Generating a Debian SBOM with Syft

Syft can be installed with:

curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin

You can find the full documentation of installation methods here.

You can then list the Debian dependencies found in a filesystem as a CycloneDX JSON SBOM with:

syft /var/lib/dpkg --select-catalogers="debian" -o cyclonedx-json > bom.json

You can then feed it to the CVEScan scan-inventory subcommand:

cvescan scan-inventory --inventory bom.json

The resulting report can be explored and/or uploaded to the CVEScan WebUI.
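
A sanity check to run on bom.json between the syft and cvescan steps, as an added example that is not part of Syft or CVEScan: an SBOM with no Debian packages, or with packages lacking a version, would produce a scan report that looks clean without anything having been matched. The function name check_debian_sbom, the script name check_sbom.py and the sample document are constructed for illustration; the check assumes Debian packages are identified by a purl starting with pkg:deb/.

```python
import json
import sys

# Constructed sample in the shape of a CycloneDX JSON SBOM (not real Syft output).
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.11-1~deb12u2",
     "purl": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64&distro=debian-12"},
    {"type": "library", "name": "zlib1g", "version": "",
     "purl": "pkg:deb/debian/zlib1g?arch=amd64&distro=debian-12"},
    {"type": "operating-system", "name": "debian", "version": "12"}
  ]
}
""")


def check_debian_sbom(bom):
    """Return (deb_count, problems) for a parsed CycloneDX JSON document."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    deb_count = 0
    for comp in bom.get("components") or []:
        # Only components with a Debian package URL count toward the inventory.
        if not (comp.get("purl") or "").startswith("pkg:deb/"):
            continue
        deb_count += 1
        # A package without a version cannot be matched against CVE version ranges.
        if not comp.get("version"):
            problems.append(f"{comp.get('name', '<unnamed>')}: missing version")
    if deb_count == 0:
        # An empty inventory would scan "clean" without having checked anything.
        problems.append("no Debian packages in SBOM")
    return deb_count, problems


if __name__ == "__main__":
    # Usage: python check_sbom.py bom.json  (falls back to the constructed sample)
    bom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_BOM
    count, problems = check_debian_sbom(bom)
    print(f"{count} Debian packages")
    for p in problems:
        print("WARN:", p)
    sys.exit(1 if problems else 0)
```

The script exits non-zero when it finds a problem, so it can gate the scan-inventory step in a pipeline.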