bootlin/sbom-cve-check
sbom-cve-check

sbom-cve-check is a lightweight, standalone and easy-to-use tool that parses Software Bill of Materials (SBOM) files and, using publicly available databases of security vulnerabilities (CVEs), produces a report detailing which software components are affected by known security vulnerabilities.

Key features provided by this tool:

  • Accepts an SBOM file as input: currently supports SPDXv2.2 and SPDXv3.
  • Supports multiple sources of vulnerability information: currently NVD and the CVE List.
  • Can consume various annotation formats, such as OpenVEX.
  • Generates exports in multiple formats, including SPDX v3.0.
  • Supports plugins to add further features.
  • Filters affected CVEs based on compiled sources: if the source file affected by a CVE is not compiled in, the CVE is considered not applicable. This is mostly useful for filtering Linux kernel CVEs.
  • Has very few dependencies, is very lightweight, and is easy to set up and use.
  • Fully open source, under GPLv2.
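To make the matching step concrete, here is an added example (not code from sbom-cve-check itself) of the core pipeline the features above describe: read the packages out of an SPDX 2.2 JSON SBOM, match each one against CVE records carrying NVD-style version ranges, and then downgrade matches that an OpenVEX statement marks as not_affected. The SBOM, CVE feed and VEX document are all constructed inline, the CVE IDs are placeholders, and version comparison is simplified to numeric dotted versions; the real tool handles far more than this.

```python
import json

# Constructed SPDX 2.2 SBOM fragment (not produced by Yocto or sbom-cve-check).
SBOM_JSON = json.dumps({"spdxVersion": "SPDX-2.2", "packages": [
    {"SPDXID": "SPDXRef-zlib", "name": "zlib", "versionInfo": "1.2.11"},
    {"SPDXID": "SPDXRef-curl", "name": "curl", "versionInfo": "7.79.1"},
    {"SPDXID": "SPDXRef-busybox", "name": "busybox", "versionInfo": "1.36.1"}]})

# Constructed CVE records using NVD-style range fields; the CVE IDs are placeholders.
CVE_FEED = [
    {"id": "CVE-0000-0001", "product": "zlib", "versionEndExcluding": "1.2.12"},
    {"id": "CVE-0000-0002", "product": "curl", "versionStartIncluding": "7.70.0",
     "versionEndExcluding": "7.80.0"},
    {"id": "CVE-0000-0003", "product": "busybox", "versionEndExcluding": "1.36.0"}]

# Constructed OpenVEX document: the curl issue was patched out of the shipped tree.
OPENVEX_JSON = json.dumps({"@context": "https://openvex.dev/ns/v0.2.0", "statements": [
    {"vulnerability": {"name": "CVE-0000-0002"}, "products": [{"@id": "SPDXRef-curl"}],
     "status": "not_affected", "justification": "vulnerable_code_not_present"}]})

def parse_version(v):
    """Numeric dotted versions only, which is all the constructed data uses."""
    return tuple(int(p) for p in v.split("."))

def in_range(version, rec):
    """True if version lies in [versionStartIncluding, versionEndExcluding)."""
    v = parse_version(version)
    lo, hi = rec.get("versionStartIncluding"), rec.get("versionEndExcluding")
    return (lo is None or v >= parse_version(lo)) and (hi is None or v < parse_version(hi))

def load_vex(vex_json):
    """Map (CVE id, product SPDXID) -> OpenVEX status for every statement."""
    doc = json.loads(vex_json)
    return {(s["vulnerability"]["name"], p["@id"]): s["status"]
            for s in doc["statements"] for p in s["products"]}

def check_sbom(sbom_json, feed, vex_json):
    """Match each SBOM package against the feed, then apply VEX annotations."""
    vex = load_vex(vex_json)
    report = []
    for pkg in json.loads(sbom_json)["packages"]:
        for rec in feed:
            if rec["product"] == pkg["name"] and in_range(pkg["versionInfo"], rec):
                # A matching range means "affected" unless a VEX statement says otherwise.
                status = vex.get((rec["id"], pkg["SPDXID"]), "affected")
                report.append((pkg["name"], pkg["versionInfo"], rec["id"], status))
    return report
```

Running check_sbom(SBOM_JSON, CVE_FEED, OPENVEX_JSON) reports zlib as affected, curl as not_affected thanks to the VEX statement, and nothing for busybox because its version is past the fixed boundary.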

See the sbom-cve-check documentation for further details.

Motivation

This tool was started as a replacement for the cve-check logic implemented in Yocto, which requires running a full build to perform a new CVE analysis. sbom-cve-check instead runs on the SBOM that Yocto produces once, so the CVE analysis can be re-run regularly in less than a minute.

Getting started

Assuming you're using Yocto, 4 easy steps:

  1. Install the tool:
     pip install sbom-cve-check[extra]
     (You may want to do this in a Python virtual environment.)

  2. Generate the SBOM with Yocto:
     SPDX v3.0 is generated by default since Yocto Walnascar (5.2).
     Add INHERIT += "vex" to your local.conf.

  3. Retrieve two artifacts from the Yocto deploy directory:
     ${IMAGE_NAME}.rootfs.spdx.json: the SPDX v3.0 SBOM file.
     ${IMAGE_NAME}.rootfs.json: the file generated by vex.bbclass.

  4. Run the CVE analysis:

     sbom-cve-check \
       --sbom-path ${IMAGE_NAME}.rootfs.spdx.json \
       --yocto-vex-manifest ${IMAGE_NAME}.rootfs.json \
       --export-type yocto-cve-check-manifest --export-path out.json

Roadmap

  • Add support for the Ubuntu CVE tracker repository.
  • Automatically detect whether a patch was backported.
  • Add more export formats, for example OpenVEX.
  • Add CycloneDX (CDX) SBOM support as input.
  • Allow generating an SBOM (CDX or SPDX 3.0) as output even when the input SBOM is in another format.

Compatibility with Yocto

The compatibility with the SBOM generated by Yocto is described in the Yocto SBOM section.
