Generates CycloneDX Software Bills of Materials (SBOMs) for Python projects. It reads dependency information from several sources (installed environments, requirements files, Poetry and Pipenv lockfiles) so that the SBOM reflects the project's actual dependency set, which is what supply chain security and compliance consumers need.
Defensibility
stars: 370
forks: 93
cyclonedx-python is a pillar of the OWASP CycloneDX ecosystem. Its defensibility does not come from a complex proprietary algorithm but from its status as the official Python implementation of a widely adopted security standard. With 370 stars and 93 forks accumulated over more than seven years, it has strong 'boring technology' gravity: it is embedded in many CI/CD pipelines, and replacing it would mean re-validating SBOM output across all of them. Frontier labs such as OpenAI have no incentive to build specialized SBOM generators. The primary competitive risk comes from platform providers such as GitHub and GitLab, which are increasingly building native SBOM generation into their dependency graphs; however, these platforms tend to adopt or contribute back to the open-source standards rather than replace them. The project's detailed handling of Python's fragmented packaging ecosystem (Poetry, Pipenv, requirements.txt, Conda) provides a functional moat against generic scanners that lack language-specific depth. One caveat a practitioner should keep in mind: an SBOM is only as accurate as the source it is generated from, so a lockfile-based SBOM and one generated from an installed environment can legitimately differ, and the choice of input should match what is actually deployed. As regulatory requirements for SBOMs increase (for example, US Executive Order 14028), this project moves from 'nice-to-have' to 'mandatory infrastructure'.
INTEGRATION
cli_tool