Metadata-Version: 2.4
Name: sbom_cve_check
Version: 1.3.0
Summary: Lightweight SBOM CVE analysis tool
Project-URL: Repository, https://github.com/bootlin/sbom-cve-check
Project-URL: Documentation, https://sbom-cve-check.readthedocs.io/en/latest/
Author-email: Benjamin Robin <benjamin.robin@bootlin.com>
License: GPL-2.0-only
License-File: LICENSE
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Bug Tracking
Requires-Python: >=3.10
Requires-Dist: python-dateutil; python_version < '3.11'
Requires-Dist: spdx-python-model==0.0.5
Requires-Dist: tomli>=1.1.0; python_version < '3.11'
Provides-Extra: extra
Requires-Dist: argcomplete>=3.6; extra == 'extra'
Requires-Dist: pyyaml>=6.0; extra == 'extra'
Requires-Dist: tomli-w>=1.0.0; extra == 'extra'
Description-Content-Type: text/markdown

# sbom-cve-check

`sbom-cve-check` is a lightweight, standalone and easy-to-use tool
that parses Software Bill of Materials (SBOM) files and, using publicly
available databases of security vulnerabilities (CVEs), produces a
report detailing which software components are affected by known
security vulnerabilities.

Key features provided by this tool:

- Accepts an SBOM file as input: currently supports SPDXv2.2 and SPDXv3.
- Supports multiple sources of vulnerability information: currently
  [NVD](https://github.com/fkie-cad/nvd-json-data-feeds) and [CVE List](
  https://github.com/CVEProject/cvelistV5).
- Can consume various annotation formats, like OpenVEX.
- Generates exports in multiple formats, including SPDX v3.0.
- Supports plugins to add additional features.
- Filters affected CVEs based on compiled sources: if the source file
  affected by a CVE is not compiled in, the CVE is considered not
  applicable. This is mostly useful for filtering Linux kernel CVEs.
- Has very few dependencies, is very lightweight and easy to set up and use.
- Fully open-source, under GPLv2.
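
As an added illustration of the compiled-source filter described above (example code, not sbom-cve-check's own), assuming a CVE JSON 5 record from cvelistV5 lists the affected source paths in `affected[].programFiles` relative to the source tree, and that each object file the build produced maps one-to-one onto a `.c` file:

```python
"""Decide whether a CVE applies to a build from the set of compiled sources."""
import json
from pathlib import PurePosixPath

# Constructed CVE JSON 5 fragment modelled on a kernel CNA record (placeholder id).
CVE_RECORD = json.loads("""
{
  "cveMetadata": {"cveId": "CVE-XXXX-PLACEHOLDER"},
  "containers": {"cna": {"affected": [
    {"vendor": "Linux", "product": "Linux",
     "programFiles": ["drivers/net/ethernet/example/example.c"]}
  ]}}
}
""")

# Constructed list of objects the build produced (e.g. the kernel's .o files).
COMPILED_OBJECTS = [
    "drivers/net/ethernet/other/other.o",
    "net/core/dev.o",
    "./fs/ext4/inode.o",
]


def normalize(path: str) -> str:
    """Drop a leading './' and redundant separators so paths compare equal."""
    return str(PurePosixPath(path))


def compiled_sources(objects) -> set[str]:
    """Map each compiled object back to its C source (one .c per .o assumed)."""
    return {normalize(o)[:-2] + ".c" for o in objects if o.endswith(".o")}


def affected_files(record) -> set[str]:
    """Collect every programFiles entry from the record's CNA container."""
    files: set[str] = set()
    for entry in record["containers"]["cna"].get("affected", []):
        files.update(normalize(p) for p in entry.get("programFiles", []))
    return files


def is_applicable(record, compiled: set[str]) -> bool:
    """Not applicable only when the CVE names files and none was compiled.

    A record without file information cannot be filtered and stays applicable,
    which is the conservative choice for a triage tool."""
    files = affected_files(record)
    return not files or bool(files & compiled)
```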

See the [sbom-cve-check documentation](
https://sbom-cve-check.readthedocs.io/en/latest/index.html) for further details.

## Motivation

This tool was started as a way of replacing the *cve-check* logic
implemented in Yocto, which requires running a full build to perform a
new CVE analysis. `sbom-cve-check` instead can run on the SBOM
produced once by Yocto Project and can be used to regularly run the CVE
analysis in less than a minute.

## Getting started

Assuming you're using Yocto Project, 4 easy steps:

1. **Install** the tool:<br>
   `pip install sbom-cve-check[extra]`<br>
   (You may want to do this in a Python virtual environment).

2. **Generate** the SBOM with Yocto Project:<br>
   SPDXv3.0 is generated by default since Yocto Project Walnascar (5.2).<br>
   Add `INHERIT += "vex"` in your `local.conf`.

3. **Retrieve** two artifacts from the Yocto Project `deploy` directory:<br>
   `${IMAGE_NAME}.rootfs.spdx.json`: The SPDX v3.0 SBOM file.<br>
   `${IMAGE_NAME}.rootfs.json`: File generated by the vex.bbclass.

4. **Run** the CVE analysis:<br>
   ```sh
   sbom-cve-check \
     --sbom-path ${IMAGE_NAME}.rootfs.spdx.json \
     --yocto-vex-manifest ${IMAGE_NAME}.rootfs.json \
     --export-type yocto-cve-check-manifest --export-path out.json
   ```

## Roadmap

- Add support for the Ubuntu CVE tracker repository.
- Automatically detect whether a patch was backported.
- Add more export formats, for example OpenVEX.
- Add CycloneDX (CDX) SBOM support as input.
- Allow generating an SBOM (CDX or SPDX 3.0) as output even when the
  SBOM given as input is in another format.

## Compatibility with Yocto Project

The compatibility with the SBOM generated by Yocto Project is described in the
[Yocto Project SBOM](
https://sbom-cve-check.readthedocs.io/en/latest/sbom.html#yocto-project-sbom) section.
