Today, we are happy to announce the first release of a brand new open-source project: sbom-cve-check, a lightweight CVE analysis tool for your Software Bill of Materials (SBOM). Written in Python, with minimal dependencies, and a very simple workflow in mind, sbom-cve-check will parse your SBOM (SPDX v2.2 or SPDX v3.0 currently supported), and using publicly available databases of security vulnerabilities, will generate a report of known security vulnerabilities affecting the software components listed in your SBOM.
This tool will be presented tomorrow, on December 2 at 3:40 PM during the Yocto Project Virtual Summit 2025.12 during a talk titled sbom-cve-check: Lightweight Python tooling for out-of-build CVE analysis of SPDX3 SBOMs, presented by Bootlin engineers Benjamin Robin and Olivier Benjamin.
Motivation
The initial motivation for sbom-cve-check is to have a replacement for the Yocto cve-check, which, being part of Yocto itself, requires a Yocto build for every new CVE analysis. This doesn't match the typical workflow of CVE analysis, where a given system image and its SBOM are produced once, and CVE analysis then needs to be performed on a regular basis to identify new vulnerabilities affecting that system image.
sbom-cve-check allows precisely this: performing the CVE analysis independently from the build, with very high efficiency (between a few dozen seconds and 1-2 minutes depending on the size of the input SBOM), and with minimal complexity. Several other CVE analysis tools are very complex to set up and use: they have a Web front-end plus a back-end, a database, complex dependencies, require Docker containers, and more. sbom-cve-check is implemented in Python, takes a few command line arguments and gets the job done.
Key features
- Accepts an SBOM file as input: currently supports SPDX v2.2 and SPDX v3
- Supports multiple sources of vulnerability information: currently NVD and CVE List
- Can consume various annotation formats, like OpenVEX
- Generates exports in multiple formats, including SPDX v3
- Supports plugins to add additional features
- Filters affected CVEs based on compiled sources: if the source file affected by a CVE is not compiled in, this CVE is considered not applicable. Mostly useful to filter Linux kernel CVEs
- Very few dependencies, lightweight, easy to set up and use
- Fully open-source, under GPLv2
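To make the core of the workflow concrete, here is an added example (not code from sbom-cve-check itself) that does what the tool does in miniature: read the software_Package elements out of a constructed SPDX v3.0 JSON-LD document, then match each package name and version against a constructed, simplified vulnerability list. The record shape (product, introduced, fixed_in), the placeholder CVE ids, and the integer-tuple version comparison are all assumptions made for illustration; the real tool consumes NVD and CVE List feeds, whose formats are richer.

```python
import json

# Constructed, minimal SPDX 3.0 JSON-LD document (not a real Yocto SBOM):
# element type "software_Package" carries name and software_packageVersion.
SPDX3_SAMPLE = json.dumps({
    "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
    "@graph": [
        {"type": "software_Package", "spdxId": "urn:example:pkg-zlib",
         "name": "zlib", "software_packageVersion": "1.2.11"},
        {"type": "software_Package", "spdxId": "urn:example:pkg-openssl",
         "name": "openssl", "software_packageVersion": "3.0.15"},
        {"type": "software_File", "spdxId": "urn:example:file-1",
         "name": "/usr/lib/libz.so.1"},  # not a package: must be ignored
    ],
})

# Constructed vulnerability records with placeholder ids (assumption: a
# simplified shape standing in for NVD / CVE List data, not real CVEs).
VULN_DB = [
    {"id": "CVE-0000-0001", "product": "zlib", "fixed_in": "1.2.12"},
    {"id": "CVE-0000-0002", "product": "openssl",
     "introduced": "3.0.0", "fixed_in": "3.0.14"},
    {"id": "CVE-0000-0003", "product": "busybox"},  # no matching package
]


def parse_version(v):
    """Simplification: dotted numeric versions compared as integer tuples."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def packages_from_spdx3(doc_text):
    """Return {name: version} for every software_Package in the @graph."""
    pkgs = {}
    for el in json.loads(doc_text).get("@graph", []):
        if el.get("type") == "software_Package" and "software_packageVersion" in el:
            pkgs[el["name"]] = el["software_packageVersion"]
    return pkgs


def is_affected(version, rec):
    """Affected if version >= introduced (when given) and < fixed_in (when given)."""
    v = parse_version(version)
    if "introduced" in rec and v < parse_version(rec["introduced"]):
        return False
    if "fixed_in" in rec and v >= parse_version(rec["fixed_in"]):
        return False
    return True


def find_vulnerabilities(doc_text, db):
    """List (cve_id, package, version) for every affected package in the SBOM."""
    pkgs = packages_from_spdx3(doc_text)
    return sorted((r["id"], n, v) for n, v in pkgs.items()
                  for r in db if r["product"] == n and is_affected(v, r))
```

Running find_vulnerabilities(SPDX3_SAMPLE, VULN_DB) reports only zlib 1.2.11, since openssl 3.0.15 is past the constructed fix version and busybox is not in the SBOM.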
Getting started
Assuming you're using Yocto, 4 easy steps:
- Install the tool:
pip install sbom-cve-check[extra]
(You may want to do this in a Python virtual environment)
- Generate the SBOM with Yocto:
SPDX v3.0 is generated by default since Yocto Walnascar (5.2)
Add INHERIT += "vex" in your local.conf
- Retrieve two artifacts from the Yocto deploy directory:
${IMAGE_NAME}.rootfs.spdx.json: The SPDX v3.0 SBOM file.
${IMAGE_NAME}.rootfs.json: File generated by the vex.bbclass.
- Run the CVE analysis:
sbom-cve-check --sbom-path ${IMAGE_NAME}.rootfs.spdx.json --yocto-vex-manifest ${IMAGE_NAME}.rootfs.json --export-type yocto-cve-check-manifest --export-path out.json
Check out the official documentation for more details on how to use sbom-cve-check, and don't hesitate to contribute or report issues.

Does it run with scarthgap?
Hello, it runs with Scarthgap, as stated in the documentation. Do you have any issues running the tool with Scarthgap (if you do, please create an issue on GitHub)?