Description
Is your feature request related to a problem? Please describe.
The CycloneDX Python tool currently does not explicitly support the uv.lock file format used by the uv package manager.
While uv’s Python virtual environments are already supported (as mentioned in the documentation), there is no native support for reading the uv.lock file directly. This means users must still rely on indirect workarounds to generate an SBOM, which adds unnecessary complexity.
Describe the solution you'd like
I would like CycloneDX-Python to include native support for parsing and generating SBOMs directly from the uv.lock file. This would streamline the process and avoid relying on indirect methods or manually activating environments just to extract dependency metadata.
Describe alternatives you've considered
- Activating a uv-created virtual environment and using the current environment scan, which works but isn’t as robust or declarative as lockfile-based analysis.
Additional context
uv is gaining popularity as a modern, fast alternative to pip and poetry. Supporting its lockfile format would allow CycloneDX-Python to integrate more seamlessly with modern Python development workflows, and improve SBOM adoption among users of uv.
Contribution
- I am willing to provide an implementation
- I will wait until somebody else implements it