SBOMgen
This tutorial illustrates the generation of an SBOM using the cve-bin-tool CLI.
If cve-bin-tool is not already installed, run the following command:
pip install cve-bin-tool
Alternatively, with pipx or uv:
# pipx
pipx install cve-bin-tool
# uv
uv tool install cve-bin-tool
The repository can also be cloned, and installed locally:
# clone the git repo
git clone https://github.com/ossf/cve-bin-tool.git
# enter the repo
cd cve-bin-tool
# install the package
pip install -e .
Verify installation by running the command:
cve-bin-tool --help
You should see output like the following:
usage: cve-bin-tool [-h] [-n {api,api2,json,json-mirror,json-nvd}] [-u {now,daily,never,latest}] [--nvd-api-key NVD_API_KEY] [-d DISABLE_DATA_SOURCE] [--use-mirror USE_MIRROR] [-i INPUT_FILE] [-C CONFIG] [-L PACKAGE_LIST]
[--sbom {spdx,cyclonedx,swid}] [--sbom-file SBOM_FILE] [--vex-file VEX_FILE] [-q] [-l {debug,info,warning,error,critical}] [-o OUTPUT_FILE] [--html-theme HTML_THEME] [-f {csv,json,json2,console,html,pdf}]
[--generate-config {yaml,toml,yaml,toml,toml,yaml}] [-c CVSS] [-S {low,medium,high,critical}] [--metrics] [--epss-percentile EPSS_PERCENTILE] [--epss-probability EPSS_PROBABILITY] [--no-0-cve-report]
[-A [<distro_name>-<distro_version_name>]] [-b [<distro_name>-<distro_version_name>]] [--affected-versions] [--sbom-output SBOM_OUTPUT] [--sbom-type {spdx,cyclonedx}] [--sbom-format {tag,json,yaml}]
[--vex-output VEX_OUTPUT] [--vex-type {cyclonedx,csaf,openvex}] [--product PRODUCT] [--release RELEASE] [--vendor VENDOR] [-rr REVISION_REASON] [--filter-triage] [-e EXCLUDE] [-V] [--disable-version-check]
[--disable-validation-check] [--offline] [--detailed] [-a [APPEND]] [-t TAG] [-m MERGE] [-F FILTER] [-s SKIPS] [-r RUNS] [--import-json IMPORT_JSON] [--ignore-sig] [--log-signature-error] [--verify PGP_PUBKEY_PATH]
[--export-json EXPORT_JSON] [--pgp-sign PGP_PRIVATE_KEY_PATH] [--passphrase PASSPHRASE] [--export EXPORT] [--import IMPORT] [--exploits] [--triage-input-file TRIAGE_INPUT_FILE] [-x] [--report]
[directory]
The CVE Binary Tool scans for a number of common, vulnerable open source
components (openssl, libpng, libxml2, libexpat and a few others) to let you know
if a given directory or binary file includes common libraries with known
vulnerabilities.
options:
-h, --help show this help message and exit
-e, --exclude EXCLUDE
Comma separated Exclude directory path
-V, --version show program's version number and exit
--disable-version-check
skips checking for a new version
--disable-validation-check
skips checking xml files against schema
--offline operate in offline mode
--detailed add CVE description in csv or json report (no effect on console, html or pdf)
CVE Data Download:
Arguments related to data sources and Cache Configuration
-n, --nvd {api,api2,json,json-mirror,json-nvd}
choose method for getting CVE lists from NVD
-u, --update {now,daily,never,latest}
update schedule for data sources and exploits database (default: daily)
--nvd-api-key NVD_API_KEY
Specify NVD API key (used to improve NVD rate limit).
Set to `no` to ignore any keys in the environment.
-d, --disable-data-source DISABLE_DATA_SOURCE
comma-separated list of data sources (CURL, EPSS, GAD, NVD, OSV, PURL2CPE, REDHAT, RSD) to disable (default: NONE)
--use-mirror USE_MIRROR
use an mirror to update the database
Input:
directory directory to scan
-i, --input-file INPUT_FILE
provide input filename
-C, --config CONFIG provide config file
-L, --package-list PACKAGE_LIST
provide package list
--sbom {spdx,cyclonedx,swid}
specify type of software bill of materials (sbom) (default: spdx)
--sbom-file SBOM_FILE
provide sbom filename
--vex-file VEX_FILE provide vulnerability exchange (vex) filename for triage processing
Output:
-q, --quiet suppress output
-l, --log {debug,info,warning,error,critical}
log level (default: info)
-o, --output-file OUTPUT_FILE
provide output filename (default: output to stdout)
--html-theme HTML_THEME
provide custom theme directory for HTML Report
-f, --format {csv,json,json2,console,html,pdf}
update output format (default: console)
specify multiple output formats by using comma (',') as a separator
note: don't use spaces between comma (',') and the output formats.
--generate-config {yaml,toml,yaml,toml,toml,yaml}
generate config file for cve bin tool in toml and yaml formats.
-c, --cvss CVSS minimum CVSS score (as integer in range 0 to 10) to report (default: 0)
-S, --severity {low,medium,high,critical}
minimum CVE severity to report (default: low)
--metrics check for metrics (e.g., EPSS) from found cves
--epss-percentile EPSS_PERCENTILE
minimum epss percentile of CVE range between 0 to 100 to report. Automatically enables `--metrics`
--epss-probability EPSS_PROBABILITY
minimum epss probability of CVE range between 0 to 100 to report. Automatically enables `--metrics`
--no-0-cve-report only produce report when CVEs are found
-A, --available-fix [<distro_name>-<distro_version_name>]
Lists available fixes of the package from Linux distribution
-b, --backport-fix [<distro_name>-<distro_version_name>]
Lists backported fixes if available from Linux distribution
--affected-versions Lists versions of product affected by a given CVE (to facilitate upgrades)
--sbom-output SBOM_OUTPUT
Provide software bill of materials (sbom) filename to generate
--sbom-type {spdx,cyclonedx}
specify type of software bill of materials (sbom) to generate (default: spdx)
--sbom-format {tag,json,yaml}
specify format of software bill of materials (sbom) to generate (default: tag)
Vex Output:
Arguments related to Vex output document.
--vex-output VEX_OUTPUT
Provide vulnerability exchange (vex) filename to generate
--vex-type {cyclonedx,csaf,openvex}
specify type of vulnerability exchange (vex) to generate (default: cyclonedx)
--product PRODUCT Product Name
--release RELEASE Release Version
--vendor VENDOR Vendor/Supplier of Product
-rr, --revision-reason REVISION_REASON
a reason for the update to the vex document should be specified in double quotes
--filter-triage Filter cves based on triage data from Vex file
Merge Report:
Arguments related to Intermediate and Merged Reports
-a, --append [APPEND]
save output as intermediate report in json format
-t, --tag TAG add a unique tag to differentiate between multiple intermediate reports
-m, --merge MERGE comma separated intermediate reports path for merging
-F, --filter FILTER comma separated tag string for filtering intermediate reports
Checkers:
-s, --skips SKIPS comma-separated list of checkers to disable
-r, --runs RUNS comma-separated list of checkers to enable
Database Management:
--import-json IMPORT_JSON
import database from json files chopped by years
--ignore-sig do not verify PGP signature while importing json data
--log-signature-error
when the signature doesn't match log the error only instead of halting (UNSAFE)
--verify PGP_PUBKEY_PATH
verify PGP sign while importing json files
--export-json EXPORT_JSON
export database as json files chopped by years
--pgp-sign PGP_PRIVATE_KEY_PATH
sign exported json files with PGP
--passphrase PASSPHRASE
required passphrase for signing with PGP
--export EXPORT export database filename
--import IMPORT import database filename
Exploits:
--exploits check for exploits from found cves
Deprecated:
--triage-input-file TRIAGE_INPUT_FILE
replaced by --vex-file
-x, --extract autoextract compressed files
--report Produces a report even if there are no CVE for the respective output format
Available checkers: seahorse, gvfs, libgcrypt, lua, libsolv,
memcached, radvd, hwloc, openssh, patch, rsync, libvorbis, mailx,
dmidecode, postgresql, readline, unbound, minetest, modsecurity,
tesseract, flac, chess, timescaledb, iperf3, debianutils, gzip, upx,
dhcpcd, frr, libarchive, capnproto, zchunk, cryptsetup, axel, openssl,
git, pigz, putty, icecast, poppler, zstandard, samba, collectd,
rdesktop, ldns, kodi, neon, linux_kernel, miniupnpd, irssi,
apache_http_server, curl, gpsd, ppp, icu, pango, sslh, libsoup,
libvirt, firefox, clamav, lxc, quagga, acpid, libass, gdk_pixbuf,
ipmitool, liblas, janus, squashfs, gmp, libdb, haserl, proftpd,
civetweb, lz4, openldap, open_iscsi, wolfssl, tcpreplay, monit,
libjpeg, netkit_ftp, libidn2, raptor, fluidsynth, elfutils, sudo,
pcsc_lite, runc, libbpg, ipsec_tools, spice, tpm2_tss, dbus,
protobuf_c, micropython, tar, webkitgtk, libsamplerate, mtr, systemd,
rtl_433, perl, squid, kbd, dnsmasq, suricata, wireshark, libebml,
libraw, xerces, udisks, bzip2, mp4v2, qt, minidlna, libmicrohttpd,
speex, ncurses, bird, libtomcrypt, mini_httpd, bash, qpdf, libpcap,
libexpat, libical, unixodbc, dhclient, pixman, harfbuzz, zeek, ffmpeg,
trousers, mpv, logrotate, xml2, rsyslog, ntp, botan, libtiff, zabbix,
nghttp2, dpkg, grep, libevent, gnupg, libgit2, connman, syslogng,
gimp, librsync, opencv, util_linux, hdf5, u_boot, stellarium, libksba,
xscreensaver, luajit, openvpn, atftp, sngrep, coreutils, libconfuse,
gupnp, freerdp, openjpeg, docker, pure_ftpd, zsh, libcurl, dav1d,
yasm, gpgme, bubblewrap, nettle, xwayland, msmtp, dovecot, freeradius,
sqlite, libmemcached, haproxy, zlib, nano, thrift, nasm, thunderbird,
ceph, bind, jq, jacksondatabind, rauc, bwm_ng, socat, picocom, libvpx,
mariadb, iucode_tool, emacs, nmap, png, jack2, openswan, motion,
mdadm, file, tcpdump, darkhttpd, p7zip, nginx, gnomeshell, cpio,
openafs, libsndfile, netpbm, tinyproxy, transmission, libde265, libuv,
iwd, open_vm_tools, busybox, jasper, lrzip, f2fs_tools, libssh,
hunspell, gnutls, kubernetes, gcc, glib, bro, libsrtp, jhead, tor,
faad2, apparmor, snapd, bluez, exiv2, dropbear, strongswan, mupdf,
ttyd, libseccomp, doxygen, procps_ng, thttpd, pspp, python, gdal,
kerberos, libupnp, go, twonky_server, gstreamer, libcoap, vim,
domoticz, librsvg, pcre, mbedtls, cvs, minicom, hostapd, moby, gdb,
assimp, polarssl_fedora, dosfstools, stunnel, boinc, enscript,
sysstat, rtmpdump, subversion, sane_backends, asterisk, libvips,
iptables, cups, json_c, php, rpm, e2fsprogs, i2pd, node, chrony,
c_ares, bison, asn1c, netatalk, libnss, heimdal, netdata, vlc,
miniupnpc, keepalived, commons_compress, libtasn1, fastd, libyaml,
terminology, pcre2, ntfs_3g, sylpheed, nessus, lynx, ntpsec,
libvncserver, sdl, binutils, lldpd, cronie, varnish, lighttpd,
privoxy, libinput, znc, libopenmpt, ed, radare2, fribidi, mosquitto,
libxslt, libgd, traceroute, dhcpd, dotnet, sofia_sip, opensc, avahi,
vsftpd, mutt, qemu, davfs2, grub2, shadowsocks_libev, exim,
exfatprogs, accountsservice, gawk, ngircd, nbd, libheif, apcupsd,
lftp, snort, wpa_supplicant, glibc, vorbis_tools, libssh2, mysql,
kexectools, libjpeg_turbo, mpg123, ghostscript, libmodbus,
graphicsmagick, libmatroska, wget, rust
Available data sources: CURL, EPSS, GAD, NVD, OSV, PURL2CPE, REDHAT,
RSD
Available language scanners: dart, env, go, java, javascript, perl,
php, python, r, ruby, rust, swift
To create an SBOM, run the following command within your software project:
cve-bin-tool . --sbom-type <sbom_type> --sbom-format <sbom-format> --sbom-output <sbom_filename>
Where:
<sbom_type> - either cyclonedx or spdx
<sbom_format> - either json, yaml or tag (tag value)
<sbom_filename> - the desired SBOM output name, e.g. bom.json
NOTE: SBOMs generated by the CLI can reveal filesystem information within the "occurrences" object. To prevent this, use the --strip-scan-dir flag.
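The following is an added example, not code from the cve-bin-tool project or from this tutorial. It assembles the generation command above (validating the --sbom-type and --sbom-format values the help text lists, and adding --strip-scan-dir as the note recommends), and then goes one step beyond the page: it inspects a generated CycloneDX JSON SBOM for scan-directory paths left in the evidence "occurrences" object and rewrites them relative to the scan root. The CycloneDX 1.5 layout components[].evidence.occurrences[].location, the helper names, and the embedded sample SBOM are all assumptions made for the example.

```python
"""Added example (not part of the cve-bin-tool project or the original tutorial).

build_sbom_command()    - argv for the cve-bin-tool SBOM generation command
find_path_leaks()       - report occurrence locations that expose the scan directory
relativize_locations()  - rewrite such locations relative to the scan root

Assumption: occurrences live at components[].evidence.occurrences[].location,
as in CycloneDX 1.5. SAMPLE_SBOM below is constructed for this example.
"""
import json

SBOM_TYPES = {"spdx", "cyclonedx"}      # --sbom-type choices from the help text
SBOM_FORMATS = {"tag", "json", "yaml"}  # --sbom-format choices from the help text


def build_sbom_command(scan_dir, sbom_type, sbom_format, sbom_output, strip_scan_dir=True):
    """Return the argv list for generating an SBOM; hand it to subprocess.run()."""
    if sbom_type not in SBOM_TYPES:
        raise ValueError(f"--sbom-type must be one of {sorted(SBOM_TYPES)}")
    if sbom_format not in SBOM_FORMATS:
        raise ValueError(f"--sbom-format must be one of {sorted(SBOM_FORMATS)}")
    argv = ["cve-bin-tool", scan_dir,
            "--sbom-type", sbom_type,
            "--sbom-format", sbom_format,
            "--sbom-output", sbom_output]
    if strip_scan_dir:
        argv.append("--strip-scan-dir")  # keep the scan directory out of recorded paths
    return argv


def iter_occurrence_locations(sbom):
    """Yield (component name, occurrence dict) for every evidence occurrence."""
    for comp in sbom.get("components", []):
        for occ in comp.get("evidence", {}).get("occurrences", []):
            yield comp.get("name", "?"), occ


def find_path_leaks(sbom, scan_dir):
    """Return (component, location) pairs whose location is absolute or embeds scan_dir."""
    scan_dir = scan_dir.rstrip("/")
    leaks = []
    for name, occ in iter_occurrence_locations(sbom):
        loc = occ.get("location", "")
        if loc.startswith("/") or scan_dir in loc:
            leaks.append((name, loc))
    return leaks


def relativize_locations(sbom, scan_dir):
    """Return a copy of the SBOM with locations under scan_dir made relative to it."""
    scan_dir = scan_dir.rstrip("/")
    fixed = json.loads(json.dumps(sbom))  # deep copy; the input SBOM is left untouched
    for _, occ in iter_occurrence_locations(fixed):
        loc = occ.get("location", "")
        if loc.startswith(scan_dir + "/"):
            occ["location"] = loc[len(scan_dir) + 1:]
    return fixed


# Constructed sample: a minimal CycloneDX 1.5 JSON SBOM whose occurrences still
# carry the absolute scan directory, as an unstripped run could record it.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "requests", "version": "2.31.0",
     "evidence": {"occurrences": [
       {"location": "/home/alice/projects/sbom2doc/requirements.txt"}]}},
    {"type": "library", "name": "zlib", "version": "1.2.13",
     "evidence": {"occurrences": [
       {"location": "/home/alice/projects/sbom2doc/vendor/libz.so"},
       {"location": "vendor/libz.so.1"}]}}
  ]
}
""")
SCAN_DIR = "/home/alice/projects/sbom2doc"  # constructed scan root for the sample

if __name__ == "__main__":
    print(" ".join(build_sbom_command(".", "cyclonedx", "json", "bom.json")))
    for name, loc in find_path_leaks(SAMPLE_SBOM, SCAN_DIR):
        print(f"leak: {name}: {loc}")
    cleaned = relativize_locations(SAMPLE_SBOM, SCAN_DIR)
    print("leaks after relativize:", find_path_leaks(cleaned, SCAN_DIR))
```

Run find_path_leaks() over the SBOM you intend to publish, with the directory you scanned as scan_dir; any hit means a path from your build or developer environment is about to leave with the document. relativize_locations() is a post-processing fallback for that case and keeps the file-level evidence usable without the absolute prefix.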
The following section illustrates a CycloneDX JSON SBOM of the SBOM2DOC codebase, created with cve-bin-tool:
--strip-scan-dir and cannot strip evidence location paths, which may reveal sensitive information.