sbom-cve-check: Lightweight open-source CVE analysis tool for your embedded systems
- Track: Embedded, Mobile and Automotive
- Room: UD2.120 (Chavanne)
- Day: Sunday
- Start: 12:20
- End: 12:30
- Video only: ud2120
With embedded devices now everywhere, from home appliances to industrial systems, it is vital to regularly check them for CVEs so that any known vulnerabilities in software components can be identified and addressed before they lead to security risks.
Regularly monitoring these CVEs will be mandatory in various cases to comply with the EU Cyber Resilience Act (CRA), which pushes the industry toward more accountable and proactive security in embedded systems.
We present sbom-cve-check: a new automated vulnerability-analysis tool that works from an SBOM alone, so it does not need access to the original build system. The SBOM itself is generated once by a build system such as Yocto or Buildroot; everything after that point runs against the SBOM file.
sbom-cve-check supports SBOMs in SPDX 2 and SPDX 3 formats, with CycloneDX compatibility planned. The tool aims to be an efficient replacement for the cve-check logic currently available in Yocto. It pulls vulnerability data from several databases, including NVD and the CVE List, and applies annotations in multiple formats, such as OpenVEX and Yocto's custom format, so that patched or non-applicable CVEs are not reported as open. sbom-cve-check currently supports the following export formats: SPDX 3, CSV, and Yocto's cve-check output format.
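To make that pipeline concrete, here is an added example (not sbom-cve-check's own code, and not how the project necessarily implements it) of the three steps the abstract describes: read package identifiers out of an SPDX 2 JSON SBOM, match them against NVD-style CPE version ranges, then apply an OpenVEX statement before writing a CSV report. The SBOM, the vulnerability feed (placeholder IDs of the form CVE-0000-*) and the VEX document are all constructed inline, so the script runs offline; the Unpatched/Patched/Ignored status vocabulary is borrowed from Yocto's cve-check output.

```python
"""Illustrative SBOM-driven CVE matcher: SPDX 2 JSON in, OpenVEX applied, CSV out.
This is an added example, not sbom-cve-check's code; all inputs are constructed."""
import csv
import io
import json
import re

# Constructed SPDX 2.3 document, shaped like what Yocto or Buildroot emits.
SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3", "name": "demo-image",
    "packages": [
        {"name": "busybox", "versionInfo": "1.36.1", "externalRefs": [
            {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
             "referenceLocator": "cpe:2.3:a:busybox:busybox:1.36.1:*:*:*:*:*:*:*"}]},
        {"name": "openssl", "versionInfo": "3.0.12", "externalRefs": [
            {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
             "referenceLocator": "cpe:2.3:a:openssl:openssl:3.0.12:*:*:*:*:*:*:*"}]},
        {"name": "zlib", "versionInfo": "1.3.1", "externalRefs": [
            {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
             "referenceLocator": "cpe:2.3:a:zlib:zlib:1.3.1:*:*:*:*:*:*:*"}]},
    ]})

# Constructed NVD-style records with placeholder IDs (CVE-0000-*), not real CVEs.
FEED = [
    {"id": "CVE-0000-0001", "matches": [{"criteria": "cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*",
                                         "versionStartIncluding": "1.30.0", "versionEndExcluding": "1.37.0"}]},
    {"id": "CVE-0000-0002", "matches": [{"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
                                         "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.0.12"}]},
    {"id": "CVE-0000-0003", "matches": [{"criteria": "cpe:2.3:a:zlib:zlib:1.3.1:*:*:*:*:*:*:*"}]},
]

# Constructed OpenVEX statement: the zlib fix was backported, so the finding is suppressed.
OPENVEX = {"statements": [{
    "vulnerability": {"name": "CVE-0000-0003"},
    "products": [{"@id": "cpe:2.3:a:zlib:zlib:1.3.1:*:*:*:*:*:*:*"}],
    "status": "not_affected", "justification": "vulnerable_code_not_present"}]}

# Status vocabulary borrowed from Yocto's cve-check output (Unpatched / Patched / Ignored).
VEX_TO_STATUS = {"fixed": "Patched", "not_affected": "Ignored"}


def compare_versions(a, b):
    """Compare dotted numeric versions; returns -1, 0 or 1. A real tool must also
    handle epochs, pre-release tags and distro-specific schemes (not done here)."""
    ka, kb = (tuple(int(p) for p in re.findall(r"\d+", v)) for v in (a, b))
    n = max(len(ka), len(kb))
    ka, kb = ka + (0,) * (n - len(ka)), kb + (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def cpe_fields(cpe):
    """vendor, product, version fields of a cpe:2.3 string."""
    f = cpe.split(":")
    return f[3].lower(), f[4].lower(), f[5]


def cpe_matches(pkg_cpe, m):
    """True if pkg_cpe falls inside one NVD cpeMatch entry (exact version or range)."""
    vendor, product, ver = cpe_fields(pkg_cpe)
    cvendor, cproduct, cver = cpe_fields(m["criteria"])
    if (vendor, product) != (cvendor, cproduct):
        return False
    if cver != "*":
        return cver == ver  # exact-version criterion, no range fields
    bounds = (("versionStartIncluding", lambda c: c >= 0), ("versionStartExcluding", lambda c: c > 0),
              ("versionEndIncluding", lambda c: c <= 0), ("versionEndExcluding", lambda c: c < 0))
    return all(ok(compare_versions(ver, m[k])) for k, ok in bounds if k in m)


def sbom_packages(spdx_json):
    """(name, version, [cpe...]) per SPDX package; a package without a CPE yields no findings."""
    doc = json.loads(spdx_json)
    return [(p["name"], p.get("versionInfo", ""),
             [r["referenceLocator"] for r in p.get("externalRefs", []) if r["referenceType"] == "cpe23Type"])
            for p in doc["packages"]]


def scan(spdx_json, feed, openvex):
    """Match every SBOM package against the feed, then apply OpenVEX statements."""
    vex = {(prod["@id"], s["vulnerability"]["name"]): s["status"]
           for s in openvex.get("statements", []) for prod in s["products"]}
    findings = []
    for name, version, cpes in sbom_packages(spdx_json):
        for cpe in cpes:
            for vuln in feed:
                if any(cpe_matches(cpe, m) for m in vuln["matches"]):
                    status = VEX_TO_STATUS.get(vex.get((cpe, vuln["id"])), "Unpatched")
                    findings.append({"package": name, "version": version, "cve": vuln["id"], "status": status})
    return findings


def to_csv(findings):
    """CSV report, one row per (package, CVE) pair."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["package", "version", "cve", "status"])
    w.writeheader()
    w.writerows(findings)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(scan(SPDX_JSON, FEED, OPENVEX)), end="")
```

Two details are worth checking in any such tool: the openssl entry is not reported because 3.0.12 equals the exclusive upper bound, so off-by-one handling of versionEndExcluding versus versionEndIncluding decides between a false positive and a correct result; and a package whose SBOM entry carries no CPE (or purl) silently produces no findings, which is a false negative rather than a clean bill of health.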
The tool is provided under the GPLv2 license, and contributions are of course welcome :)
Speakers
- Benjamin Robin