
How to Generate SBOMs for Python Packages with `pipdeptree` and `cyclonedx-py`

By Viktor, July 30, 2024

Software Bills of Materials (SBOMs) are essential for transparency and security in software supply chains. This guide shows how to use pipdeptree and cyclonedx-py to generate SBOMs for Python projects, including all transitive dependencies. We also reference a comprehensive guide on generating SBOMs for Python packages using Docker and Django CMS.

Why SBOMs Matter

SBOMs provide a detailed inventory of all components in a software project, helping with:

  • Security: Identifying and fixing vulnerabilities.
  • Compliance: Meeting legal and regulatory standards.
  • Maintenance: Ensuring software stability.

See our article What is an SBOM for more details.

Step-by-Step Guide to Generating SBOMs

Using pipdeptree for Dependency Analysis

pipdeptree visualizes the dependency tree of installed Python packages, making it ideal for SBOM generation.

Installation

Install pipdeptree with pip:

$ pip install pipdeptree

Generate the Dependency Tree

Run this command to write the dependency tree, in pip freeze format, to a requirements.txt file:

$ pipdeptree --freeze > requirements.txt

This output includes all installed packages and their dependencies, providing the necessary data for a comprehensive SBOM.

Exploding the SBOM

To fully capture all dependencies, including transitive ones, it’s essential to “explode” the SBOM: list every package in the tree, not only the ones you installed directly. pipdeptree does this by mapping out the entire dependency tree, so its output already contains the packages your direct dependencies pull in.
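The following is an added example, not code from the original post or from the pipdeptree project. It shows what “exploding” the tree means in practice: the `--freeze` output is indented (top-level packages at column 0, each dependency level two spaces deeper), and the same transitive package is printed once under every package that needs it. The script parses that layout, collapses the repeats into one pinned entry per package, separates top-level packages from those only reached through another package, and checks that no package appears with two different versions. The sample text is constructed, not captured from a real environment, and its version numbers are illustrative.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `pipdeptree --freeze` output (not captured from a real
# environment; versions are illustrative). Top-level packages sit at column 0,
# each dependency level is indented two more spaces, and MarkupSafe appears
# twice (under Werkzeug and under Jinja2) exactly as pipdeptree prints it.
SAMPLE_FREEZE = """\
flask==3.0.3
  Werkzeug==3.0.3
    MarkupSafe==2.1.5
  Jinja2==3.1.4
    MarkupSafe==2.1.5
  click==8.1.7
requests==2.32.3
  charset-normalizer==3.3.2
  idna==3.7
  urllib3==2.2.2
  certifi==2024.7.4
"""

LINE_RE = re.compile(
    r"^(?P<indent> *)(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)$"
)


def canonical(name):
    """PEP 503 name normalisation, so 'Jinja2' and 'jinja2' are one package."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass
class Node:
    name: str
    version: str
    children: list = field(default_factory=list)


def parse_freeze(text):
    """Turn the indented freeze text into a forest of Node trees."""
    roots, stack = [], []  # stack holds (depth, node) along the current path
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unrecognised pipdeptree line: {raw!r}")
        depth = len(m.group("indent")) // 2
        node = Node(m.group("name"), m.group("version"))
        while stack and stack[-1][0] >= depth:
            stack.pop()
        (stack[-1][1].children if stack else roots).append(node)
        stack.append((depth, node))
    return roots


def explode(roots):
    """Flatten the forest to {canonical name: (name, version)}.

    Repeated entries collapse into one. Two different versions for the same
    name cannot come from a single environment, so that is reported as an error
    rather than silently picking one."""
    flat = {}

    def visit(node):
        key = canonical(node.name)
        if key in flat and flat[key][1] != node.version:
            raise ValueError(f"{node.name}: {flat[key][1]} != {node.version}")
        flat[key] = (node.name, node.version)
        for child in node.children:
            visit(child)

    for root in roots:
        visit(root)
    return flat


def direct_and_transitive(roots):
    """Top-level packages (nothing installed depends on them) versus packages
    that are only present because another package requires them."""
    direct = {canonical(r.name) for r in roots}
    transitive = set(explode(roots)) - direct
    return direct, transitive


def to_requirements(flat):
    """Flat, deduplicated, pinned requirement lines in a stable order."""
    return [f"{name}=={version}" for _, (name, version) in sorted(flat.items())]


if __name__ == "__main__":
    forest = parse_freeze(SAMPLE_FREEZE)
    direct, transitive = direct_and_transitive(forest)
    print(f"{len(direct)} top-level, {len(transitive)} transitive packages")
    print("\n".join(to_requirements(explode(forest))))
```

Running it on the sample yields ten distinct packages from fifteen printed lines: two top-level (flask, requests) and eight transitive. A flat list like this, rather than the raw indented text, is what you want to hand to the SBOM generator, and the version-conflict check is a cheap guard against accidentally concatenating freeze output from two different environments.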

Converting pipdeptree Output to CycloneDX Format

Once you have the dependency tree from pipdeptree, you can convert it to a CycloneDX SBOM using the CycloneDX-Python tool.

Installation

Install CycloneDX-Python with pip:

$ pip install cyclonedx-bom

Conversion Process

First, generate the dependency tree and save it to a file using the previous pipdeptree command. Then, convert this requirements.txt file to a CycloneDX SBOM. The command below uses the cyclonedx-bom 4.x command-line syntax, where `requirements` is a subcommand that takes the requirements file as its argument and `-o` names the output file:

$ cyclonedx-py requirements requirements.txt -o sbom.json

This process captures all dependencies, including transitive ones, in the SBOM.
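Whether the SBOM really captured everything is worth checking rather than assuming. The following is an added example, not code from the post or from the CycloneDX project: it cross-checks the pinned requirements against the `components` array of a CycloneDX JSON document and reports pins with no component, components whose version disagrees with the pin, components the pins don’t mention, and components with no `purl` (the package URL that vulnerability scanners key on). Both the requirements text and the SBOM document are constructed inline and deliberately imperfect; a real sbom.json from cyclonedx-py also carries `metadata` and tool information, which this check does not inspect.

```python
import json
import re

# Constructed pinned requirements in the indented form pipdeptree --freeze
# writes (pip's requirement parser tolerates the leading whitespace).
# Versions are illustrative.
REQUIREMENTS = """\
requests==2.32.3
  charset-normalizer==3.3.2
  idna==3.7
  urllib3==2.2.2
  certifi==2024.7.4
"""

# Constructed, deliberately imperfect CycloneDX 1.5 document standing in for
# sbom.json: urllib3 carries the wrong version, certifi is absent, idna has no
# purl, and six is present although nothing pinned it.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "purl": "pkg:pypi/requests@2.32.3"},
        {"type": "library", "name": "charset-normalizer", "version": "3.3.2",
         "purl": "pkg:pypi/charset-normalizer@3.3.2"},
        {"type": "library", "name": "idna", "version": "3.7"},
        {"type": "library", "name": "urllib3", "version": "2.2.1",
         "purl": "pkg:pypi/urllib3@2.2.1"},
        {"type": "library", "name": "six", "version": "1.16.0",
         "purl": "pkg:pypi/six@1.16.0"},
    ],
})

PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)")


def canonical(name):
    """PEP 503 normalisation so 'Charset_Normalizer' matches 'charset-normalizer'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text):
    """{canonical name: version} for every 'name==version' line."""
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[canonical(m.group(1))] = m.group(2)
    return pins


def audit_sbom(requirements_text, sbom_text):
    """Cross-check every pin against the SBOM's components and return findings."""
    pins = parse_pins(requirements_text)
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = {canonical(c["name"]): c for c in sbom.get("components", [])}
    findings = {"missing": [], "version_mismatch": [], "unexpected": [], "no_purl": []}
    for name, version in sorted(pins.items()):
        comp = components.get(name)
        if comp is None:
            findings["missing"].append(name)
        elif comp.get("version") != version:
            findings["version_mismatch"].append((name, version, comp.get("version")))
    findings["unexpected"] = sorted(set(components) - set(pins))
    findings["no_purl"] = sorted(n for n, c in components.items() if "purl" not in c)
    return findings


def sbom_is_complete(findings):
    """Missing or mis-versioned components mean the SBOM misrepresents the build."""
    return not (findings["missing"] or findings["version_mismatch"])


if __name__ == "__main__":
    for kind, items in audit_sbom(REQUIREMENTS, SBOM_JSON).items():
        print(f"{kind}: {items}")
```

A missing component or a version mismatch means a scanner reading the SBOM would either skip a package or look up the wrong version’s advisories, so those two findings should fail a build. Unexpected components and missing purls are worth a look but are not always errors.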

Best Practices for Managing Dependencies

Pinning all dependencies, ideally with hashes, enhances security and compliance, and it aligns with the Pinned-Dependencies check of the OpenSSF Scorecard.

Pinning Dependencies with Hashes

Specify versions and hashes in your requirements.txt:

package==version --hash=sha256:hash

This ensures that only the exact artifacts whose hashes you recorded can be installed, reducing the risk of a tampered or substituted package reaching your environment.

Wrapping up

For a thorough walkthrough on generating SBOMs, check out our comprehensive guide. This resource covers generating SBOMs using Docker and Django CMS, with applicable insights for any Python project.

Generating SBOMs for Python packages, including all dependencies, is vital for security and compliance. Tools like pipdeptree and CycloneDX-Python make this process straightforward. By following best practices such as pinning dependencies with hashes, you can further secure your project.
