CycloneDX · m7mdhka · Mar 22, 2026 · Mar 22, 2026 · Mar 22, 2026 · Mar 22, 2026
@@ -24,8 +24,7 @@ Supported data sources are:
 * Pip's `requirements.txt` format
 * `PDM` manifest and lockfile are not explicitly supported.  
   However, PDM's Python virtual environments are fully supported. See the docs for an example.
-* `uv` manifest and lockfile are not explicitly supported.  
-  However, uv's Python virtual environments are fully supported. See the docs for an example.
+* `uv` manifest and lockfile
 * `Conda` as a package manager is no longer supported since version 4.  
   However, conda's Python environments are fully supported via the methods listed above. See the docs for an example.
 
@@ -86,6 +85,7 @@ positional arguments:
     requirements        Build an SBOM from Pip requirements
     pipenv              Build an SBOM from Pipenv manifest
     poetry              Build an SBOM from Poetry project
+    uv                  Build an SBOM from uv project
 
 options:
   -h, --help            show this help message and exit

@@ -34,6 +34,7 @@
 from .poetry import PoetryBB
 from .requirements import RequirementsBB
 from .utils.args import argparse_type4enum, choices4enum
+from .uv import UvBB
 
 if TYPE_CHECKING:  # pragma: no cover
     from cyclonedx.model.bom import Bom
@@ -115,6 +116,7 @@ def make_argument_parser(cls, sco: ArgumentParser, **kwargs: Any) -> ArgumentPar
             (RequirementsBB, 'requirements'),
             (PipenvBB, 'pipenv'),
             (PoetryBB, 'poetry'),
+            (UvBB, 'uv'),
         ):
             spp = scbbc.make_argument_parser(add_help=False)
             sp.add_parser(sct, aliases=scta,

@@ -348,6 +348,84 @@ The full documentation can be issued by running with ``poetry --help``:
                             (default: silent)
 
 
+For uv
+------
+
+**subcommand:** ``uv``
+
+Support for `uv`_ dependency management and package manifest.
+This requires parsing your ``pyproject.toml`` and ``uv.lock`` file which details exact pinned versions of
+dependencies.
+By default, dependencies from uv's default dependency groups (e.g. ``dev``) are included;
+use ``--no-dev`` or ``--no-default-groups`` to exclude them.
+
+.. _uv: https://docs.astral.sh/uv/
+
+The full documentation can be issued by running with ``uv --help``:
+
+.. code-block:: shell-session
+
+    $ cyclonedx-py uv --help
+    usage: cyclonedx-py uv [-h] [--group <group>] [--no-group <group>]
+                           [--only-group <group> | --only-dev] [--all-groups]
+                           [--no-default-groups] [--no-dev]
+                           [-E <extras> | --all-extras] [--mc-type <type>]
+                           [--short-PURLs] [--sv <version>]
+                           [--output-reproducible] [--of <format>] [-o <file>]
+                           [--validate | --no-validate] [-v]
+                           [<project-directory>]
+
+    Build an SBOM from uv project.
+
+    This requires parsing your `pyproject.toml` and `uv.lock` file which details exact pinned versions of
+    dependencies.
+
+    positional arguments:
+      <project-directory>   The project directory for uv (containing
+                            `pyproject.toml` and `uv.lock`), or a path to
+                            `uv.lock` (default: current working directory)
+
+    options:
+      -h, --help            show this help message and exit
+      --group <group>       Include dependencies from the specified dependency
+                            group (multiple values allowed)
+      --no-group <group>    Exclude dependencies from the specified dependency
+                            group (multiple values allowed)
+      --only-group <group>  Only include dependencies from the specified
+                            dependency group (multiple values allowed)
+      --only-dev            Alias for: --only-group dev
+      --all-groups          Include all dependency groups (default: False)
+      --no-default-groups   Ignore the default dependency groups (default: False)
+      --no-dev              Alias for: --no-group dev
+      -E, --extras <extras>
+                            Extra sets of dependencies to include (multiple values
+                            allowed)
+      --all-extras          Include all extra dependencies (default: False)
+      --mc-type <type>      Type of the main component. {choices: application,
+                            firmware, library} (default: application)
+      --short-PURLs         Omit all qualifiers from PackageURLs. This causes
+                            information loss in trade-off shorter PURLs, which
+                            might improve ingesting these strings.
+      --sv, --spec-version <version>
+                            Which version of CycloneDX to use. {choices: 1.7, 1.6,
+                            1.5, 1.4, 1.3, 1.2, 1.1, 1.0} (default: 1.6)
+      --output-reproducible
+                            Whether to go the extra mile and make the output
+                            reproducible. This might result in loss of time- and
+                            random-based values.
+      --of, --output-format <format>
+                            Which output format to use. {choices: JSON, XML}
+                            (default: JSON)
+      -o, --output-file <file>
+                            Path to the output file. (set to "-" to output to
+                            <stdout>) (default: -)
+      --validate, --no-validate
+                            Whether to validate resulting BOM before outputting.
+                            (default: True)
+      -v, --verbose         Increase the verbosity of messages (multiple for more
+                            effect) (default: silent)
+
+
 For Pip requirements
 --------------------
 
