feat: Support for `uv.lock` file from uv package manager

[gueyemoo]

Is your feature request related to a problem? Please describe.

The CycloneDX Python tool currently does not explicitly support the uv.lock file format used by the uv package manager.

While uv’s Python virtual environments are already supported (as mentioned in the documentation), there is no native support for reading the uv.lock file directly. This means users must still rely on indirect workarounds to generate an SBOM, which adds unnecessary complexity.

Describe the solution you'd like

I would like CycloneDX-Python to include native support for parsing and generating SBOMs directly from the uv.lock file. This would streamline the process and avoid relying on indirect methods or manually activating environments just to extract dependency metadata.

Describe alternatives you've considered

• Activating a uv-created virtual environment and using the current environment scan, which works but isn’t as robust or declarative as lockfile-based analysis.

Additional context

uv is gaining popularity as a modern, fast alternative to pip and poetry. Supporting its lockfile format would allow CycloneDX-Python to integrate more seamlessly with modern Python development workflows, and improve SBOM adoption among users of uv.

Contribution

• I am willing to provide an implementation
• I will wait until somebody else implements it

[jkowalleck]

Activating a uv-created virtual environment and using the current environment scan, which works but isn’t as robust or declarative as lockfile-based analysis.

no need to activate a uv-created virtual environment. the tool should be able to perform needed action already.
see the docs https://cyclonedx-bom-tool.readthedocs.io/en/latest/usage.html#id8

cyclonedx-py environment "$(uv python find)"

[jkowalleck]

adding more lockfile parsers has no priority at the moment - we support a very sophisticated env analyzer which provides the most accurate results.

if anybody wants to add uv-lockfile capabilities, feel free to discuss, contribute, and organize yourselves in this ticket - and open a (draft) pullrequest 👍

[jkowalleck]

• FYI: Software Bill of Materials (SBOM) output astral-sh/uv#6012

[jkowalleck]

The CycloneDX team encourages native implementations in the past, lately we helped the community around pnpm (pnpm/pnpm#10592) to build first level support for SBOM.

---

nevertheless, uv is not stable yet. Therefore, I do not like the idea of adding premature support.

---

• see also: Feature request: Add native uv project support (pyproject.toml + uv.lock) via cyclonedx-py uv subcommand #1029