Sbom cve check RED EN 18031

RE: Sbom cve check RED EN 18031

Benjamin — Mon, 13 Apr 2026 11:12:11 GMT

Hi,
Yes you are right, this was added in NCS v2.8.0. I don't have any quick fixes for making this work better with the cve-bin-tool. However I found this article online, you may want to have a look at that!

Benjamin

RE: Sbom cve check RED EN 18031

Hdx — Thu, 09 Apr 2026 08:22:27 GMT

Ok same as I do, the only difference is that the modules-deps.spdx does not exist for versions below ncs sdk 2.6.0 or 2.7.0 i think, so there is the problem. What is the solution in this case for us that use older version?

I only get 3 spdx files, build.spdx, zephyr.spdx, and app.spdx.

RE: Sbom cve check RED EN 18031

Benjamin — Thu, 09 Apr 2026 08:19:39 GMT

I used the mcuboot_with_encryption sample, it was built using sysbuild and CONFIG_BUILD_OUTPUT_META=y. The only file I tested was modules-deps.spdx.

west spdx --init -d build/mcuboot_with_encryption
west build --build-dir /some/path/mcuboot_with_encryption/build /Users/bebo/workspace/mcuboot_with_encryption --board nrf54l15dk/nrf54l15/cpuapp --sysbuild
west spdx -d build/mcuboot_with_encryption
cve-bin-tool \
  --sbom spdx \
  --sbom-file /some/path/mcuboot_with_encryption/build/mcuboot_with_encryption/spdx/modules-deps.spdx

RE: Sbom cve check RED EN 18031

Hdx — Wed, 08 Apr 2026 13:28:09 GMT

Hello Benjamin,

Thanks for the reply!

Ok that is odd, I tried the ´west ncs-sbom´ first and that did not work and got no results. Then I tried the west spdx and got the same result. Do you mind providing the steps that you did to verify if I might have exlcuded something in my build?

RE: Sbom cve check RED EN 18031

Benjamin — Wed, 08 Apr 2026 13:22:33 GMT

Hi Hadi,
Thanks for waiting, we have been low staffed because of Easter holidays.

I don't know what fields the cve-bin-tool needs to map CVE entries to software components. I tried to run it on a sample and it does find some components:

┏━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━┓
┃ Vendor  ┃ Product                 ┃ Version     ┃
┡━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━┩
│ UNKNOWN │ hostap-deps             │ hostap_2_11 │
│ UNKNOWN │ mbedtls-deps            │ v3.6.5      │
│ UNKNOWN │ trusted-firmware-m-deps │ TF-Mv2.2.0  │
└─────────┴─────────────────────────┴─────────────┘

I’m unsure whether the issue is that cve-bin-tool doesn’t recognize all components, or that it isn’t receiving enough information to identify them properly. I checked the documentation and it seems that there is no support for west spdx to include generating the keywords you are mentioning.

Best regards,
Benjamin

RE: Sbom cve check RED EN 18031

Hdx — Tue, 07 Apr 2026 07:41:14 GMT

Hi Benjamin, any updates regarding this why the spdx report seem to be incomplete and the file is missing the packageversion and packagesuppliers?

RE: Sbom cve check RED EN 18031

Hdx — Wed, 01 Apr 2026 11:02:25 GMT

Hello Benjamin!

Thank you!

I'll be waiting for your response then :)

It is a bit urgent so appreciate if get an answer soon.

/Hd

RE: Sbom cve check RED EN 18031

Benjamin — Wed, 01 Apr 2026 10:51:37 GMT

Hi Hadi,

Thanks for reporting, I'm on it and will come back to you on this matter.

Best regards,
Benjamin