How can I get a list of all the checks that have matched?

[6mile]

My use case for cve-bin-tool is to provide a software composition analysis function, rather than going directly to finding vulnerabilities for packages found. ie., I want to scan a binary and get a list of components that cve-bin-tool found.
Is this possible now?

[anthonyharrison]

@6mile. Not yet but we are looking at adding the option of generating a SBOM (Software Bill of Materials) as a by-product of the analysis. However the latest updates to the tool already provides a summary of all of the the components with vulnerabilities and those components which don't have any identified vulnerabilities.

[6mile]

@anthonyharrison how do you get that list of components? I didn't see that in the help options.

[anthonyharrison]

@6mile The list of components which are scanned will appear as part of the console output (or pdf file if that option is selected).

The text in green in the following example shows the list of components with vulnerabilities followed by the list of components with no identified vulnerabilities.

If you want to feed the list of components into another tool, I would wait for the SBOM generation (which will be invoked by a command line option) to be released.

[terriko]

Oh, and I should add we only merged this code last week, so if you're using the 3.1 release you'll need to swap to using the version currently in github.

I'm hoping to get a 3.2 release out Really Soon Now but I've still got some open issues that need fixing before we get there. Grabbing the code in github right now and letting us know if it meets your needs would be very helpful!

[terriko]

Cleaning up some old issues: at this point display of all components found is default, so I think we can close this.