Software Bill of Material (SBOM) vulnerability scanner
Project description
SBOMSCAN
SBOMSCAN is a free, open source tool that scans an SBOM (Software Bill of Materials) in either SPDX or CycloneDX format for reported vulnerabilities. It identifies vulnerabilities for any component in the SBOM which has a valid PURL (Package URL) identifier; components without a PURL are counted but not looked up.
The application uses the [VulnerableCode database](https://public.vulnerablecode.io/).
Installation
To install use the following command:
pip install sbomscan
Alternatively, just clone the repo and install dependencies using the following command:
pip install -U -r requirements.txt
The tool requires Python 3 (3.10+). It is recommended to use a virtual Python environment, especially if you are using different versions of Python. virtualenv is a tool for setting up virtual Python environments, which lets you keep all the dependencies for the tool in a single environment, or maintain separate environments for testing with different versions of Python.
Usage
usage: sbomscan [-h] [-i INPUT_FILE] [--url URL] [-d] [--format {text,json,markdown}] [-o OUTPUT_FILE] [-V]
SBOMscan scans a Software Bill of Materials for vulnerabilities
options:
-h, --help show this help message and exit
-V, --version show program's version number and exit
Input:
-i INPUT_FILE, --input-file INPUT_FILE
filename of SBOM
--url URL endpoint for vulnerability database
Output:
-d, --debug add debug information
--format {text,json,markdown}
specify format of vulnerability report (default: text)
-o OUTPUT_FILE, --output-file OUTPUT_FILE
output filename (default: output to stdout)
Operation
The --input-file option is used to identify the SBOM to be scanned for vulnerabilities. Both SPDX and CycloneDX SBOMs are supported.
The --url option is used to identify the endpoint of the vulnerability database. If this option is not specified, a public instance of the database is used. This requires an API key which can be obtained from here. The API key must be stored in an environment variable called VULNCODE, so that it does not appear on the command line or in shell history.
The --format option is used to specify the format of the output: text (the default), JSON or Markdown.
The --output-file option is used to control the destination of the output generated by the tool. By default the report is written to the console; when the --format option is used, the report can instead be stored in a file specified with the --output-file option.
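The scan described above has two halves: pull every valid PURL out of the SBOM (CycloneDX `components[].purl`, or SPDX `externalRefs` with `referenceType: purl`), then send those PURLs to the vulnerability database in batches. The following is an added example illustrating that flow; it is not sbomscan's own code. The sample SBOMs are constructed, the CycloneDX one deliberately containing a nested component, a component without a PURL and a component with a malformed PURL so that the package count and PURL count differ, as they do in the summary output. The VulnerableCode endpoint path (`/api/packages/bulk_search`) and the `Authorization: Token` header format are assumptions, not confirmed by this page, and the requests are only built, never sent.

```python
import json
import os
import re
from typing import Iterable, Optional

# Simplified PURL syntax check: "pkg:" scheme, a type, a (namespace/)name and an
# optional @version, qualifiers and subpath. Enough to reject strings such as
# "npm:lodash" that are not PURLs at all.
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/[^@?#\s]+(@[^?#\s]+)?(\?[^#\s]*)?(#\S*)?$")

# Constructed sample SBOMs (not from the page), one per supported format.
CYCLONEDX_SAMPLE = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "ansi-regex", "version": "4.1.1",
         "purl": "pkg:npm/ansi-regex@4.1.1"},
        {"type": "library", "name": "axios", "version": "1.11.0",
         "purl": "pkg:npm/axios@1.11.0",
         "components": [  # nested component (CycloneDX assemblies)
             {"type": "library", "name": "fast-xml-parser", "version": "4.4.1",
              "purl": "pkg:npm/fast-xml-parser@4.4.1"}]},
        {"type": "application", "name": "internal-tool", "version": "0.1"},  # no PURL
        {"type": "library", "name": "broken", "version": "1.0", "purl": "npm:lodash"},  # malformed
    ],
}
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "requests", "versionInfo": "2.31.0", "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
        {"name": "openssl", "versionInfo": "3.0.13", "externalRefs": [  # CPE only, no PURL
            {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
             "referenceLocator": "cpe:2.3:a:openssl:openssl:3.0.13:*:*:*:*:*:*:*"}]},
    ],
}


def is_valid_purl(purl: Optional[str]) -> bool:
    return bool(purl) and PURL_RE.match(purl) is not None


def detect_sbom_type(doc: dict) -> str:
    """Return "cyclonedx" or "spdx" from the document's own markers."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if "spdxVersion" in doc:
        return "spdx"
    raise ValueError("not a recognised SPDX or CycloneDX JSON document")


def _walk_components(components) -> Iterable[dict]:
    # CycloneDX components may nest; walk them depth-first.
    for comp in components or []:
        yield comp
        yield from _walk_components(comp.get("components"))


def extract_purls(doc: dict) -> tuple[int, list[str]]:
    """Return (number of packages, unique valid PURLs in document order)."""
    kind = detect_sbom_type(doc)
    count, purls = 0, []
    if kind == "cyclonedx":
        for comp in _walk_components(doc.get("components")):
            count += 1
            if is_valid_purl(comp.get("purl")):
                purls.append(comp["purl"])
    else:
        for pkg in doc.get("packages", []):
            count += 1
            for ref in pkg.get("externalRefs", []):
                if ref.get("referenceType") == "purl" and is_valid_purl(ref.get("referenceLocator")):
                    purls.append(ref["referenceLocator"])
                    break  # one PURL per package is enough
    return count, list(dict.fromkeys(purls))


def build_lookup_requests(purls: list[str], url: str = "https://public.vulnerablecode.io",
                          api_key: Optional[str] = None, batch_size: int = 100) -> list[dict]:
    """Describe the HTTP requests a scanner would send, without sending them.

    Assumptions (not confirmed by the page): the bulk endpoint is
    POST /api/packages/bulk_search with body {"purls": [...]}, and the API key
    travels in an "Authorization: Token <key>" header. The key is read from the
    VULNCODE environment variable when not passed explicitly.
    """
    api_key = api_key if api_key is not None else os.environ.get("VULNCODE")
    headers = {"Content-Type": "application/json"}
    if api_key:
        headers["Authorization"] = f"Token {api_key}"
    endpoint = url.rstrip("/") + "/api/packages/bulk_search"
    return [{"method": "POST", "url": endpoint, "headers": headers,
             "body": json.dumps({"purls": purls[i:i + batch_size]})}
            for i in range(0, len(purls), batch_size)]


if __name__ == "__main__":
    for doc in (CYCLONEDX_SAMPLE, SPDX_SAMPLE):
        n, found = extract_purls(doc)
        print(f"{detect_sbom_type(doc)}: {n} packages, {len(found)} PURLs -> {found}")
    print(build_lookup_requests(extract_purls(CYCLONEDX_SAMPLE)[1], api_key="example")[0]["url"])
```

Note that the SPDX branch only accepts an external reference whose `referenceType` is `purl`; a package that carries only a CPE is counted as a package but never queried, which is exactly the gap the "Number of Packages" versus "Number of PURLs" lines in the summary make visible.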
Example output
╭───────────────────╮
│ SBOM Scan Summary │
╰───────────────────╯
┏━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Item ┃ Details ┃
┡━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ Scan Date │ 2026-05-29T19:20:35Z │
│ SBOM File │ xxxxxxxxx │
│ SBOM Type │ cyclonedx │
│ Number of Packages │ 1532 │
│ Number of PURLs │ 1529 │
└────────────────────┴────────────────────────────────────────────────────────────────────────┘
╭─────────────────╮
│ Vulnerabilities │
╰─────────────────╯
┏━━━━━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┓
┃ Package ┃ Version ┃ Vulnerability ┃ Source ┃ CVSS Score ┃ Severity ┃ EPSS Probability ┃ EPSS Percentile ┃
┡━━━━━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━┩
│ ansi-regex │ 4.1.1 │ CVE-2021-3807 │ NVD │ 7.5 (v3.1) │ HIGH │ 0.00397 │ 0.74348 │
│ axios │ 1.11.0 │ GHSA-43fc-jf86-j433 │ GITHUB │ 7.5 (v3.1) │ HIGH │ 0.00067 │ 0.20669 │
│ fast-xml-parser │ 4.4.1 │ CVE-2026-27942 │ NVD │ 2.7 (v4) │ LOW │ 0.00056 │ 0.17594 │
└──────────────────┴─────────┴──────────────────────────────────────────┴────────┴────────────┴──────────┴──────────────────┴─────────────────┘
Example JSON format
The following is an extract for
{
"sbom_scan_summary": [
{
"item": "Scan Date",
"details": "2026-05-29T18:32:55Z"
},
{
"item": "SBOM File",
"details": "xxxxxx"
},
{
"item": "SBOM Type",
"details": "cyclonedx"
},
{
"item": "Number of Packages",
"details": "1532"
},
{
"item": "Number of PURLs",
"details": "1529"
}
],
"vulnerabilities": [
{
"package": "ansi-regex",
"version": "4.1.1",
"vulnerability": "CVE-2021-3807",
"source": "NVD",
"cvss_score": "7.5 (v3.1)",
"severity": "HIGH",
"epss_probability": "0.00397",
"epss_percentile": "0.74348"
},
{
"package": "axios",
"version": "1.11.0",
"vulnerability": "GHSA-43fc-jf86-j433",
"source": "GITHUB",
"cvss_score": "7.5 (v3.1)",
"severity": "HIGH",
"epss_probability": "0.00067",
"epss_percentile": "0.20669"
},
{
"package": "fast-xml-parser",
"version": "4.4.1",
"vulnerability": "CVE-2026-27942",
"source": "NVD",
"cvss_score": "2.7 (v4)",
"severity": "LOW",
"epss_probability": "0.00056",
"epss_percentile": "0.17594"
},
....
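The JSON report is the form a CI job would consume. The following is an added example, not part of sbomscan, of gating a build on that report: a finding fails the gate when its severity reaches a floor, its EPSS probability reaches a threshold, or (optionally) its CVSS base score reaches a minimum, and findings with missing or unparsable scores are flagged rather than silently passed. The sample report is constructed in the shape shown above, trimmed to the three findings on the page; the `cvss_score` string format (`"7.5 (v3.1)"`) is taken from the page, and the policy thresholds are illustrative.

```python
import json
from typing import Optional

# Severity order used for the gate; anything not listed counts as unscored.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed report in the shape of the JSON output above (the real one continues).
SAMPLE_REPORT = {
    "sbom_scan_summary": [
        {"item": "Scan Date", "details": "2026-05-29T18:32:55Z"},
        {"item": "SBOM Type", "details": "cyclonedx"},
        {"item": "Number of Packages", "details": "1532"},
        {"item": "Number of PURLs", "details": "1529"},
    ],
    "vulnerabilities": [
        {"package": "ansi-regex", "version": "4.1.1", "vulnerability": "CVE-2021-3807",
         "source": "NVD", "cvss_score": "7.5 (v3.1)", "severity": "HIGH",
         "epss_probability": "0.00397", "epss_percentile": "0.74348"},
        {"package": "axios", "version": "1.11.0", "vulnerability": "GHSA-43fc-jf86-j433",
         "source": "GITHUB", "cvss_score": "7.5 (v3.1)", "severity": "HIGH",
         "epss_probability": "0.00067", "epss_percentile": "0.20669"},
        {"package": "fast-xml-parser", "version": "4.4.1", "vulnerability": "CVE-2026-27942",
         "source": "NVD", "cvss_score": "2.7 (v4)", "severity": "LOW",
         "epss_probability": "0.00056", "epss_percentile": "0.17594"},
    ],
}


def load_report(text: str) -> dict:
    """Parse a report produced with --format json (read from a file or stdout)."""
    return json.loads(text)


def parse_cvss(field: str) -> tuple[Optional[float], Optional[str]]:
    """Split the "7.5 (v3.1)" score format into (score, version)."""
    try:
        score, _, version = field.partition(" ")
        return float(score), version.strip("()") or None
    except (ValueError, AttributeError):
        return None, None


def _to_float(value) -> Optional[float]:
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def gate(report: dict, min_severity: str = "HIGH", epss_threshold: float = 0.1,
         min_cvss: Optional[float] = None) -> list[dict]:
    """Return the findings that violate the policy, highest EPSS first.

    Missing or unparsable severity, EPSS or CVSS fields are reported with the
    reason "unscored" so a gap in the data cannot quietly wave a package through.
    """
    floor = SEVERITY_RANK.get(min_severity.upper(), 0)
    failing = []
    for v in report.get("vulnerabilities", []):
        reasons = []
        sev = str(v.get("severity", "")).upper()
        epss = _to_float(v.get("epss_probability"))
        cvss, _ = parse_cvss(v.get("cvss_score", ""))
        if sev in SEVERITY_RANK and SEVERITY_RANK[sev] >= floor:
            reasons.append(f"severity {sev}")
        if epss is not None and epss >= epss_threshold:
            reasons.append(f"EPSS {epss:.5f} >= {epss_threshold}")
        if min_cvss is not None and cvss is not None and cvss >= min_cvss:
            reasons.append(f"CVSS {cvss} >= {min_cvss}")
        if sev not in SEVERITY_RANK or epss is None or cvss is None:
            reasons.append("unscored")
        if reasons:
            failing.append({**v, "reasons": reasons, "_epss": epss if epss is not None else -1.0})
    failing.sort(key=lambda f: f["_epss"], reverse=True)
    return failing


def exit_code(report: dict, **policy) -> int:
    """0 when the gate passes, 1 otherwise: what a CI step would return."""
    return 1 if gate(report, **policy) else 0


if __name__ == "__main__":
    for f in gate(SAMPLE_REPORT):
        print(f"{f['package']}@{f['version']} {f['vulnerability']}: {', '.join(f['reasons'])}")
    raise SystemExit(exit_code(SAMPLE_REPORT))
```

With the defaults, the two HIGH findings fail the gate and the LOW one passes even though its EPSS percentile is not negligible; lowering `epss_threshold` or setting `min_cvss` changes that, which is the point of keeping severity, exploit likelihood and base score as separate knobs rather than collapsing them into one number.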
Example Markdown format
| Item | Details |
|---|---|
| Scan Date | 2026-05-29T18:42:28Z |
| SBOM File | xxxx |
| SBOM Type | cyclonedx |
| Number of Packages | 1532 |
| Number of PURLs | 1529 |
Vulnerabilities
| Package | Version | Vulnerability | Source | CVSS Score | Severity | EPSS Probability | EPSS Percentile |
|---|---|---|---|---|---|---|---|
| ansi-regex | 4.1.1 | CVE-2021-3807 | NVD | 7.5 (v3.1) | HIGH | 0.00397 | 0.74348 |
| axios | 1.11.0 | GHSA-43fc-jf86-j433 | GITHUB | 7.5 (v3.1) | HIGH | 0.00067 | 0.20669 |
| fast-xml-parser | 4.4.1 | CVE-2026-27942 | NVD | 2.7 (v4) | LOW | 0.00056 | 0.17594 |
Licence
Licenced under the Apache 2.0 Licence.
Limitations
This tool only processes components in the SBOM with a valid PURL identifier.
Network access is required to access the vulnerability database. If this is not available, a limited amount of package metadata will be included.
Feedback and Contributions
Bugs and feature requests can be made via GitHub Issues.
Built Distribution
File details
Details for the file sbomscan-0.1.0-py3-none-any.whl.
File metadata
- Download URL: sbomscan-0.1.0-py3-none-any.whl
- Upload date:
- Size: 12.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.8
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 0438074d2dc8338b48e802c722db6b1734735beaff0e7033e90445cabef833af |
| MD5 | 7955b118e3574c0c7d3e52fd6c7dd720 |
| BLAKE2b-256 | e93de28008c380dcc3890581ccff06ab0ecbc259b4581f3619ed766bdeda220a |