Metadata-Version: 2.4
Name: hatch-sbom
Version: 0.3.0
Summary: Hatchling build hook plugin for generating Software Bill of Materials (SBOM)
Project-URL: Source Code, https://github.com/Ichunjo/hatch-sbom
Project-URL: Bug Tracker, https://github.com/Ichunjo/hatch-sbom/issues
Author-email: Vardë <ichunjo.le.terrible@gmail.com>
Maintainer-email: Vardë <ichunjo.le.terrible@gmail.com>
License-Expression: MIT
License-File: LICENSE
Keywords: build-hook,cyclonedx,hatch,hatchling,sbom
Classifier: Development Status :: 5 - Production/Stable
Classifier: Framework :: Hatch
Classifier: Intended Audience :: Developers
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Programming Language :: Python :: 3.14
Classifier: Topic :: Software Development :: Build Tools
Classifier: Typing :: Typed
Requires-Python: >=3.10
Requires-Dist: hatchling<2.0.0,>=1.28.0
Provides-Extra: cdx
Requires-Dist: cyclonedx-bom<8.0.0,>=7.3.0; extra == 'cdx'
Provides-Extra: pdm
Requires-Dist: pdm<3.0.0,>=2.26.8; extra == 'pdm'
Provides-Extra: uv
Requires-Dist: uv>=0.11.8; extra == 'uv'
Description-Content-Type: text/markdown

# hatch-sbom

[![PyPI - Version](https://img.shields.io/pypi/v/hatch-sbom.svg?cacheSeconds=300)](https://pypi.org/project/hatch-sbom)
[![PyPI - Python Version](https://img.shields.io/pypi/pyversions/hatch-sbom.svg?cacheSeconds=300)](https://pypi.org/project/hatch-sbom)
[![Tests](https://github.com/Ichunjo/hatch-sbom/actions/workflows/ci-test.yml/badge.svg?cacheSeconds=300)](https://github.com/Ichunjo/hatch-sbom/actions/workflows/ci-test.yml)
[![Lint](https://github.com/Ichunjo/hatch-sbom/actions/workflows/ci-lint.yml/badge.svg?cacheSeconds=300)](https://github.com/Ichunjo/hatch-sbom/actions/workflows/ci-lint.yml)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)

A Hatchling build hook plugin to automatically generate a Software Bill of Materials (SBOM) during wheel creation.

## Usage

To use this plugin, configure your `pyproject.toml` to require both `hatchling` (>=1.28.0) and `hatch-sbom` in your `build-system`.

For example, to build the SBOM from a `requirements.txt` file:

```toml
[build-system]
requires = ["hatchling>=1.28.0", "hatch-sbom[cdx]"]
build-backend = "hatchling.build"
```

The base install is minimal. Install extras only for the backend used by your selected source:

- `requirements`, `poetry`, `pipenv`, and `environment` use `cyclonedx-py` and need `hatch-sbom[cdx]`.
- `uv` uses `uv export` directly and needs `hatch-sbom[uv]`.
- `pdm` uses both `pdm export` and `cyclonedx-py`, so it needs `hatch-sbom[pdm,cdx]`.

Next, configure the build hook specifically for the `wheel` target:

```toml
[tool.hatch.build.targets.wheel.hooks.sbom]
source = "requirements"
path = "requirements.txt"
format = "json"        # Optional, defaults to "json"
spec-version = "1.6"   # Optional, defaults to "1.6"
```

### Supported Sources

The `source` field determines how the SBOM is built.

| Source         | Requires              | Backend                                        | Path behavior                                                     |
| -------------- | --------------------- | ---------------------------------------------- | ----------------------------------------------------------------- |
| `requirements` | `hatch-sbom[cdx]`     | `cyclonedx-py requirements`                    | Optional; defaults to `requirements.txt` when present.            |
| `poetry`       | `hatch-sbom[cdx]`     | `cyclonedx-py poetry`                          | Optional; defaults to the current directory.                      |
| `pipenv`       | `hatch-sbom[cdx]`     | `cyclonedx-py pipenv`                          | Optional; defaults to the current directory.                      |
| `environment`  | `hatch-sbom[cdx]`     | `cyclonedx-py environment`                     | Optional; defaults to the current directory.                      |
| `uv`           | `hatch-sbom[uv]`      | `uv export`                                    | Optional; defaults to the current directory. Requires `uv.lock`.  |
| `pdm`          | `hatch-sbom[pdm,cdx]` | `pdm export`, then `cyclonedx-py requirements` | Optional; defaults to the current directory. Requires `pdm.lock`. |

The `uv` source only supports `json` format and CycloneDX `1.5`.

### Source-Specific Arguments

You can pass extra arguments to the underlying tool (e.g., `uv export`, `pdm export`, or `cyclonedx-py <source>`) by creating a nested table named after the source.

This is useful for passing flags like `--without`, `--no-dev`, etc.

For example, to omit the `dev` and `test` groups when using Poetry:

```toml
[tool.hatch.build.targets.wheel.hooks.sbom.poetry]
without = ["dev", "test"]  # Appends `--without dev --without test`
```

To include all extras when using uv:

```toml
[tool.hatch.build.targets.wheel.hooks.sbom.uv]
all-extras = true  # Appends `--all-extras`
```

You can use the `extra-args` key to pass an arbitrary list of raw arguments:

```toml
[tool.hatch.build.targets.wheel.hooks.sbom.pipenv]
extra-args = ["--mc-type", "firmware"]
```

The generated SBOM file (e.g., `sbom.cdx.json`) will be automatically placed in the `.dist-info/sboms/` directory of the resulting wheel.
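A post-build check worth adding to CI, as an added example not taken from the project: open the wheel as a zip, locate every entry under `<dist>.dist-info/sboms/`, confirm it parses as a CycloneDX document, and summarise its components for comparison against the lockfile. The wheel here is constructed in memory so the snippet runs stand-alone; the file names and component list are sample values.

```python
import io
import json
import zipfile

# Constructed stand-in for a built wheel: a zip holding a minimal CycloneDX 1.6
# document under <dist>.dist-info/sboms/, the location the README describes.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "hatchling", "version": "1.28.0"},
        {"type": "library", "name": "cyclonedx-bom", "version": "7.3.0"},
    ],
}


def build_sample_wheel() -> bytes:
    """Assemble the constructed wheel bytes (sample data, not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/__init__.py", "")
        zf.writestr("demo-0.1.0.dist-info/METADATA", "Name: demo\n")
        zf.writestr("demo-0.1.0.dist-info/sboms/sbom.cdx.json", json.dumps(SAMPLE_SBOM))
    return buf.getvalue()


def find_sboms(wheel_bytes: bytes) -> dict[str, dict]:
    """Map each .dist-info/sboms/ entry in the wheel to its parsed CycloneDX document."""
    found: dict[str, dict] = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if len(parts) == 3 and parts[0].endswith(".dist-info") and parts[1] == "sboms":
                doc = json.loads(zf.read(name))
                if doc.get("bomFormat") != "CycloneDX":
                    raise ValueError(f"{name} is not a CycloneDX document")
                found[name] = doc
    return found


def component_summary(doc: dict) -> list[str]:
    """Return sorted 'name==version' strings, handy for diffing against a lockfile."""
    return sorted(f"{c['name']}=={c.get('version', '?')}" for c in doc.get("components", []))
```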
