░██████╗██████╗░░█████╗░███╗░░░███╗░░░░░░██████╗░░░░░░░██╗░░░█████╗░██╗░░░██╗███████╗
██╔════╝██╔══██╗██╔══██╗████╗░████║░░░░░░╚════██╗░░░░░░╚██╗░██╔══██╗██║░░░██║██╔════╝
╚█████╗░██████╦╝██║░░██║██╔████╔██║█████╗░░███╔═╝█████╗░╚██╗██║░░╚═╝╚██╗░██╔╝█████╗░░
░╚═══██╗██╔══██╗██║░░██║██║╚██╔╝██║╚════╝██╔══╝░░╚════╝░██╔╝██║░░██╗░╚████╔╝░██╔══╝░░
██████╔╝██████╦╝╚█████╔╝██║░╚═╝░██║░░░░░░███████╗░░░░░░██╔╝░╚█████╔╝░░╚██╔╝░░███████╗
╚═════╝░╚═════╝░░╚════╝░╚═╝░░░░░╚═╝░░░░░░╚══════╝░░░░░░╚═╝░░░╚════╝░░░░╚═╝░░░╚══════╝
This application takes an SPDX Software Bill of Materials (SBOM) and returns the CVEs affecting its packages as JSON.
- Handling for wrapped SPDX: if another tool created your SBOM and wrapped the SPDX document inside something else, for example an in-toto attestation, this tool unwraps it and reads the SPDX inside.
- Concurrency: the SPDX package list is split into chunks that are checked concurrently, so even an SBOM covering a whole operating system is processed quickly.
- Full level of detail in the output: the vulnerability list JSON contains all the information available on each CVE (description, details, affected versions, remediations and so on).
- Relatively pretty CLI built with the lipgloss package (CSS for the CLI).
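As an added illustration of the unwrapping step described above (example code, not sbom2cve's own), the Go function below accepts either a bare SPDX 2.x JSON document or an in-toto Statement whose predicate is that document, and collects the package-url of every package, which is the identifier a vulnerability database is queried with. The sample attestation is constructed for the example; the field names follow the SPDX 2.x JSON and in-toto Statement schemas.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample: an in-toto Statement whose predicate is a two-package SPDX document.
const sampleAttestation = `{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://spdx.dev/Document","predicate":{"spdxVersion":"SPDX-2.3","packages":[{"name":"lib","externalRefs":[{"referenceType":"purl","referenceLocator":"pkg:golang/example.com/lib@1.2.3"}]},{"name":"no-purl"}]}}`

// PURLs returns the package-url of every package in an SPDX document, whether raw is the
// document itself or an in-toto Statement carrying it as the predicate.
func PURLs(raw []byte) ([]string, error) {
	var doc struct {
		SPDXVersion string          `json:"spdxVersion"` // present on a bare SPDX document
		Predicate   json.RawMessage `json:"predicate"`   // present on an in-toto Statement
		Packages    []struct {
			ExternalRefs []struct {
				Type    string `json:"referenceType"`
				Locator string `json:"referenceLocator"`
			} `json:"externalRefs"`
		} `json:"packages"`
	}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	if len(doc.Predicate) > 0 { // attestation: descend one layer into the predicate
		return PURLs(doc.Predicate)
	}
	if doc.SPDXVersion == "" {
		return nil, errors.New("input is neither an SPDX document nor an in-toto Statement")
	}
	// Packages without a purl cannot be matched against a vulnerability database and are skipped.
	var purls []string
	for _, p := range doc.Packages {
		for _, r := range p.ExternalRefs {
			if r.Type == "purl" {
				purls = append(purls, r.Locator)
			}
		}
	}
	return purls, nil
}

func main() {
	purls, err := PURLs([]byte(sampleAttestation))
	fmt.Println(purls, err) // [pkg:golang/example.com/lib@1.2.3] <nil>
}
```

A DSSE-enveloped attestation carries the Statement base64-encoded in its payload field and would need that layer decoded first; that case is not handled here.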
This application was built with Go 1.24.3.
- Clone the repo
- cd into the directory sbom2cve
- run:

```shell
go build ./main.go
./main run [SBOM Path]   # reads a local SBOM and returns the CVEs as JSON
./main -h                # shows the help with all the options currently available
```

The program will output a vulnerability_report.json containing all the vulnerable packages and the vulnerability details. If no vulnerabilities are found you will be notified in the CLI and no report will be written.