Introduction
CVE Scan is a software tool that extracts CVEs from a Software Bill of Materials (SBOM). While originally developed for Yocto, it can be used for non-Yocto projects thanks to its compatibility with the CycloneDX and SPDX standardized SBOM formats.
CVE Scan has 3 modes of operation:
- Scan, where it parses all software components from an SBOM and queries various data sources (the NIST NVD and optionally the Ubuntu CVE tracker) to produce a JSON report that lists all CVEs applicable to the product;
- Filter, where CVE Scan ingests a JSON report produced by the Scan operation and filters out various false positives based on additional information from the SBOM (e.g. kernel configuration) or from external sources (e.g. the Linux kernel source repositories). The Ubuntu CVE tracker can also be used in this step to consolidate references to available vulnerability patches;
- Export, where it transforms a JSON report into another format (CSV for manual processing, YAML or JUnit) and integrates manual annotations into the exported report.
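The three modes chain into one pipeline: scan an SBOM against a CVE source, drop entries the build cannot exercise, then export with annotations. The following is an added example written for this page, not CVE Scan's own code. It assumes a CycloneDX-style SBOM, a small in-memory CVE table standing in for the NIST NVD, a kernel .config fragment used as the filter criterion, and a plain dict of manual annotations; all of these are constructed inline, and the CVE identifiers are placeholders rather than real entries.

```python
"""Illustrative scan / filter / export pipeline over a CycloneDX-style SBOM.
Added example for this page; not CVE Scan's own code. The SBOM, the CVE
table (standing in for the NIST NVD) and the kernel configuration are all
constructed here, and the CVE identifiers are placeholders."""
import csv
import io
import json
import re

# Constructed CycloneDX 1.4-style SBOM (JSON), trimmed to the fields used here.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.1"},
        {"type": "library", "name": "zlib", "version": "1.2.11"},
        {"type": "operating-system", "name": "linux", "version": "5.10.100"},
    ],
})

# Constructed CVE table with placeholder identifiers. A real scan would query
# the NVD; "fixed_in" is the first non-affected version and "kernel_config"
# names the kernel option the vulnerable code path depends on (if any).
CVE_DB = [
    {"id": "CVE-0000-0001", "product": "openssl", "fixed_in": "3.0.2"},
    {"id": "CVE-0000-0002", "product": "zlib", "fixed_in": "1.2.10"},
    {"id": "CVE-0000-0003", "product": "linux", "fixed_in": "5.10.120",
     "kernel_config": "CONFIG_NFS_FS"},
    {"id": "CVE-0000-0004", "product": "linux", "fixed_in": "5.10.120",
     "kernel_config": "CONFIG_NET"},
]

# Constructed kernel .config fragment.
KERNEL_CONFIG = """\
CONFIG_NET=y
# CONFIG_NFS_FS is not set
CONFIG_EXT4_FS=m
"""


def version_tuple(version):
    """Numeric-only version key (1.2.11 -> (1, 2, 11)); enough for this example."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def scan(sbom_json, cve_db):
    """Scan step: list every CVE whose product matches an SBOM component and
    whose fix version is later than the shipped version."""
    sbom = json.loads(sbom_json)
    report = {"cves": []}
    for comp in sbom["components"]:
        for cve in cve_db:
            if cve["product"] != comp["name"]:
                continue
            if version_tuple(comp["version"]) < version_tuple(cve["fixed_in"]):
                entry = {"id": cve["id"], "component": comp["name"],
                         "version": comp["version"], "status": "open",
                         "reason": ""}
                if "kernel_config" in cve:
                    entry["kernel_config"] = cve["kernel_config"]
                report["cves"].append(entry)
    return report


def enabled_kernel_options(config_text):
    """Options set to y or m; '# CONFIG_X is not set' lines are ignored."""
    return set(re.findall(r"^(CONFIG_\w+)=[ym]$", config_text, re.MULTILINE))


def filter_report(report, config_text):
    """Filter step: mark kernel CVEs as ignored when the option the vulnerable
    code depends on is not built. Other entries are left untouched."""
    enabled = enabled_kernel_options(config_text)
    for entry in report["cves"]:
        option = entry.get("kernel_config")
        if option and option not in enabled:
            entry["status"] = "ignored"
            entry["reason"] = f"{option} not enabled in kernel config"
    return report


def export_csv(report, annotations):
    """Export step: CSV with one row per CVE, merging manual annotations
    keyed by CVE id (constructed here as a plain dict)."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["cve", "component", "version", "status", "reason", "annotation"])
    for e in report["cves"]:
        writer.writerow([e["id"], e["component"], e["version"], e["status"],
                         e["reason"], annotations.get(e["id"], "")])
    return out.getvalue()


if __name__ == "__main__":
    rep = filter_report(scan(SBOM_JSON, CVE_DB), KERNEL_CONFIG)
    print(export_csv(rep, {"CVE-0000-0001": "backported fix applied"}))
```

With the constructed inputs, the scan reports three CVEs (the zlib entry is already fixed), the filter marks the NFS kernel CVE as ignored because CONFIG_NFS_FS is not set, and the CSV carries the reason alongside the manual annotation so a reviewer can see why each entry was kept or dropped. Real NVD data uses CPE match ranges rather than a single fix version, so the version comparison here is deliberately simplified.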
CVE Scan also comes with a dedicated Web User Interface to efficiently browse through the vulnerabilities, annotate them and keep track of the progress made on multiple projects.
The main goal of CVE Scan is to facilitate the monitoring of vulnerabilities in software products by lowering the number of false positives to a manageable amount, and to propose an efficient way to iterate over the manual assessment of the remaining ones.