Announcing sbom-cve-check, a lightweight CVE analysis tool for your SBOM – Bootlin


Today we are excited to announce the first release of a brand new open source project: sbom-cve-check, a lightweight CVE analysis tool for your Software Bill of Materials (SBOM). Written in Python, with minimal dependencies and a very simple workflow in mind, sbom-cve-check analyzes your SBOM (SPDX v2.2 and SPDX v3.0 are currently supported) and produces a report on the known vulnerabilities affecting the software components listed in it, using publicly available vulnerability databases.

This tool will be presented tomorrow, December 2nd, at 3:40 p.m. during the Yocto Project Virtual Summit 2025.12, in a talk entitled "sbom-cve-check: Lightweight Python tool for out-of-build CVE analysis of SPDX3 SBOMs", presented by Bootlin engineers Benjamin Robin and Olivier Benjamin.

Motivation

The initial motivation for sbom-cve-check is to have a replacement for the Yocto cve-check tool, which, being part of Yocto itself, requires a Yocto build to be performed for every new CVE analysis. This does not match the typical CVE analysis workflow, where a given system image and its SBOM are created once, and a CVE analysis then has to be performed periodically to identify new vulnerabilities affecting that image.

sbom-cve-check allows exactly this: running the CVE analysis independently of the build, very quickly (between a few tens of seconds and 1-2 minutes, depending on the size of the input SBOM) and with minimal complexity. Several other CVE analysis tools are very complex to set up and use: they have a web frontend and backend, a database, complex dependencies, require Docker containers, and more. sbom-cve-check is implemented in Python, takes a few command line arguments and gets the job done.

Key Features

  • Accepts an SBOM file as input: currently supports SPDX v2.2 and SPDX v3
  • Supports multiple sources of vulnerability information: currently NVD and the CVE list
  • Can use various annotation formats such as OpenVEX
  • Generates exports in multiple formats including SPDX v3
  • Supports plugins to add additional functionality
  • Filters affected CVEs based on compiled sources: If the source file affected by a CVE is not compiled, that CVE is considered inapplicable. Mostly useful for filtering Linux kernel CVEs
  • Very few dependencies, lightweight, easy to set up and use
  • Completely open source, under GPLv2
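
To make the workflow behind these features concrete, here is an added, self-contained Python example (not code from the sbom-cve-check project itself): it reads package names and versions from a constructed, simplified SPDX 3.0-style SBOM, matches them against a constructed vulnerability feed, discards CVEs whose affected source files were never compiled (the Linux kernel case mentioned above), and finally applies OpenVEX-style "not_affected" statements. The SPDX property names (`software_Package`, `software_packageVersion`), the feed layout, the per-package compiled-sources map and the placeholder CVE identifiers are all assumptions made for the example; a real SBOM, vulnerability database and Yocto VEX manifest carry far more detail.

```python
"""Toy SBOM-to-CVE matcher illustrating the sbom-cve-check workflow.

Constructed example: packages come from an SPDX 3.0-style SBOM, CVEs from a
small hand-written feed; CVE IDs are placeholders, not real vulnerabilities.
"""
import json

# Constructed, simplified SPDX 3.0-style JSON-LD document. The element and
# property names are an assumption about the SPDX 3.0 serialization, and a
# real SBOM contains many more elements and relationships.
SBOM_JSON = r"""
{
  "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
  "@graph": [
    {"type": "software_Package", "spdxId": "urn:example:openssl", "name": "openssl", "software_packageVersion": "3.0.2"},
    {"type": "software_Package", "spdxId": "urn:example:zlib", "name": "zlib", "software_packageVersion": "1.2.11"},
    {"type": "software_Package", "spdxId": "urn:example:linux", "name": "linux", "software_packageVersion": "6.6.10"},
    {"type": "software_File", "spdxId": "urn:example:readme", "name": "README.md"}
  ]
}
"""

# Constructed vulnerability feed (placeholder IDs). "introduced" is inclusive,
# "fixed" is exclusive; "files" lists the source files the CVE touches, if known.
VULN_FEED = [
    {"id": "CVE-0000-0001", "package": "openssl", "introduced": "3.0.0", "fixed": "3.0.7", "files": []},
    {"id": "CVE-0000-0002", "package": "zlib", "introduced": "1.2.0", "fixed": "1.2.11", "files": []},
    {"id": "CVE-0000-0003", "package": "openssl", "introduced": "1.1.0", "fixed": "3.0.0", "files": []},
    {"id": "CVE-0000-0004", "package": "linux", "introduced": "6.0", "fixed": "6.7", "files": ["drivers/net/foo.c"]},
    {"id": "CVE-0000-0005", "package": "linux", "introduced": "6.6", "fixed": "6.6.20", "files": ["net/ipv4/tcp.c"]},
    {"id": "CVE-0000-0006", "package": "curl", "introduced": "8.0.0", "fixed": "8.5.0", "files": []},
]

# Constructed OpenVEX-style statements; only the fields read below are modelled.
VEX_STATEMENTS = [
    {"vulnerability": "CVE-0000-0001", "product": "openssl", "status": "not_affected",
     "justification": "inline_mitigations_already_exist"},
]

# Constructed stand-in for "which source files were actually compiled" per
# package, the information sbom-cve-check derives from the Yocto VEX manifest.
COMPILED_SOURCES = {"linux": {"net/ipv4/tcp.c", "kernel/fork.c"}}


def parse_version(text):
    """Turn '6.6.10' into (6, 6, 10); non-numeric pieces count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def packages_from_spdx3(doc):
    """Map package name -> version for every software_Package in the graph."""
    return {node["name"]: node.get("software_packageVersion", "")
            for node in doc.get("@graph", []) if node.get("type") == "software_Package"}


def version_in_range(version, introduced, fixed):
    """True when introduced <= version < fixed (missing bounds are open)."""
    v = parse_version(version)
    if introduced and v < parse_version(introduced):
        return False
    if fixed and v >= parse_version(fixed):
        return False
    return True


def analyze(sbom_json, feed, vex, compiled):
    """Return one finding per feed entry whose package is present in the SBOM."""
    packages = packages_from_spdx3(json.loads(sbom_json))
    vex_index = {(s["vulnerability"], s["product"]): s for s in vex}
    findings = []
    for vuln in feed:
        name = vuln["package"]
        if name not in packages:
            continue  # component not in this image: nothing to report
        version = packages[name]
        finding = {"id": vuln["id"], "package": name, "version": version}
        if not version_in_range(version, vuln.get("introduced"), vuln.get("fixed")):
            finding.update(status="not_affected", reason="version outside affected range")
        elif vuln.get("files") and name in compiled and not set(vuln["files"]) & compiled[name]:
            # Affected source files are known and none of them was compiled in.
            finding.update(status="not_affected", reason="affected source files not compiled")
        elif (vuln["id"], name) in vex_index and vex_index[(vuln["id"], name)]["status"] == "not_affected":
            finding.update(status="not_affected",
                           reason="VEX: " + vex_index[(vuln["id"], name)]["justification"])
        else:
            finding.update(status="affected", reason="version in affected range")
        findings.append(finding)
    return findings


def status_of(findings, cve_id):
    return next(f["status"] for f in findings if f["id"] == cve_id)


def affected_ids(findings):
    return sorted(f["id"] for f in findings if f["status"] == "affected")


if __name__ == "__main__":
    for f in analyze(SBOM_JSON, VULN_FEED, VEX_STATEMENTS, COMPILED_SOURCES):
        print(f"{f['id']} {f['package']} {f['version']}: {f['status']} ({f['reason']})")
```

The order of the checks is deliberate: a version-range miss and a "not compiled" filter are facts derived from the SBOM and the build, while a VEX statement is a human assertion, so it is consulted last and its justification is carried into the report where a reviewer can see why a CVE was suppressed.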

First steps

Assuming you use Yocto, it takes 4 easy steps:

  1. Install the tool:
     pip install "sbom-cve-check[extra]"
     (You may want to do this in a Python virtual environment.)
  2. Generate the SBOM with Yocto:
     SPDX v3.0 is generated by default since Yocto Walnascar (5.2).
     Add INHERIT += "vex" to your local.conf.
  3. Retrieve two artifacts from the Yocto deploy directory:
     ${IMAGE_NAME}.rootfs.spdx.json: the SPDX v3.0 SBOM file.
     ${IMAGE_NAME}.rootfs.json: the file generated by the vex.bb class.
  4. Run the CVE analysis:
     sbom-cve-check --sbom-path ${IMAGE_NAME}.rootfs.spdx.json --yocto-vex-manifest ${IMAGE_NAME}.rootfs.json --export-type yocto-cve-check-manifest --export-path out.json

Check out the official documentation for more information on how to use sbom-cve-check, and don’t hesitate to contribute or report problems.

Thomas Petazzoni
