add support for sbom file from build data (#2109)

vmeurisse · cjames23 · web-flow · commit 843f91680cc9 · 2025-11-27T15:27:01.000-08:00
Initial implementation of PEP 770 (8695db4) documented it but implemented only sbom-files from configuration. ref #2047 Co-authored-by: Cary Hawkins <hawkinscary23@gmail.com>
diff --git a/backend/src/hatchling/builders/wheel.py b/backend/src/hatchling/builders/wheel.py
@@ -684,8 +684,9 @@ def add_shared_scripts(self, archive: WheelArchive, records: RecordFile, build_d
             record = archive.write_shared_script(shared_script, content.getvalue())
             records.write(record)
 
-    def add_sboms(self, archive: WheelArchive, records: RecordFile) -> None:
+    def add_sboms(self, archive: WheelArchive, records: RecordFile, build_data: dict[str, Any]) -> None:
         sbom_files = self.config.sbom_files
+        sbom_files.extend(build_data["sbom_files"])
         if not sbom_files:
             return
 
@@ -724,7 +725,7 @@ def write_metadata(
         self.add_licenses(archive, records)
 
         # sboms/
-        self.add_sboms(archive, records)
+        self.add_sboms(archive, records, build_data)
 
         # extra_metadata/ - write last
         self.add_extra_metadata(archive, records, build_data)
@@ -849,6 +850,7 @@ def get_default_build_data(self) -> dict[str, Any]:  # noqa: PLR6301
             "extra_metadata": {},
             "shared_data": {},
             "shared_scripts": {},
+            "sbom_files": [],
         }
 
     def get_forced_inclusion_map(self, build_data: dict[str, Any]) -> dict[str, str]:
diff --git a/tests/backend/builders/test_wheel.py b/tests/backend/builders/test_wheel.py
@@ -3922,3 +3922,71 @@ def test_sbom_file_invalid_item(self, isolation):
             TypeError, match="SBOM file #1 in field `tool.hatch.build.targets.wheel.sbom-files` must be a string"
         ):
             _ = builder.config.sbom_files
+
+    def test_sbom_from_build_data(self, hatch, helpers, temp_dir, config_file):
+        config_file.model.template.plugins["default"]["tests"] = False
+        config_file.save()
+
+        with temp_dir.as_cwd():
+            result = hatch("new", "My.App")
+
+        assert result.exit_code == 0, result.output
+
+        project_path = temp_dir / "my-app"
+        (project_path / "sbom1.cyclonedx.json").write_text('{"bomFormat": "CycloneDX"}')
+        (project_path / "sbom2.spdx.json").write_text('{"spdxVersion": "SPDX-2.3"}')
+
+        build_script = project_path / DEFAULT_BUILD_SCRIPT
+        build_script.write_text(
+            helpers.dedent(
+                """
+                import pathlib
+
+                from hatchling.builders.hooks.plugin.interface import BuildHookInterface
+
+                class CustomHook(BuildHookInterface):
+                    def initialize(self, version, build_data):
+                        build_data["sbom_files"].append("sbom2.spdx.json")
+                """
+            )
+        )
+
+        config = {
+            "project": {"name": "My.App", "dynamic": ["version"]},
+            "tool": {
+                "hatch": {
+                    "version": {"path": "src/my_app/__about__.py"},
+                    "build": {
+                        "targets": {"wheel": {"sbom-files": ["sbom1.cyclonedx.json"]}},
+                        "hooks": {"custom": {"path": DEFAULT_BUILD_SCRIPT}},
+                    },
+                }
+            },
+        }
+        builder = WheelBuilder(str(project_path), config=config)
+
+        build_path = project_path / "dist"
+        build_path.mkdir()
+
+        with project_path.as_cwd():
+            artifacts = list(builder.build(directory=str(build_path)))
+
+        assert len(artifacts) == 1
+
+        extraction_directory = temp_dir / "_archive"
+        extraction_directory.mkdir()
+
+        with zipfile.ZipFile(str(artifacts[0]), "r") as zip_archive:
+            zip_archive.extractall(str(extraction_directory))
+
+        metadata_directory = f"{builder.project_id}.dist-info"
+        expected_files = helpers.get_template_files(
+            "wheel.standard_default_sbom",
+            "My.App",
+            metadata_directory=metadata_directory,
+            sbom_files=[
+                ("sbom1.cyclonedx.json", '{"bomFormat": "CycloneDX"}'),
+                ("sbom2.spdx.json", '{"spdxVersion": "SPDX-2.3"}'),
+            ],
+        )
+        helpers.assert_files(extraction_directory, expected_files)
