (affects only some data models)

Capabilities

  • Enums and Data models for the following use cases:
    • Bom and Metadata
    • BomRef
    • Component, Evidence, Patch, Pedigree, and more
    • Organizational Contact and Entity
    • Cryptographic properties and more
    • Definition and Standard
    • Dependency
    • Impact and related Analysis
    • Issue
    • License Named, SPDX, Expression, and more
    • Lifecycle
    • Release Notes
    • Service
    • Tool
    • Vulnerability and related Analysis
    • Attachment Copyright, DataFlow, ExternalReference, Hash, Property, and more
  • Factories for the following use cases:
    • Create data models from any license descriptor string
  • Builders for the following use cases:
    • Build a Component data model that represents this library
    • Build a Tool data model that represents this library
  • Implementation of the CycloneDX Specification for the following versions:
    • 1.6
    • 1.5
    • 1.4
    • 1.3
    • 1.2
    • 1.1
    • 1.0
  • Serializer that converts Bom data models to XML string
  • Serializer that converts Bom data models to JSON string
  • Formal validators for JSON string and XML string.
  • Shipped data models are serializable to and deserializable from both JSON and XML.

primary_languages

Python

short_term_roadmap

all things are community efforts - come and help/contribute

long_term_roadmap

all things are community efforts - come and help/contribute

proprietary_data

  • Yes, the tool depends on proprietary data sources

commercial_features

  • Yes, the tool has a commercial version with different/additional features

capabilities

  • Identifiers - Use Package-URL (PURL) identifiers
  • Identifiers - Use SPDX license expressions
  • Scanning - Analyze package manifests and lockfiles
  • Scanning - Analyze package files
  • Scanning - Scan for copyright
  • Scanning - Scan for license
  • Scanning - Analyze source code
  • Scanning - Analyze containers
  • Scanning - Analyze installed system packages (linux distros)
  • Scanning - Analyze installed application packages
  • Scanning - Other analysis
  • Packages - Inventory packages
  • Packages - Inventory packages dependencies
  • Packages - Resolve dependencies
  • Packages - Navigate or display dependency graph
  • Compliance - Generate CycloneDX SBOMs
  • Compliance - Generate SPDX SBOMs
  • Compliance - Validate CycloneDX SBOM
  • Compliance - Validate SPDX SBOMs
  • Compliance - Generate CycloneDX VEX
  • Compliance - Generate CSAF VEX
  • Compliance - Generate OpenVex
  • Compliance - Generate other compliance documents
  • Policies - Define and check license policies
  • Policies - Define and check security policies
  • Policies - Define and check other policies
  • Data - Database of Package metadata
  • Data - Database of Package dependency relationships
  • Data - Database of License obligations
  • Data - Database of Licenses
  • Data - Database of Vulnerabilities
  • License - Help triage license issues
  • License - Generate license credit and attribution notices
  • License - Generate source code redistribution lists
  • Vulnerabilities - Detect vulnerable code in packages
  • Vulnerabilities - Find known vulnerabilities for package
  • Vulnerabilities - Determine reachable vulnerabilities
  • Vulnerabilities - Help triage vulnerabilities
  • Binaries - Analyze binaries
  • Binaries - Analyze ELF binaries
  • Binaries - Analyze Windows binaries
  • Binaries - Analyze firmware binaries
  • Binaries - Analyze Other binaries
  • Matching - Match source code
  • Matching - Match binary code
  • Tracing - Trace code execution
  • Tracing - Trace build
  • Code Security - Analyze code statically (SAST/linting)
  • Code Security - Analyze code dynamically (DAST)
  • Download - Source package
  • Download - Source repositories
  • Download - Binary package
  • Deployment - Deployable as containers (Docker/OCI/k8s/etc)
  • Deployment - Deployable in CI/CD pipelines
  • Deployment - Deployable as a library
  • Run - Run as a command line tool
  • Run - Run as a web application
  • Run - Run as an API service

other_capabilities

License triage - When incorrect SPDX license identifiers are detected, they are mapped to correct SPDX license identifiers where possible, and this is identified.
