We are pleased to announce the release of sbom-cve-check v1.2.0, which focuses on offline usability, improved SPDX 3.0 support, and more flexible export options.
For the record, sbom-cve-check is a lightweight, standalone and easy-to-use tool that parses Software Bill of Materials (SBOM) files and, using publicly available databases of security vulnerabilities (CVEs), produces a report detailing which software components are affected by known security vulnerabilities. sbom-cve-check is developed and maintained by Bootlin engineer Benjamin Robin.
In the next sections we will describe the major updates brought by this 1.2.0 release.
Offline usage
This version introduces the --disable-auto-updates flag, which allows sbom-cve-check to run without network access by disabling the automatic updates of the Git-hosted vulnerability databases. The local copies of those databases must already be present, and they are used as they are, so a report produced in this mode is only as current as the last update that was fetched.
Compression support
Input SBOMs and exported files can now be compressed. Files with the .zst extension (Zstandard) are detected and handled automatically, both when reading and when writing.
Improved exports
The export system has been enhanced in several ways:
- A new summary text report provides a concise, human-readable overview of the analysis results. This feature was contributed by core Yocto/OpenEmbedded contributor Ross Burton.
- Exported files can now be written directly to standard output.
- The --export-spdx-pkg-include-vex option allows VEX information to be linked directly to binary packages in SPDX 3 exports, providing compatibility for downstream tools that cannot trace back to the recipe to locate VEX information.
Better SPDX 3.0 support
Package extraction from SPDX 3.0 SBOMs has been updated. SBOMs no longer require a build_Build object, and specification packages are now supported. Additionally, patches associated with VEX “fixed” relationships are extracted when available, improving remediation tracking.
Smarter annotation handling
Annotation application is now stricter: an annotation is only applied if both the component identifier and version match. This reduces incorrect CVE associations caused by version mismatches in SBOMs.
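To make the matching rule concrete, here is an added Python illustration (not code from sbom-cve-check; the record layouts, component names and CVE identifiers are constructed for the example) comparing strict matching on both component identifier and version with the looser identifier-only matching, and listing the CVEs the loose rule would silently drop from the report.

```python
"""Strict vs. loose annotation matching (illustrative, not sbom-cve-check's code).

An annotation says "this CVE does not apply to component X at version Y"
(for example because a fix was backported). Applying it on the identifier
alone would also silence the CVE for other versions of X, which may still
be vulnerable: a false negative in a security report. Matching on
identifier AND version avoids that.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    cves: frozenset  # CVE IDs the vulnerability database reports for this version


@dataclass(frozen=True)
class Annotation:
    name: str
    version: str
    cve: str
    status: str  # e.g. "not_affected" or "fixed"


# Constructed sample data: placeholder component names and CVE identifiers.
SAMPLE_COMPONENTS = [
    Component("libfoo", "1.2.3", frozenset({"CVE-0000-0001", "CVE-0000-0002"})),
    Component("libfoo", "1.4.0", frozenset({"CVE-0000-0001"})),
    Component("libbar", "2.0.0", frozenset({"CVE-0000-0003"})),
]
SAMPLE_ANNOTATIONS = [
    # Backported fix: only libfoo 1.2.3 is known to be unaffected.
    Annotation("libfoo", "1.2.3", "CVE-0000-0001", "not_affected"),
    # Version in the annotation (2.0.1) does not match the SBOM (2.0.0).
    Annotation("libbar", "2.0.1", "CVE-0000-0003", "fixed"),
]


def apply_annotations(components, annotations, *, strict=True):
    """Return {(name, version): set of CVEs still open} after applying annotations.

    strict=True  -> an annotation applies only if name AND version match.
    strict=False -> an annotation applies whenever the name matches.
    """
    report = {}
    for comp in components:
        open_cves = set(comp.cves)
        for ann in annotations:
            if ann.name != comp.name:
                continue
            if strict and ann.version != comp.version:
                continue  # version mismatch: keep the CVE in the report
            open_cves.discard(ann.cve)
        report[(comp.name, comp.version)] = open_cves
    return report


def missed_cves(components, annotations):
    """CVEs that loose matching suppresses but strict matching keeps.

    Each entry is (name, version, cve): a vulnerability that would vanish
    from the report because of an annotation written for another version.
    """
    strict = apply_annotations(components, annotations, strict=True)
    loose = apply_annotations(components, annotations, strict=False)
    return {
        (name, version, cve)
        for (name, version), cves in strict.items()
        for cve in cves - loose[(name, version)]
    }


if __name__ == "__main__":
    for key, cves in sorted(apply_annotations(SAMPLE_COMPONENTS, SAMPLE_ANNOTATIONS).items()):
        print(key, sorted(cves))
    print("dropped by loose matching:", sorted(missed_cves(SAMPLE_COMPONENTS, SAMPLE_ANNOTATIONS)))
```

With the sample data, strict matching keeps CVE-0000-0001 open for libfoo 1.4.0 and CVE-0000-0003 open for libbar 2.0.0; the loose rule would drop both. The cost of the strict rule is the opposite error: an annotation whose version is slightly off is ignored and the CVE is reported again, which is the safer failure mode and is also easy to spot and correct in the SBOM.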
Yocto integration
The work on integrating sbom-cve-check into Yocto is making progress: several prerequisites, including a recipe for sbom-cve-check itself, have already been merged into OpenEmbedded-Core, and Benjamin Robin has posted the fourth iteration of the patch series integrating sbom-cve-check into Yocto.
Conclusion
Version 1.2.0 makes sbom-cve-check more robust and adaptable to a variety of workflows, particularly for offline environments and automated pipelines. Users are encouraged to upgrade to take advantage of the new features and improved SPDX 3.0 handling. Don’t hesitate to provide your feedback!
