Welcome to CVE Scan!

CVE Scan logo

CVE Scan is a software tool that extracts CVEs from a Software Bill of Materials (SBOM). While originally developed for Yocto, it can also be used for non-Yocto projects because it reads the standardized CycloneDX and SPDX SBOM formats.

CVE Scan provides advanced filtering options to eliminate false positives. It leverages information from the Yocto build and from various sources of vulnerabilities and patches to automatically assess the relevance of each vulnerability to your product, and lets you manually assess the remaining ones.

CVE Scan also comes with a dedicated Web User Interface to efficiently browse through the vulnerabilities, annotate them and keep track of the progress done on multiple projects.

The main goal of CVE Scan is to facilitate the monitoring of vulnerabilities in software products by reducing the number of false positives to a manageable amount, and to propose an efficient way to iterate on the manual assessment of the remaining ones.

CVEScan pipeline