@@ -478,22 +556,6 @@ it is possible to use the functionality for Python (virtual) environments as des
 
 
 
-For uv
--------
-
-Support for `uv`_ manifest and lockfile is not explicitly implemented, yet.
-
-However, since uv utilizes Python virtual environments under the hood,
-it is possible to use the functionality for Python (virtual) environments as described above.
-
-.. _uv: https://docs.astral.sh/uv/
-
-
-
-*****
-
-
-
 For Conda
 ---------
 

@@ -36,7 +36,7 @@ exclude = [
 keywords = [
   "OWASP", "CycloneDX",
   "bill-of-materials", "BOM", "software-bill-of-materials", "SBOM",
-  "environment", "virtualenv", "venv", "Poetry", "Pipenv", "requirements", "PDM", "Conda",
+  "environment", "virtualenv", "venv", "Poetry", "Pipenv", "uv", "requirements", "PDM", "Conda",
   "SPDX", "licenses", "PURL", "package-url", "dependency-graph",
 ]
 classifiers = [

@@ -0,0 +1,46 @@
+[project]
+# https://packaging.python.org/en/latest/specifications/declaring-project-metadata/#declaring-project-metadata
+name = "via-uv"
+version = "0.1.0"
+description = "environment via uv"
+license = { text = "Apache-2.0 OR MIT" }
+readme = "README.md"
+requires-python = ">=3.8"
+
+#  dynamic = [] # TODO
+
+authors = ["Your Name <you@example.com>", "My Name"]
+maintainers = [
+  "John Smith <johnsmith@example.org>",
+  "Jane Smith <janesmith@example.org>",
+]
+
+keywords = ["packaging", "pipenv", "test"]
+classifiers = [
+  "License :: OSI Approved :: Apache Software License",
+  "License :: OSI Approved :: MIT License",
+  "Classifier: Development Status :: 4 - Beta",
+  "Intended Audience :: Developers"
+]
+
+dependencies = [
+  'toml'
+]
+optional-dependencies = { 'foo' = ['ddt'] }
+
+# entry-point = {} # TODO
+
+# gui-scripts = {} # TODO
+# scripts = {} # TODO
+
+[project.urls]
+homepage = "https://oss.acme.org/my-project/"
+repository = "https://oss.acme.org/my-project.git"
+documentation = "https://oss.acme.org/my-project/docs/"
+"Bug Tracker" = "https://oss.acme.org/my-project/bugs/"
+"Funding" = "https://oss.acme.org/my-project/funding/"
+"Change log" = "https://oss.acme.org/my-project/changelog/"
+
+
+[tool.uv]
+# https://docs.astral.sh/uv/reference/settings/