Back in December 2025, we announced the release of sbom-cve-check, a lightweight CVE analysis tool for your Software Bill of Materials (SBOM).
Since the release announcement, the project has continued its development, and in this blog post, we wanted to share a number of updates about this project: a new 1.1.0 release, a new meta-sbom-cve-check layer, possible integration into the Yocto Project, and a talk at FOSDEM.
sbom-cve-check 1.1.0
After a first 1.0.1 release on December 1, 2025, sbom-cve-check's main developer and maintainer, Benjamin Robin, published the new 1.1.0 release on Feb 4, 2026. The changelog gives all the details, but here are the main highlights:
- Added support for Python 3.10, increasing compatibility with older systems.
- Added experimental support for Windows.
- Improved performance when removing outdated assessments or CVSS metrics associated with vulnerabilities.
- Enhanced logging messages for better clarity.
- Added statement and justification fields to the exported Yocto VEX manifest.
- Included package version alongside component version in exported files, as the two may differ during vulnerability analysis.
- Added the ability to generate a TOML configuration file to reproduce the current tool execution. Use the --gen-repro-config flag to generate this file.
- Improved code and user documentation.
There were also a number of fixes, such as restoring support for parallel execution (running multiple instances of sbom-cve-check in parallel).
meta-sbom-cve-check
sbom-cve-check itself is build-system agnostic and can operate on any SPDX3 compliant SBOM, regardless of which tool generated it. However, an important target for sbom-cve-check is clearly its use alongside the Yocto Project, as a replacement for the built-in cve-check mechanism.
To facilitate integration with the Yocto Project, we have developed and published meta-sbom-cve-check. This layer mainly does two things:
- “Build”/install the sbom-cve-check tool and its dependencies (as a native tool) during a Yocto build, making the tool readily available to perform CVE analysis.
- Optionally, run the CVE analysis directly as part of the build, reproducing the workflow that is achieved today with Yocto’s built-in cve-check. While we believe this workflow is not ideal, as CVE analysis is generally performed independently from the build, we wanted to provide a smooth transition for users who are used to the cve-check workflow.
Possible adoption by the Yocto Project
On Feb 4, 2026, prominent Yocto contributor Ross Burton posted a message titled Comparing cve-check with sbom-cve-check on the openembedded-core mailing list.
In his message, Ross reports on his successful testing of sbom-cve-check and his comparison against Yocto's built-in cve-check. Ross concludes his message with:
If this is done then I think sbom-cve-check is at least at parity with cve-check, and in many ways far superior. This will allow us to merge the few recipes and class from meta-sbom-cve-check into core, and delete cve-check.
This is of course very positive feedback, and in the TL;DR summarizing his findings, Ross was even clearer:
I think we can swap cve-check for sbom-cve-check in the LTS if we hurry.
We are definitely thrilled to see such positive feedback on sbom-cve-check, and we’re looking forward to seeing it adopted more widely by the Yocto Project.
Talk at FOSDEM
In order to raise awareness about sbom-cve-check, Benjamin Robin took the stage at the recent FOSDEM conference for a lightning talk titled sbom-cve-check: Lightweight open-source CVE analysis tool for your embedded systems. Check out the video below to get a quick overview of sbom-cve-check and its capabilities.
