sbom-cve-check updates: integrated in Yocto 6.0 Wrynose, Schneider Electric support, new releases, and more

Back in December 2025, we announced the release of sbom-cve-check, a lightweight CVE analysis tool for your Software Bill of Materials (SBOM). Since then we have published several updates and new releases, and work has continued: here is a new batch of news about sbom-cve-check.

Integration into Yocto 6.0 Wrynose

The Yocto Project has just announced the release of their version 6.0, codenamed Wrynose.

Among the important changes brought by this new release is that Bootlin's sbom-cve-check has been integrated as the new official tool for CVE analysis, replacing the cve-check tool previously shipped with Yocto. We are proud of this achievement, which makes sbom-cve-check the reference tool for CVE analysis in the Yocto ecosystem. sbom-cve-check can be run from a Yocto build thanks to the sbom-cve-check class.

Support from Schneider Electric

Many of Schneider Electric's industrial products rely on Embedded Linux as the operating system for their embedded devices. Because these products require maintenance over very long life cycles, Schneider Electric uses the Yocto Project as the foundation for building and maintaining their firmware platforms.

In this context, the absence of a modern open-source tool capable of performing post-build analysis of SPDX 3 SBOMs was becoming a bottleneck for effective security maintenance workflows. To address this gap, Schneider Electric took the initiative to fund the initial development of sbom-cve-check, laying the groundwork for a more robust and automated open-source approach to vulnerability management.

This support helps Bootlin carry out the maintenance of sbom-cve-check, ensuring that the project remains sustainable and keeps evolving alongside the Embedded Linux ecosystem and a constantly changing cybersecurity landscape.

New releases of sbom-cve-check

Since our last blog post announcing version 1.2.1, two new releases have been published: 1.3.0 and 1.3.1. Here are some of the highlights of those releases:

  • Relative Paths in TOML: Paths in TOML configuration files can now be relative to the current working directory. By default, paths remain relative to the directory containing the TOML file.
  • Products Database: Added a products database to map vendor and product names to Component Identifiers, addressing cases where the CVEList database lacks CPEs.
  • CNA Database: Added a CNA database for improved CNA/ADP identification and handling.
  • ADP Entry Exclusion: Outdated ADP entries are now excluded if the CNA has updated its entry more recently.
  • Enhanced VEX Assessment: Improved VEX assessment generation with clearer messages indicating the version in which a vulnerability was fixed, as detailed in the design documentation.
  • Version Parsing: Updated version parsing to support formats like 5-1.3.4.
  • Dependency Compatibility: Updated code to ensure compatibility with spdx_python_model==0.0.5 (generated by shacl2code 1.0.1).
  • Deprecated Options: Removed deprecated option flags.
  • New CLI Flag: Added the --set-db-cfg argument for configuring databases from the command line.
  • License: Changed the license from GPL-2.0-only to GPL-2.0-or-later.
  • Static Type Checking: Added the ty static type checker and fixed the warnings it reported.
  • And of course a number of fixes and smaller improvements.
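To make the "ADP Entry Exclusion" item above concrete, here is an added illustration of the idea (example code written for this post, not sbom-cve-check's own implementation). A CVE JSON 5.x record carries a `cna` container plus zero or more `adp` enrichment containers, each stamped with `providerMetadata.dateUpdated`. The snippet keeps the CNA's `affected` data, drops any ADP container whose `dateUpdated` is older than the CNA's (its enrichment then describes a superseded revision of the record), and skips metrics-only ADP containers that carry no version data. The record fragment, the vendor/product names and the provider short names are constructed for the example; the field names follow the CVE 5.x record format.

```python
"""Added illustration (not sbom-cve-check's own code): choosing between CNA and
ADP 'affected' data in a CVE JSON 5.x record, dropping ADP containers that are
older than the CNA's latest update."""
from datetime import datetime, timezone


def parse_cve_date(value):
    """Parse a CVE 5.x providerMetadata.dateUpdated timestamp (ISO 8601 with a
    trailing 'Z' or an explicit offset). Returns a tz-aware datetime, or None
    when the field is absent."""
    if not value:
        return None
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # tolerate naive timestamps by assuming UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def select_affected_sources(containers):
    """Return [(source_name, affected_list)] worth consulting.

    The CNA container is always kept. An ADP container is dropped when the CNA
    updated its entry more recently than the ADP did, because the ADP's
    enrichment then describes a superseded version of the record."""
    cna = containers.get("cna", {})
    cna_meta = cna.get("providerMetadata", {})
    cna_date = parse_cve_date(cna_meta.get("dateUpdated"))
    selected = [(cna_meta.get("shortName", "cna"), cna.get("affected", []))]
    for adp in containers.get("adp", []):
        meta = adp.get("providerMetadata", {})
        adp_affected = adp.get("affected")
        if not adp_affected:
            continue  # metrics-only ADP entry: no version data to merge
        adp_date = parse_cve_date(meta.get("dateUpdated"))
        if cna_date is not None and adp_date is not None and adp_date < cna_date:
            continue  # outdated ADP entry: the CNA has revised the record since
        selected.append((meta.get("shortName", "adp"), adp_affected))
    return selected


def affected_ranges(containers):
    """Flatten the selected sources into (source, vendor, product, status, lessThan) rows."""
    rows = []
    for source, affected in select_affected_sources(containers):
        for entry in affected:
            for v in entry.get("versions", []):
                rows.append((source, entry.get("vendor"), entry.get("product"),
                             v.get("status"), v.get("lessThan")))
    return rows


# Constructed sample record fragment (not a real CVE): the CNA revised its fixed
# version on 2025-03-10; one ADP enriched the record before that, another after.
SAMPLE_CONTAINERS = {
    "cna": {
        "providerMetadata": {"shortName": "examplecna", "dateUpdated": "2025-03-10T12:00:00.000Z"},
        "affected": [{"vendor": "examplevendor", "product": "examplelib",
                      "versions": [{"version": "0", "status": "affected",
                                    "lessThan": "1.4.2", "versionType": "semver"}]}],
    },
    "adp": [
        {   # stale: enriched from an earlier CNA revision that still said 1.4.0
            "providerMetadata": {"shortName": "stale-adp", "dateUpdated": "2025-02-01T09:00:00.000Z"},
            "affected": [{"vendor": "examplevendor", "product": "examplelib",
                          "versions": [{"version": "0", "status": "affected",
                                        "lessThan": "1.4.0", "versionType": "semver"}]}],
        },
        {   # current: updated after the CNA, adds a CPE and agrees on 1.4.2
            "providerMetadata": {"shortName": "current-adp", "dateUpdated": "2025-04-01T08:30:00.000Z"},
            "affected": [{"vendor": "examplevendor", "product": "examplelib",
                          "cpes": ["cpe:2.3:a:examplevendor:examplelib:*:*:*:*:*:*:*:*"],
                          "versions": [{"version": "0", "status": "affected",
                                        "lessThan": "1.4.2", "versionType": "semver"}]}],
        },
        {   # metrics-only ADP entry: nothing to merge regardless of its date
            "providerMetadata": {"shortName": "metrics-adp", "dateUpdated": "2025-01-15T00:00:00.000Z"},
            "metrics": [{"cvssV3_1": {"baseScore": 7.5}}],
        },
    ],
}

if __name__ == "__main__":
    for row in affected_ranges(SAMPLE_CONTAINERS):
        print(row)
```

Without the date comparison, the stale ADP range (`lessThan: 1.4.0`) would coexist with the CNA's `1.4.2`, and a component at version 1.4.1 could be reported as unaffected by one source and affected by another; keeping only the most recently maintained data avoids that contradiction.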

Registered as an official SPDX tool

Finally, sbom-cve-check is now registered as one of the official SPDX tools on SPDX.dev.

Author: Thomas Petazzoni

Thomas Petazzoni is Bootlin's co-owner and CEO. Thomas joined Bootlin in 2008 as a kernel and embedded Linux engineer, became CTO in 2013, and co-owner/CEO in 2021.