Skip to main content

Lightweight SBOM CVE analysis tool

Project description

sbom-cve-check

sbom-cve-check is a lightweight, standalone and easy-to-use tool that parses Software Bill Of Materials (SBOM) files and using publicly available databases of security vulnerabilities (CVEs), provides a report detailing which software components are affected by known security vulnerabilities.

Key features provided by this tool:

  • Accepts an SBOM file as input: currently supports SPDXv2.2 and SPDXv3.
  • Supports multiple sources of vulnerability information: currently NVD and CVE List.
  • Can consume various annotation formats, like OpenVEX.
  • Generates exports in multiple formats, including SPDX v3.0.
  • Supports plugins to add additional features.
  • Filters affected CVEs based on compiled sources: if the source file affected by a CVE is not compiled in, this CVE is considered not applicable. Mostly useful to filter Linux kernel CVEs.
  • Has very few dependencies, is very lightweight and easy to set up and use.
  • Fully open-source, under GPLv2.

See the sbom-cve-check documentation for further details.

Motivation

This tool was started as a way of replacing the cve-check logic implemented in Yocto, which requires running a full build to perform a new CVE analysis. sbom-cve-check instead can run on the SBOM produced once by Yocto Project and can be used to regularly run the CVE analysis in less than a minute.

Getting started

Assuming you're using Yocto Project, 4 easy steps:

  1. Install the tool:
    pip install sbom-cve-check[extra]
    (You may want to do this in a Python virtual environment).

  2. Generate the SBOM with Yocto Project:
    SPDXv3.0 is generated by default since Yocto ProjectWalnascar (5.2).
    Add INHERIT += "vex" in your local.conf.

  3. Retrieve two artifacts from the Yocto Projectdeploy directory:
    ${IMAGE_NAME}.rootfs.spdx.json: The SPDX v3.0 SBOM file.
    ${IMAGE_NAME}.rootfs.json: File generated by the vex.bbclass.

  4. Run the CVE analysis:

     sbom-cve-check \
       --sbom-path ${IMAGE_NAME}.rootfs.spdx.json \
       --yocto-vex-manifest ${IMAGE_NAME}.rootfs.json \
       --export-type yocto-cve-check-manifest --export-path out.json
    

Roadmap

  • Add support of Ubuntu CVE tracker repository.
  • Automatically detect if a patch was backported.
  • Add more export formats, like for example OpenVEX.
  • Add CycloneDX (CDX) SBOM support as input.
  • Allow to generate an SBOM (CDX or SPDX 3.0) as output even if the SBOM specified as input is in another format.

Compatibility with Yocto Project

The compatibility with the SBOM generated by Yocto Project is described in the Yocto Project SBOM section.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sbom_cve_check-1.3.2.tar.gz (190.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

sbom_cve_check-1.3.2-py3-none-any.whl (172.4 kB view details)

Uploaded Python 3

File details

Details for the file sbom_cve_check-1.3.2.tar.gz.

File metadata

  • Download URL: sbom_cve_check-1.3.2.tar.gz
  • Upload date:
  • Size: 190.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for sbom_cve_check-1.3.2.tar.gz
Algorithm Hash digest
SHA256 0a7f07a0c6ce45d40adc6d311ddc25c4466f59bafcbce149b6fb3663791a5d89
MD5 17aa5c6183c54a43f424b05dbf968c05
BLAKE2b-256 78a4e940e59473406ad5123678502b82ea9d526212c8db8e68f0cba7848c06a4

See more details on using hashes here.

Provenance

The following attestation bundles were made for sbom_cve_check-1.3.2.tar.gz:

Publisher: publish-release.yaml on bootlin/sbom-cve-check

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sbom_cve_check-1.3.2-py3-none-any.whl.

File metadata

  • Download URL: sbom_cve_check-1.3.2-py3-none-any.whl
  • Upload date:
  • Size: 172.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for sbom_cve_check-1.3.2-py3-none-any.whl
Algorithm Hash digest
SHA256 9411d525dcc93703ab0d6c4fd449eadf7a05795bbe55cd14c29f3a726d460e5e
MD5 42765845761fa9435a82bdc7325a0f65
BLAKE2b-256 324e9bf247f44a3f6f5f3936a304f1d604a7db9bfd63a9c422a6889e1a1f32b6

See more details on using hashes here.

Provenance

The following attestation bundles were made for sbom_cve_check-1.3.2-py3-none-any.whl:

Publisher: publish-release.yaml on bootlin/sbom-cve-check

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page