Lightweight SBOM CVE analysis tool
Project description
sbom-cve-check
sbom-cve-check is a lightweight, standalone and easy-to-use tool
that parses Software Bill Of Materials (SBOM) files and using publicly
available databases of security vulnerabilities (CVEs), provides a
report detailing which software components are affected by known
security vulnerabilities.
Key features provided by this tool:
- Accepts an SBOM file as input: currently supports SPDXv2.2 and SPDXv3
- Supports multiple sources of vulnerability information: currently NVD and CVE List
- Can consume various annotation formats, like OpenVEX.
- Generates exports in multiple formats, including SPDX v3.0.
- Supports plugins to add additional features.
- Filters affected CVEs based on compiled sources: if the source file affected by a CVE is not compiled in, this CVE is considered not applicable. Mostly useful to filter Linux kernel CVEs
- Has very few dependencies, is very lightweight and easy to set up and use
- Fully open-source, under GPLv2
See the sbom-cve-check documentation for further details.
Motivation
This tool was started as a way of replacing the cve-check logic
implemented in Yocto, which requires running a full build to perform a
new CVE analysis. sbom-cve-check instead can run on the SBOM
produced once by Yocto and can be used to regularly run the CVE
analysis in less than a minute.
Getting started
Assuming you're using Yocto, 4 easy steps:
-
Install the tool:
pip install sbom-cve-check[extra]
(You may want to do this in a Python virtual environment) -
Generate the SBOM with Yocto:
SPDXv3.0 is generated by default since Yocto Walnascar (5.2)
AddINHERIT += "vex"in yourlocal.conf -
Retrieve two artifacts from the Yocto
deploydirectory:
${IMAGE_NAME}.rootfs.spdx.json: The SPDX v3.0 SBOM file.
${IMAGE_NAME}.rootfs.json: File generated by the vex.bbclass. -
Run the CVE analysis:
sbom-cve-check \ --sbom-path ${IMAGE_NAME}.rootfs.spdx.json \ --yocto-vex-manifest ${IMAGE_NAME}.rootfs.json \ --export-type yocto-cve-check-manifest --export-path out.json
Roadmap
- Add support of Ubuntu CVE tracker repository
- Automatically detect if a patch was backported
- Add more export formats, like for example OpenVEX.
- Add CycloneDX (CDX) SBOM support as input.
- Allow to generate an SBOM (CDX or SPDX 3.0) as output even if the SBOM specified as input is in another format.
Compatibility with Yocto
The compatibility with the SBOM generated by Yocto is described in the Yocto SBOM section.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file sbom_cve_check-1.0.1.tar.gz.
File metadata
- Download URL: sbom_cve_check-1.0.1.tar.gz
- Upload date:
- Size: 322.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4e2de57acc9d5fb188bec2368e49de0f23da658d2d2b547b6e8d7835ff64b95c
|
|
| MD5 |
c02d92c949e3bd9b0aee6441cb22417c
|
|
| BLAKE2b-256 |
debc8e63a843fd0bb18ff9851c912b2f2b88b1d4f02e7b5efacfed700a287084
|
File details
Details for the file sbom_cve_check-1.0.1-py3-none-any.whl.
File metadata
- Download URL: sbom_cve_check-1.0.1-py3-none-any.whl
- Upload date:
- Size: 83.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
17ca5dfb047eb5902b0efe9ce58863efc3955f9bf2e0db8df70ec67e72dc9ac0
|
|
| MD5 |
4bccd34673cbd49a14ad96b69746e929
|
|
| BLAKE2b-256 |
bfd66e16d33fc47e8583502f48b9c6948331e0b25020c09298e9b285d944e410
|
