https://github.com/bootlin/sbom-cve-check

Lightweight SBOM CVE analysis tool

# sbom-cve-check

`sbom-cve-check` is a lightweight, standalone and easy-to-use tool
that parses Software Bill of Materials (SBOM) files and, using publicly
available vulnerability databases (CVEs), produces a report detailing
which software components are affected by known security
vulnerabilities.

Key features provided by this tool:

- Accepts an SBOM file as input: currently supports SPDX v2.2 and SPDX v3.0.
- Supports multiple sources of vulnerability information: currently
[NVD](https://github.com/fkie-cad/nvd-json-data-feeds) and [CVE List](
https://github.com/CVEProject/cvelistV5).
- Can consume various annotation formats, like OpenVEX.
- Generates exports in multiple formats, including SPDX v3.0.
- Supports plugins to add additional features.
- Filters affected CVEs based on compiled sources: if the source file
affected by a CVE is not compiled in, this CVE is considered not
applicable. Mostly useful to filter Linux kernel CVEs.
- Has very few dependencies, is very lightweight and easy to set up and use.
- Fully open-source, under GPLv2.

See the [sbom-cve-check documentation](
https://sbom-cve-check.readthedocs.io/en/latest/index.html) for further details.
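To make the feature list above concrete, here is a toy matcher. It is an added example for this page, not code from sbom-cve-check: it reads package name/version pairs out of an SPDX 2.2 JSON document, matches them against records in the CVE List V5 layout, and then lets an OpenVEX `not_affected` statement override a match, which is the same shape of pipeline the tool describes. The SBOM, the CVE records (placeholder ids `CVE-0000-000x`, hypothetical products `libfoo` and `barbox`) and the OpenVEX document are all constructed inline, and the version comparison is a deliberate simplification that only understands numeric dotted versions.

```python
"""Toy SBOM-to-CVE matcher: an added illustration, not sbom-cve-check's
own code. Reads packages from an SPDX 2.2 JSON document, matches them
against CVE List V5-style records, then lets OpenVEX statements override
the result. All inputs are constructed; the CVE ids are hypothetical."""
import json

# Constructed SPDX 2.2 document with two hypothetical packages.
SPDX_SBOM = json.dumps({"spdxVersion": "SPDX-2.2", "packages": [
    {"name": "libfoo", "versionInfo": "1.2.11", "externalRefs": [
        {"referenceType": "purl", "referenceLocator": "pkg:generic/libfoo@1.2.11"}]},
    {"name": "barbox", "versionInfo": "1.36.1", "externalRefs": [
        {"referenceType": "purl", "referenceLocator": "pkg:generic/barbox@1.36.1"}]},
]})

# Constructed records in the CVE List V5 layout (hypothetical ids/products).
CVE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-0000-0001"}, "containers": {"cna": {"affected": [
        {"product": "libfoo", "versions": [
            {"version": "1.0", "status": "affected", "lessThan": "1.3.0"}]}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-0002"}, "containers": {"cna": {"affected": [
        {"product": "barbox", "versions": [
            {"version": "1.36.0", "status": "affected", "lessThanOrEqual": "1.36.0"}]}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-0003"}, "containers": {"cna": {"affected": [
        {"product": "barbox", "versions": [
            {"version": "1.36.1", "status": "affected"}]}]}}},
]

# Constructed OpenVEX document: the vulnerable code for CVE-0000-0003 is not
# built into this barbox, so that match is downgraded to not_affected.
OPENVEX = json.dumps({"@context": "https://openvex.dev/ns/v0.2.0", "statements": [
    {"vulnerability": {"name": "CVE-0000-0003"},
     "products": [{"@id": "pkg:generic/barbox@1.36.1"}],
     "status": "not_affected", "justification": "vulnerable_code_not_present"},
]})


def parse_version(text):
    """Dotted numeric version -> comparable tuple (trailing zeros dropped).

    Simplification: a real tool needs scheme-aware comparison (semver,
    Debian, custom). Non-numeric suffixes such as 'rc1' are ignored here.
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:   # 1.3.0 == 1.3
        parts.pop()
    return tuple(parts)


def range_matches(version, entry):
    """Does one CVE5 'versions' entry cover the given version string?"""
    if entry.get("status") != "affected":
        return False
    v = parse_version(version)
    start = parse_version(entry["version"])
    if "lessThan" in entry:
        return start <= v < parse_version(entry["lessThan"])
    if "lessThanOrEqual" in entry:
        return start <= v <= parse_version(entry["lessThanOrEqual"])
    return v == start          # no range given: a single affected version


def sbom_packages(spdx_json):
    """Yield name/version/purl for each package of an SPDX 2.2 JSON document."""
    for pkg in json.loads(spdx_json).get("packages", []):
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        yield {"name": pkg["name"], "version": pkg.get("versionInfo", ""),
               "purl": purl}


def find_affected(spdx_json, cve_records):
    """Match SBOM packages against CVE records by product name and version."""
    findings = []
    for pkg in sbom_packages(spdx_json):
        for rec in cve_records:
            cve_id = rec["cveMetadata"]["cveId"]
            for aff in rec["containers"]["cna"].get("affected", []):
                if aff.get("product") != pkg["name"]:
                    continue
                if any(range_matches(pkg["version"], e)
                       for e in aff.get("versions", [])):
                    findings.append(dict(pkg, cve=cve_id, status="affected"))
    return findings


def apply_openvex(findings, openvex_json):
    """Override a finding's status with OpenVEX statements keyed on (CVE, purl)."""
    overrides = {}
    for st in json.loads(openvex_json).get("statements", []):
        for prod in st.get("products", []):
            key = (st["vulnerability"]["name"], prod.get("@id"))
            overrides[key] = (st["status"], st.get("justification"))
    out = []
    for f in findings:
        status, just = overrides.get((f["cve"], f["purl"]), (f["status"], None))
        out.append(dict(f, status=status, justification=just))
    return out


def run_report():
    """Full pipeline on the constructed inputs; returns annotated findings."""
    return apply_openvex(find_affected(SPDX_SBOM, CVE_RECORDS), OPENVEX)


if __name__ == "__main__":
    for f in run_report():
        print(f"{f['cve']:14} {f['name']}-{f['version']:10} {f['status']}"
              + (f" ({f['justification']})" if f["justification"] else ""))
```

Running it reports `CVE-0000-0001` as affected for `libfoo-1.2.11` and `CVE-0000-0003` as `not_affected` for `barbox-1.36.1`, while `CVE-0000-0002` never appears because `1.36.1` is outside its `lessThanOrEqual` range. Note that the VEX override is keyed on the package URL, not only on the package name: a `not_affected` statement must be tied to the exact product it was written for, otherwise a statement made for one build would silently suppress a finding for another.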

## Motivation

This tool was started as a way of replacing the *cve-check* logic
implemented in Yocto, which requires running a full build to perform a
new CVE analysis. `sbom-cve-check` instead can run on the SBOM
produced once by Yocto Project and can be used to regularly run the CVE
analysis in less than a minute.

## Getting started

Assuming you're using the Yocto Project, four steps are enough:

1. **Install** the tool:

`pip install sbom-cve-check[extra]`

(You may want to do this in a Python virtual environment).

2. **Generate** the SBOM with Yocto Project:

SPDX v3.0 is generated by default since Yocto Project Walnascar (5.2).

Add `INHERIT += "vex"` to your `local.conf`.

3. **Retrieve** two artifacts from the Yocto Project `deploy` directory:

`${IMAGE_NAME}.rootfs.spdx.json`: The SPDX v3.0 SBOM file.

`${IMAGE_NAME}.rootfs.json`: File generated by the vex.bbclass.

4. **Run** the CVE analysis:

```
sbom-cve-check \
--sbom-path ${IMAGE_NAME}.rootfs.spdx.json \
--yocto-vex-manifest ${IMAGE_NAME}.rootfs.json \
--export-type yocto-cve-check-manifest --export-path out.json
```

## Roadmap

- Add support for the Ubuntu CVE tracker repository.
- Automatically detect if a patch was backported.
- Add more export formats, for example OpenVEX.
- Add CycloneDX (CDX) SBOM support as input.
- Allow generating an SBOM (CDX or SPDX 3.0) as output even if the
SBOM given as input is in another format.

## Compatibility with Yocto Project

The compatibility with the SBOM generated by Yocto Project is described in the
[Yocto Project SBOM](
https://sbom-cve-check.readthedocs.io/en/latest/sbom.html#yocto-project-sbom) section.