SBOM CVE check RED EN 18031

Hello,

I am currently evaluating and trying to conform to the RED EN 18031 regulation regarding vulnerability checks, and I am having some problems because the SBOM SPDX file is incomplete both when I run "ncs-sbom" and when I run west spdx directly. I get an SPDX file that seems to lack keywords such as cpe, PackageVersion and PackageSupplier.

I am currently running SDK 2.5.3 on the nRF52840.

For the CVE check I use cve-bin-tool.

This is the output when I run the SPDX file generated by west and ncs-sbom through cve-bin-tool:

• Report Generated: 2026-03-31  13:11:55
• Time of last update of CVE Data: 2026-03-31  09:30:46
┏━━━━━━━━━━┳━━━━━━━┓
┃ Severity ┃ Count ┃
┡━━━━━━━━━━╇━━━━━━━┩
│ CRITICAL │ 0     │
│ HIGH     │ 0     │
│ MEDIUM   │ 0     │
│ LOW      │ 0     │
│ UNKNOWN  │ 0     │
└──────────┴───────┘
╭─────────────╮
│ CVE SUMMARY │
╰─────────────╯
╭─────────────╮
│ CPE SUMMARY │
╰─────────────╯
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃ Latest Upstream Stable Version ┃ CRITICAL CVEs Count ┃ HIGH CVEs Count ┃ MEDIUM CVEs Count ┃ LOW CVEs Count ┃ UNKNOWN CVEs Count ┃ TOTAL CVEs Count ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━┩
└────────┴─────────┴─────────┴────────────────────────────────┴─────────────────────┴─────────────────┴───────────────────┴────────────────┴────────────────────┴──────────────────┘
╭───────────────────────────────────────────────╮
│  Products with No Identified Vulnerabilities  │
╰───────────────────────────────────────────────╯
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━┳━━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃ Root ┃ Filename ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━╇━━━━━━━━━━┩
└────────┴─────────┴─────────┴──────┴──────────┘

  • Hi Hadi,

    Thanks for reporting, I'm on it and will come back to you on this matter.

    Best regards,
    Benjamin

  • Hi Benjamin, any updates regarding why the SPDX report seems to be incomplete and the file is missing PackageVersion and PackageSupplier?

  • Hi Hadi,
    Thanks for waiting; we have been short-staffed because of the Easter holidays.

    I don't know what fields cve-bin-tool needs to map CVE entries to software components. I tried to run it on a sample, and it does find some components:

    ┏━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━┓
    ┃ Vendor  ┃ Product                 ┃ Version     ┃
    ┡━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━┩
    │ UNKNOWN │ hostap-deps             │ hostap_2_11 │
    │ UNKNOWN │ mbedtls-deps            │ v3.6.5      │
    │ UNKNOWN │ trusted-firmware-m-deps │ TF-Mv2.2.0  │
    └─────────┴─────────────────────────┴─────────────┘

    I’m unsure whether the issue is that cve-bin-tool doesn’t recognize all components, or that it isn’t receiving enough information to identify them properly. I checked the documentation, and it seems that there is no support in west spdx for generating the keywords you are mentioning.

    Best regards,
    Benjamin

  • Hello Benjamin,

    Thanks for the reply!

    OK, that is odd. I tried `west ncs-sbom` first, and that did not work and gave no results. Then I tried west spdx and got the same result. Do you mind providing the steps that you took, so I can verify whether I might have excluded something in my build?

  • I used the mcuboot_with_encryption sample; it was built using sysbuild with CONFIG_BUILD_OUTPUT_META=y. The only file I tested was modules-deps.spdx.

    west spdx --init -d build/mcuboot_with_encryption
    west build --build-dir /some/path/mcuboot_with_encryption/build /Users/bebo/workspace/mcuboot_with_encryption --board nrf54l15dk/nrf54l15/cpuapp --sysbuild
    west spdx -d build/mcuboot_with_encryption
    cve-bin-tool \
      --sbom spdx \
      --sbom-file /some/path/mcuboot_with_encryption/build/mcuboot_with_encryption/spdx/modules-deps.spdx

  • OK, same as I do. The only difference is that modules-deps.spdx does not exist for versions below NCS SDK 2.6.0 or 2.7.0, I think, so that is the problem. What is the solution in this case for those of us who use an older version?

    I only get 3 SPDX files: build.spdx, zephyr.spdx, and app.spdx.
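To see which packages in a given SPDX tag-value file actually lack the identification fields discussed in this thread (PackageVersion, PackageSupplier and a cpe23Type ExternalRef), here is an added Python check. It is example code written for this thread, not part of ncs-sbom, west spdx or cve-bin-tool; the embedded SBOM text, the package names in it and the vendor/CPE strings are constructed for illustration. Run it with no argument to check the constructed sample, or pass the path of one of the generated .spdx files (for example build.spdx or zephyr.spdx) to check a real one.

```python
"""Report packages in an SPDX 2.x tag-value SBOM that lack the fields a
CVE scanner uses to identify them (constructed example, not project code)."""
import re
import sys

REQUIRED_TAGS = ("PackageVersion", "PackageSupplier")

# Constructed sample SBOM: one package with full identification data and
# one with only a name, mimicking the incomplete output discussed above.
# Vendor, product and CPE values are illustrative, not from a real build.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: modules-deps

PackageName: mbedtls-deps
SPDXID: SPDXRef-mbedtls-deps
PackageVersion: v3.6.5
PackageSupplier: Organization: Example Vendor
PackageDownloadLocation: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:example_vendor:mbedtls:3.6.5:*:*:*:*:*:*:*

PackageName: hostap-deps
SPDXID: SPDXRef-hostap-deps
PackageDownloadLocation: NOASSERTION
"""


def parse_spdx_packages(text):
    """Return one dict per package (tag -> value; ExternalRef collected as a list).

    In SPDX tag-value files a package section starts at 'PackageName:' and
    the package's tags follow it; a 'FileName:' tag starts a file section,
    so tags after it are no longer attributed to the package.
    """
    packages = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            continue
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            current = {"PackageName": value, "ExternalRef": []}
            packages.append(current)
        elif tag == "FileName":
            current = None
        elif current is not None:
            if tag == "ExternalRef":
                current["ExternalRef"].append(value)
            else:
                current[tag] = value
    return packages


def has_cpe(pkg):
    """True if the package carries a cpe23Type external reference."""
    return any(re.search(r"\bcpe23Type\b\s+cpe:2\.3:", ref) for ref in pkg["ExternalRef"])


def find_incomplete(packages, required=REQUIRED_TAGS):
    """Map each package name to the list of identification data it is missing."""
    report = {}
    for pkg in packages:
        missing = [tag for tag in required if not pkg.get(tag)]
        if not has_cpe(pkg):
            missing.append("ExternalRef cpe23Type")
        if missing:
            report[pkg["PackageName"]] = missing
    return report


def main(argv):
    """Check the file named in argv[1], or the constructed sample if none given."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SPDX
    report = find_incomplete(parse_spdx_packages(text))
    for name, missing in report.items():
        print(f"{name}: missing {', '.join(missing)}")
    return 1 if report else 0  # non-zero exit when any package is incomplete


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the constructed sample the script flags hostap-deps as missing all three items and exits non-zero, which is the same condition that leaves a scanner with nothing to match against; running it over the SPDX files a build produces shows whether the gap is in the generated SBOM rather than in the scanner.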
