2025-12-02, Walnascar
We are happy to announce the first release of a brand new open-source project: sbom-cve-check, a lightweight CVE analysis tool for your Software Bill of Materials (SBOM). Written in Python, with minimal dependencies and a very simple workflow in mind, sbom-cve-check parses your SBOM (SPDX v2.2 and SPDX v3.0 are currently supported) and, using publicly available databases of security vulnerabilities, generates a report of the known vulnerabilities affecting the software components listed in it.
sbom-cve-check was conceived to help produce the artifacts required for vulnerability assessment, which will be a periodic obligation for CRA compliance. Developers, integrators and manufacturers will need to archive the SBOM as part of each release and regularly run automated vulnerability reporting on it. Yocto today can generate the SBOM for its builds and can also perform CVE analysis. Our main problem was that this capability is tightly tied to the build and cannot be reproduced from the SBOM alone: one must rerun the whole build.
We present sbom-cve-check: a new tool that conducts automated vulnerability analysis from the SBOM, without rebuilding, relying on the open SPDX3 standard. sbom-cve-check aims to be an efficient replacement for the cve-check logic currently available in Yocto. It pulls from several databases, including NVD and the CVE List, and supports multiple annotation formats, such as OpenVEX and Yocto's custom format. sbom-cve-check currently supports the following export formats: SPDX3, CSV and Yocto's cve-check output format.
The tool is provided under the GPLv2 license, and contributions are of course welcome :).
Olivier Benjamin is a security engineer with 13 years of experience. He joined Bootlin in 2024. Prior to joining Bootlin, he worked in various security roles, on the offensive side doing vulnerability research for the French firm Quarkslab and reverse engineering for the French Ministry of Defence, as well as in incident response at AWS.
Benjamin Robin is an embedded Linux engineer with 14 years of experience. He joined Bootlin in 2025. Before joining Bootlin, he held roles as both an embedded software engineer and an embedded Linux engineer. Over the years, he gained extensive experience across a wide range of industries, including transportation, aerospace, automotive, medical, and defense. He has developed significant expertise in building custom BSP layers using Yocto for projects involving various frameworks.