Add unified tags mapping across environment builders

rn23thakur · rn23thakur · commit ea4cf7de98d9 · 2025-11-04T19:39:31.000+05:30
Implement consistent support for CycloneDX component 'tags' field (https://cyclonedx.org/docs/1.6/json/#components_items_tags) by mapping Python packaging metadata 'keywords' across build backends. - EnvironmentBB: parse 'Keywords' from package metadata - PipenvBB: normalize 'keywords' field from Pipfile.lock entries - PoetryBB: handle 'keywords' from pyproject and lock data - Introduce shared _to_tags() helper for safe normalization This ensures all SBOM builders populate CycloneDX tags consistently, aligning with PEP 621 and other Python packaging metadata standards. Signed-off-by: Aryan Thakur <rn23thakur@gmail.com> Signed-off-by: aryan thakur <aryan.thakur@nurix.ai> Signed-off-by: rn23thakur <rn23thakur@gmail.com>
diff --git a/cyclonedx_py/_internal/environment.py b/cyclonedx_py/_internal/environment.py
@@ -16,6 +16,7 @@
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 
 
+import re
 from argparse import OPTIONAL, ArgumentParser
 from collections.abc import Iterable
 from importlib.metadata import distributions
@@ -41,6 +42,19 @@
 from .utils.pep639 import dist2licenses_from_files as pep639_dist2licenses_from_files
 from .utils.pyproject import pyproject2component, pyproject2dependencies, pyproject_load
 
+_TAG_SPLIT = re.compile(r'[;,]\s*|\s+')
+
+
+def _to_tags(raw):
+    if raw is None:
+        return []
+    if isinstance(raw, str):
+        return [t for t in (s.strip() for s in _TAG_SPLIT.split(raw)) if t]
+    if isinstance(raw, (list, tuple, set)):
+        return [t for t in (str(s).strip() for s in raw) if t]
+    return []
+
+
 if TYPE_CHECKING:  # pragma: no cover
     from logging import Logger
 
@@ -185,6 +199,10 @@ def __add_components(self, bom: 'Bom',
                 # path of dist-package on disc? naaa... a package may have multiple files/folders on disc
             )
 
+            raw = dist.metadata.get('Keywords')
+            if hasattr(component, "tags"):
+                component.tags = _to_tags(raw)
+
             # region licenses
             component.licenses.update(metadata2licenses(dist_meta, LicenseFactory(),
                                                         gather_texts=self._gather_license_texts))
diff --git a/cyclonedx_py/_internal/pipenv.py b/cyclonedx_py/_internal/pipenv.py
@@ -16,6 +16,7 @@
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 
 
+import re
 from argparse import OPTIONAL, ArgumentParser
 from collections.abc import Generator
 from json import loads as json_loads
@@ -37,6 +38,19 @@
 from .utils.pyproject import pyproject_file2component
 from .utils.secret import redact_auth_from_url
 
+_TAG_SPLIT = re.compile(r'[;,]\s*|\s+')
+
+
+def _to_tags(raw):
+    if raw is None:
+        return []
+    if isinstance(raw, str):
+        return [t for t in (s.strip() for s in _TAG_SPLIT.split(raw)) if t]
+    if isinstance(raw, (list, tuple, set)):
+        return [t for t in (str(s).strip() for s in raw) if t]
+    return []
+
+
 if TYPE_CHECKING:  # pragma: no cover
     from logging import Logger
 
@@ -175,6 +189,10 @@ def _make_bom(self, root_c: Optional['Component'],
                         version=package_data['version'][2:] if 'version' in package_data else None,
                         external_references=self.__make_extrefs(package_name, package_data, source_urls),
                     )
+                    raw_keywords = package_data.get('keywords')
+                    if hasattr(component, "tags"):
+                        component.tags = _to_tags(raw_keywords)
+
                     component.purl = PackageURL(
                         type=PurlTypePypi,
                         name=component.name,
diff --git a/cyclonedx_py/_internal/poetry.py b/cyclonedx_py/_internal/poetry.py
@@ -16,6 +16,7 @@
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 
 
+import re
 from argparse import OPTIONAL, ArgumentParser
 from collections.abc import Generator, Iterable
 from dataclasses import dataclass
@@ -39,6 +40,19 @@
 from .utils.secret import redact_auth_from_url
 from .utils.toml import toml_loads
 
+_TAG_SPLIT = re.compile(r'[;,]\s*|\s+')
+
+
+def _to_tags(raw):
+    if raw is None:
+        return []
+    if isinstance(raw, str):
+        return [t for t in (s.strip() for s in _TAG_SPLIT.split(raw)) if t]
+    if isinstance(raw, (list, tuple, set)):
+        return [t for t in (str(s).strip() for s in raw) if t]
+    return []
+
+
 if TYPE_CHECKING:  # pragma: no cover
     from logging import Logger
 
@@ -404,7 +418,7 @@ def __make_component4lock(self, package: 'T_NameDict') -> 'Component':
         is_vcs = source.get('type') in self.__PACKAGE_SRC_VCS
         is_local = source.get('type') in self.__PACKAGE_SRC_LOCAL
 
-        return Component(
+        component = Component(
             bom_ref=f'{package["name"]}@{package["version"]}',
             name=package['name'],
             version=package.get('version'),
@@ -433,6 +447,12 @@ def __make_component4lock(self, package: 'T_NameDict') -> 'Component':
             ) if not is_local else None
         )
 
+        raw_keywords = package.get('keywords')
+        if hasattr(component, "tags"):
+            component.tags = _to_tags(raw_keywords)
+
+        return component
+
     def __purl_qualifiers4lock(self, package: 'T_NameDict') -> 'T_NameDict':
         # see https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst
         qs = {}
