Hello,
I am currently evaluating and trying to conform to the regulation regarding the RED EN 18031 vulnerability checks, and I am having some problems because the SBOM SPDX file is incomplete, both when I run "ncs-sbom" and when I run west spdx directly. I get an SPDX file that seems to lack keywords such as cpe, PackageVersion and PackageSupplier.
I am currently running SDK 2.5.3 on the nRF52840.
For the CVE check I use cve-bin-tool.
This is the output when I run cve-bin-tool on the SPDX file generated by west and ncs-sbom:
• Report Generated: 2026-03-31 13:11:55
• Time of last update of CVE Data: 2026-03-31 09:30:46
┏━━━━━━━━━━┳━━━━━━━┓
┃ Severity ┃ Count ┃
┡━━━━━━━━━━╇━━━━━━━┩
│ CRITICAL │ 0 │
│ HIGH │ 0 │
│ MEDIUM │ 0 │
│ LOW │ 0 │
│ UNKNOWN │ 0 │
└──────────┴───────┘
╭─────────────╮
│ CVE SUMMARY │
╰─────────────╯
╭─────────────╮
│ CPE SUMMARY │
╰─────────────╯
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃ Latest Upstream Stable Version ┃ CRITICAL CVEs Count ┃ HIGH CVEs Count ┃ MEDIUM CVEs Count ┃ LOW CVEs Count ┃ UNKNOWN CVEs Count ┃ TOTAL CVEs Count ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━┩
└────────┴─────────┴─────────┴────────────────────────────────┴─────────────────────┴─────────────────┴───────────────────┴────────────────┴────────────────────┴──────────────────┘
╭───────────────────────────────────────────────╮
│ Products with No Identified Vulnerabilities │
╰───────────────────────────────────────────────╯
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━┳━━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃ Root ┃ Filename ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━╇━━━━━━━━━━┩
└────────┴─────────┴─────────┴──────┴──────────┘
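An empty "Products with No Identified Vulnerabilities" table usually means the scanner could not identify any product at all, not that it found none vulnerable. To the best of my knowledge cve-bin-tool derives its vendor/product/version triple from PackageSupplier, PackageName and PackageVersion, or from a cpe23Type/purl ExternalRef, and silently skips packages where that is missing. The script below is an added example, not part of the post above and not code from cve-bin-tool, west or ncs-sbom: it parses an SPDX 2.x tag-value file and lists, per package, which of those fields are absent, so you can confirm on your own generated file what the empty report is hiding. The embedded SPDX excerpt is constructed for the example (a made-up build with one complete and two incomplete packages) and is not real west spdx output; multi-line `<text>` values are not handled.

```python
"""Report which packages in an SPDX 2.x tag-value SBOM lack the fields a CVE
scanner needs to map them to a product (version, supplier, CPE/purl ref).
Added example; assumes the cve-bin-tool field usage described in the lead-in."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, NOT real west spdx / ncs-sbom output. "zephyr" carries
# every field; "mbedtls" and "app" are deliberately incomplete.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
DocumentName: sample-build
PackageName: zephyr
SPDXID: SPDXRef-zephyr
PackageVersion: 3.4.99
PackageSupplier: Organization: Zephyr Project
ExternalRef: SECURITY cpe23Type cpe:2.3:o:zephyrproject:zephyr:3.4.99:*:*:*:*:*:*:*
PackageName: mbedtls
SPDXID: SPDXRef-mbedtls
PackageDownloadLocation: NOASSERTION
PackageName: app
SPDXID: SPDXRef-app
PackageVersion: 1.0.0
"""

# Tags a scanner needs besides PackageName (assumption, see lead-in).
REQUIRED_TAGS = ("PackageVersion", "PackageSupplier")
CPE_RE = re.compile(r"^ExternalRef:\s+SECURITY\s+cpe23Type\s+(cpe:2\.3:\S+)")
PURL_RE = re.compile(r"^ExternalRef:\s+PACKAGE[-_]MANAGER\s+purl\s+(\S+)")


@dataclass
class Package:
    name: str
    fields: Dict[str, str] = field(default_factory=dict)
    cpe: Optional[str] = None
    purl: Optional[str] = None


def parse_spdx_tag_value(text: str) -> List[Package]:
    """Split a tag-value document into packages; a PackageName tag opens a new one."""
    packages: List[Package] = []
    current: Optional[Package] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("PackageName:"):
            current = Package(name=line.split(":", 1)[1].strip())
            packages.append(current)
            continue
        if current is None:
            continue  # document-level header (SPDXVersion etc.), not a package field
        m = CPE_RE.match(line)
        if m:
            current.cpe = m.group(1)
            continue
        m = PURL_RE.match(line)
        if m:
            current.purl = m.group(1)
            continue
        if ":" in line:
            tag, value = line.split(":", 1)  # keeps "Organization: X" intact as the value
            current.fields[tag.strip()] = value.strip()
    return packages


def missing_scanner_fields(packages: List[Package]) -> Dict[str, List[str]]:
    """Map package name -> tags a scanner would need but cannot find."""
    report: Dict[str, List[str]] = {}
    for pkg in packages:
        gaps = [t for t in REQUIRED_TAGS if t not in pkg.fields]
        if pkg.cpe is None and pkg.purl is None:
            gaps.append("ExternalRef (cpe23Type or purl)")
        if gaps:
            report[pkg.name] = gaps
    return report


def report_for(text: str) -> Dict[str, List[str]]:
    return missing_scanner_fields(parse_spdx_tag_value(text))


if __name__ == "__main__":
    import sys
    # Run on a real file: python check_spdx.py build/zephyr/sdk.spdx (path is an example)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SPDX
    for name, gaps in report_for(src).items():
        print(f"{name}: missing {', '.join(gaps)}")
```

Any package listed by this check is one cve-bin-tool has nothing to match on; the fix is either supplying the missing tags at generation time or feeding the scanner a CPE/purl ExternalRef per package, not adjusting the scan.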