
Check vulnerabilities against an SBOM and create VEX document

Open · anthonyharrison opened this issue 9 months ago · 1 comment

Please describe your feature request:

Add an SBOM containing a list of components and report whether the identified vulnerabilities are relevant to the SBOM. If so, optionally create a VEX document in one of the standard formats (CycloneDX (easiest); other options are CSAF, OpenVEX, SPDX).

Describe the use case of this feature:

Scanning SBOMs for vulnerabilities is the #1 use case for SBOMs. Triaging and reporting vulnerabilities in a machine-readable format (i.e. VEX) is a growing need.

anthonyharrison · Mar 28 '25 15:03

Hi, I’m interested in this feature request and would like to contribute to implementing it.
Is there already any design discussion or direction on how SBOM + VEX support should be integrated into cvemap?

For example, assuming an SBOM is already provided (e.g., bom.json),
a possible workflow could look like:

cvemap scan --sbom bom.json --output vex.json --format cyclonedx-vex

jjhwan-h · Sep 11 '25 13:09
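The workflow the issue describes (components from bom.json, matched against advisories, triaged, written out as a VEX document) and the `cvemap scan --sbom bom.json --output vex.json --format cyclonedx-vex` command proposed in the comment, sketched end to end as an added example. This is not cvemap's code and the proposed flag does not exist yet; the script assumes a CycloneDX JSON SBOM whose components carry `bom-ref` and `purl`, a constructed advisory list (`VulnRecord`, with placeholder IDs of the form CVE-0000-NNNN that are not real advisories) standing in for whatever cvemap would query, and a constructed triage map that supplies the human `analysis` verdict. Only dotted numeric versions are compared; real matching needs per-ecosystem version rules.

```python
"""Check a CycloneDX SBOM against an advisory list and emit a CycloneDX VEX."""
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass
class VulnRecord:
    """Constructed advisory shape (not cvemap's data model): the package is
    affected for versions in the half-open range [introduced, fixed)."""
    id: str
    purl_prefix: str   # "pkg:type/namespace/name" part of the purl
    introduced: str
    fixed: str


def purl_parts(purl: str) -> tuple[str, str]:
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into (prefix, version).
    Qualifiers and subpath are dropped; version is '' when the purl has none."""
    purl = purl.split("?", 1)[0].split("#", 1)[0]
    at, slash = purl.rfind("@"), purl.rfind("/")
    return (purl[:at], purl[at + 1:]) if at > slash else (purl, "")


def version_key(v: str) -> tuple[int, ...]:
    """Dotted numeric versions only (4.17.9 < 4.17.10, 4.17 == 4.17.0); real
    matching needs per-ecosystem comparators (semver, PEP 440, ...)."""
    parts = [int(p) if p.isdigit() else 0 for p in v.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def scan_sbom(sbom: dict, feed: list[VulnRecord], triage: dict[str, dict]) -> list[dict]:
    """Return one CycloneDX VEX 'vulnerabilities' entry per (advisory, component)
    match. Entries default to in_triage; a triage decision keyed by advisory ID
    replaces the analysis so the VEX carries the human verdict."""
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"unsupported bomFormat {sbom.get('bomFormat')!r}")
    out = []
    for comp in sbom.get("components", []):
        prefix, ver = purl_parts(comp.get("purl", ""))
        if not ver:
            continue  # no version in the purl: nothing to range-match against
        for v in feed:
            if prefix != v.purl_prefix:
                continue
            if not (version_key(v.introduced) <= version_key(ver) < version_key(v.fixed)):
                continue
            out.append({
                "id": v.id,
                "analysis": triage.get(v.id, {"state": "in_triage"}),
                "affects": [{"ref": comp.get("bom-ref", comp.get("purl"))}],
            })
    return out


def build_vex(vulns: list[dict]) -> dict:
    """Wrap the entries in a CycloneDX BOM envelope: this is the vex.json output."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "vulnerabilities": vulns}


# Constructed inputs with placeholder advisory IDs; none of this is real data.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:npm/lodash@4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"bom-ref": "pkg:npm/lodash@4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"bom-ref": "pkg:golang/example.com/lib@1.2.3",
         "purl": "pkg:golang/example.com/lib@1.2.3?type=module"},
    ],
}
SAMPLE_FEED = [
    VulnRecord("CVE-0000-0001", "pkg:npm/lodash", "0", "4.17.21"),
    VulnRecord("CVE-0000-0002", "pkg:golang/example.com/lib", "1.0.0", "1.3.0"),
]
SAMPLE_TRIAGE = {
    "CVE-0000-0002": {"state": "not_affected", "justification": "code_not_reachable",
                      "detail": "the vulnerable function is never called by this application"},
}

if __name__ == "__main__":
    print(json.dumps(build_vex(scan_sbom(SAMPLE_SBOM, SAMPLE_FEED, SAMPLE_TRIAGE)), indent=2))
```

Run as-is it prints a VEX document with two entries: the placeholder advisory against lodash@4.17.20 stays `in_triage` (the 4.17.21 component is outside the affected range and produces nothing), while the second carries the `not_affected` / `code_not_reachable` verdict from the triage map. A `not_affected` state without a justification is the thing to reject at review time, since downstream consumers use it to suppress findings.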