Today, we are happy to announce the first release of a brand new open-source project: sbom-cve-check, a lightweight CVE analysis tool for your Software Bill of Materials (SBOM). Written in Python, with minimal dependencies, and a very simple workflow in mind, sbom-cve-check will parse your SBOM (SPDX v2.2 or SPDX v3.0 currently supported), and using publicly available databases of security vulnerabilities, will generate a report of known security vulnerabilities affecting the software components listed in your SBOM.
This tool will be presented tomorrow, December 2 at 3:40 PM, at the Yocto Project Virtual Summit 2025.12, in a talk titled "sbom-cve-check: Lightweight Python tooling for out-of-build CVE analysis of SPDX3 SBOMs", given by Bootlin engineers Benjamin Robin and Olivier Benjamin.
Motivation
The initial motivation for sbom-cve-check is to have a replacement for the Yocto cve-check, which, being part of Yocto itself, requires performing a Yocto build every time a new CVE analysis is wanted. This doesn't match the typical workflow of CVE analysis, where a given system image and its SBOM are produced once, and the CVE analysis then needs to be re-run on a regular basis, against updated vulnerability databases, to identify new vulnerabilities affecting that same image.
sbom-cve-check allows precisely this: performing the CVE analysis independently from the build, quickly (a run takes between a few dozen seconds and 1-2 minutes depending on the size of the input SBOM), and with minimal complexity. Several other CVE analysis tools are very complex to set up and use: they have a Web front-end plus a back-end, a database, complex dependencies, require Docker containers, and more. sbom-cve-check is implemented in Python, takes a few command line arguments and gets the job done.
Key features
- Accepts an SBOM file as input: currently supports SPDX v2.2 and SPDX v3
- Supports multiple sources of vulnerability information: currently NVD and CVE List
- Can consume various annotation formats, like OpenVEX
- Generates exports in multiple formats, including SPDX v3
- Supports plugins to add additional features
- Filters affected CVEs based on compiled sources: if the source file affected by a CVE was not compiled into the package, the CVE is considered not applicable. This is mostly useful for filtering Linux kernel CVEs, where a large share of the reported issues live in drivers and subsystems that a given configuration does not build
- Very few dependencies, lightweight, easy to setup and use
- Fully open-source, under GPLv2
Getting started
Assuming you're using Yocto, 4 easy steps:
- Install the tool (you may want to do this in a Python virtual environment):
pip install sbom-cve-check[extra]
- Generate the SBOM with Yocto:
SPDX v3.0 is generated by default since Yocto Walnascar (5.2)
Add INHERIT += "vex" in your local.conf
- Retrieve two artifacts from the Yocto deploy directory:
${IMAGE_NAME}.rootfs.spdx.json: the SPDX v3.0 SBOM file
${IMAGE_NAME}.rootfs.json: the file generated by vex.bbclass
- Run the CVE analysis:
sbom-cve-check --sbom-path ${IMAGE_NAME}.rootfs.spdx.json --yocto-vex-manifest ${IMAGE_NAME}.rootfs.json --export-type yocto-cve-check-manifest --export-path out.json
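To make the pipeline behind the key features and the four steps above concrete, here is an added, self-contained Python example. It is not code from sbom-cve-check or from Bootlin: it models the stages the tool performs (extract packages from an SPDX 3.0 SBOM, match them against a vulnerability feed, apply OpenVEX statements, drop CVEs whose affected source files were not compiled) on constructed inputs. Assumptions: the SPDX 3.0 JSON-LD layout used here (a @graph array whose package elements have type software_Package with name and software_packageVersion) and the OpenVEX statement shape are reproduced from memory, the vulnerability feed is a hand-built table using placeholder identifiers of the form CVE-0000-000N (not real CVEs), the pkg:generic purl scheme used to tie VEX products to packages is a convention chosen for this example, and matching is done on exact version strings, which is a simplification of the CPE and version-range matching real tools do.

```python
"""Toy model of an out-of-build CVE check over an SPDX 3.0 SBOM.

Added example, not sbom-cve-check's own code. All inputs below are constructed.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed SPDX 3.0 JSON-LD fragment. Layout (a @graph of elements, packages
# typed software_Package with name/software_packageVersion) is an assumption
# about the real serialization; check it against your own .spdx.json.
SBOM_JSON = json.dumps({
    "@graph": [
        {"type": "software_Package", "spdxId": "urn:ex:pkg-libfoo",
         "name": "libfoo", "software_packageVersion": "1.2.1"},
        {"type": "software_Package", "spdxId": "urn:ex:pkg-linux",
         "name": "linux", "software_packageVersion": "6.6.0"},
        {"type": "software_Package", "spdxId": "urn:ex:pkg-libbar",
         "name": "libbar", "software_packageVersion": "2.0"},
        # Non-package elements must be ignored by the package extractor.
        {"type": "software_File", "spdxId": "urn:ex:file-1",
         "name": "/usr/lib/libfoo.so"},
    ],
})

# Constructed vulnerability feed with placeholder IDs (not real CVEs).
# "files" lists the source files a CVE touches, when the feed knows them.
VULN_DB = [
    {"id": "CVE-0000-0001", "package": "libfoo",
     "affected_versions": ["1.2.0", "1.2.1"], "files": None},
    {"id": "CVE-0000-0002", "package": "linux",
     "affected_versions": ["6.6.0"], "files": ["drivers/net/wireless/fake.c"]},
    {"id": "CVE-0000-0003", "package": "linux",
     "affected_versions": ["6.6.0"], "files": ["net/ipv4/tcp.c"]},
    {"id": "CVE-0000-0004", "package": "libbar",
     "affected_versions": ["2.0"], "files": None},
]

# Constructed OpenVEX document: one not_affected statement for libbar.
OPENVEX = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.com/vex/constructed-1",
    "author": "constructed example",
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0004"},
         "products": [{"@id": "pkg:generic/libbar@2.0"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_present"},
    ],
}

# Constructed per-package set of source files that were actually compiled.
# Only packages present here are subject to the compiled-sources filter.
COMPILED_FILES: Dict[str, Set[str]] = {
    "linux": {"net/ipv4/tcp.c", "kernel/fork.c"},
}


@dataclass
class Finding:
    cve: str
    package: str
    version: str
    status: str  # "unpatched", "vex_not_affected", "vex_fixed", "not_compiled"


def parse_spdx3_packages(sbom_text: str) -> List[Dict[str, str]]:
    """Return {name, version} for every software_Package element in the SBOM."""
    doc = json.loads(sbom_text)
    packages = []
    for element in doc.get("@graph", []):
        if element.get("type") != "software_Package":
            continue
        packages.append({"name": element["name"],
                         "version": element.get("software_packageVersion", "")})
    return packages


def match_vulnerabilities(packages, vuln_db) -> List[Finding]:
    """Exact version-string match; real tools match CPEs and version ranges."""
    findings = []
    for pkg in packages:
        for vuln in vuln_db:
            if vuln["package"] == pkg["name"] and pkg["version"] in vuln["affected_versions"]:
                findings.append(Finding(vuln["id"], pkg["name"], pkg["version"], "unpatched"))
    return findings


def purl(package: str, version: str) -> str:
    """Product identifier convention assumed for this example."""
    return f"pkg:generic/{package}@{version}"


def apply_openvex(findings: List[Finding], vex_doc) -> List[Finding]:
    """Mark findings covered by a not_affected/fixed statement for that product."""
    resolved: Dict[tuple, str] = {}
    for stmt in vex_doc.get("statements", []):
        for product in stmt.get("products", []):
            resolved[(stmt["vulnerability"]["name"], product["@id"])] = stmt["status"]
    for f in findings:
        status: Optional[str] = resolved.get((f.cve, purl(f.package, f.version)))
        if status in ("not_affected", "fixed"):
            f.status = f"vex_{status}"
    return findings


def filter_by_compiled_sources(findings, vuln_db, compiled: Dict[str, Set[str]]):
    """Drop CVEs whose affected files are all absent from the package's build."""
    files_by_cve = {v["id"]: v.get("files") for v in vuln_db}
    for f in findings:
        affected = files_by_cve.get(f.cve)
        built = compiled.get(f.package)
        if f.status == "unpatched" and affected and built is not None:
            if not set(affected) & built:
                f.status = "not_compiled"
    return findings


def analyze(sbom_text, vuln_db, vex_doc, compiled) -> Dict[str, str]:
    """Run the full pipeline and return {cve_id: final status}."""
    findings = match_vulnerabilities(parse_spdx3_packages(sbom_text), vuln_db)
    apply_openvex(findings, vex_doc)
    filter_by_compiled_sources(findings, vuln_db, compiled)
    return {f.cve: f.status for f in findings}


if __name__ == "__main__":
    for cve, status in sorted(analyze(SBOM_JSON, VULN_DB, OPENVEX, COMPILED_FILES).items()):
        print(cve, status)
```

Two points are worth keeping in mind when reading the output. The VEX step only suppresses a finding when the statement's product identifier matches the exact package and version under analysis, so a not_affected statement written for one version does not silently carry over to the next. The compiled-sources filter only fires for packages for which a built-file list is available and only for CVEs whose feed entry names the affected files; a CVE with no file information stays reported, which is the conservative choice.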
Check out the official documentation for more details on how to use sbom-cve-check, and don't hesitate to contribute or report issues.
