{"id":48503959,"url":"https://github.com/bootlin/sbom-cve-check","last_synced_at":"2026-04-07T15:37:10.227Z","repository":{"id":327557372,"uuid":"1101191482","full_name":"bootlin/sbom-cve-check","owner":"bootlin","description":"Lightweight SBOM CVE analysis tool","archived":false,"fork":false,"pushed_at":"2026-03-25T08:16:55.000Z","size":614,"stargazers_count":30,"open_issues_count":0,"forks_count":9,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-03-26T12:17:26.456Z","etag":null,"topics":["cve","python","sbom"],"latest_commit_sha":null,"homepage":"https://sbom-cve-check.readthedocs.io/en/latest/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bootlin.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-11-21T10:21:02.000Z","updated_at":"2026-03-25T08:16:59.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/bootlin/sbom-cve-check","commit_stats":null,"previous_names":["bootlin/sbom-cve-check"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/bootlin/sbom-cve-check","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bootlin%2Fsbom-cve-check","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bootlin%2Fsbom-cve-check/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bootlin%2Fsbom-cve-check/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bootlin%2Fsbom-cve-check/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bootlin","download_url":"https://codeload.github.com/bootlin/sbom-cve-check/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bootlin%2Fsbom-cve-check/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31518632,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-07T03:10:19.677Z","status":"ssl_error","status_checked_at":"2026-04-07T03:10:13.982Z","response_time":105,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve","python","sbom"],"created_at":"2026-04-07T15:37:09.742Z","updated_at":"2026-04-07T15:37:10.217Z","avatar_url":"https://github.com/bootlin.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# sbom-cve-check\n\n`sbom-cve-check` is a lightweight, standalone and easy-to-use tool\nthat parses Software Bill Of Materials (SBOM) files and, using publicly\navailable databases of security vulnerabilities (CVEs), provides a\nreport detailing which software components are affected by known\nsecurity vulnerabilities.\n\nKey features provided by this tool:\n\n- Accepts an SBOM file as input: currently supports SPDXv2.2 and SPDXv3.\n- Supports multiple sources of vulnerability information: currently\n  [NVD](https://github.com/fkie-cad/nvd-json-data-feeds) and [CVE List](\n  https://github.com/CVEProject/cvelistV5).\n- Can consume various annotation formats, like OpenVEX.\n- Generates exports in multiple formats, including SPDX v3.0.\n- Supports plugins to add additional features.\n- Filters affected CVEs based on compiled sources: if the source file\n  affected by a CVE is not compiled in, this CVE is considered not\n  applicable. Mostly useful to filter Linux kernel CVEs.\n- Has very few dependencies, is very lightweight and easy to set up and use.\n- Fully open-source, under GPLv2.\n\nSee the [sbom-cve-check documentation](\nhttps://sbom-cve-check.readthedocs.io/en/latest/index.html) for further details.\n\n## Motivation\n\nThis tool was started as a way of replacing the *cve-check* logic\nimplemented in Yocto, which requires running a full build to perform a\nnew CVE analysis. `sbom-cve-check` instead can run on the SBOM\nproduced once by Yocto Project and can be used to regularly run the CVE\nanalysis in less than a minute.\n\n## Getting started\n\nAssuming you're using Yocto Project, 4 easy steps:\n\n1. **Install** the tool:\u003cbr\u003e\n   `pip install sbom-cve-check[extra]`\u003cbr\u003e\n   (You may want to do this in a Python virtual environment).\n\n2. **Generate** the SBOM with Yocto Project:\u003cbr\u003e\n   SPDXv3.0 is generated by default since Yocto Project Walnascar (5.2).\u003cbr\u003e\n   Add `INHERIT += \"vex\"` in your `local.conf`.\n\n3. **Retrieve** two artifacts from the Yocto Project `deploy` directory:\u003cbr\u003e\n   `${IMAGE_NAME}.rootfs.spdx.json`: The SPDX v3.0 SBOM file.\u003cbr\u003e\n   `${IMAGE_NAME}.rootfs.json`: File generated by the vex.bbclass.\n\n4. **Run** the CVE analysis:\u003cbr\u003e\n   ```\n    sbom-cve-check \\\n      --sbom-path ${IMAGE_NAME}.rootfs.spdx.json \\\n      --yocto-vex-manifest ${IMAGE_NAME}.rootfs.json \\\n      --export-type yocto-cve-check-manifest --export-path out.json\n   ```\n\n## Roadmap\n\n- Add support for the Ubuntu CVE tracker repository.\n- Automatically detect if a patch was backported.\n- Add more export formats, like for example OpenVEX.\n- Add CycloneDX (CDX) SBOM support as input.\n- Allow generating an SBOM (CDX or SPDX 3.0) as output even if the\n  SBOM specified as input is in another format.\n\n## Compatibility with Yocto Project\n\nThe compatibility with the SBOM generated by Yocto Project is described in the\n[Yocto Project SBOM](\nhttps://sbom-cve-check.readthedocs.io/en/latest/sbom.html#yocto-project-sbom) section.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbootlin%2Fsbom-cve-check","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbootlin%2Fsbom-cve-check","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbootlin%2Fsbom-cve-check/lists"}