SBOM CVE Checker
A lightweight command-line tool that reads a Software Bill of Materials (SBOM) in XLSX or CSV format, queries the National Vulnerability Database (NVD) for known CVEs, and writes a detailed CSV report. The program is written entirely in Go with no external dependencies.
Features
- 📄 Supports both XLSX and CSV SBOM inputs
- ⏳ Text-based progress bar while scanning components
- 🔑 Optional NVD API key for higher rate limits
- 📊 Report includes CVE ID, CVSS score, severity, URL, and description
- 🧮 Summary counts for total CVEs and severities (high/medium/low)
- 🕒 Summary includes scan start/end times and total duration
Installation
# Clone and build
git clone https://github.com/b4siliskk/sbom-cve-checker.git
cd sbom-cve-checker
go build
# (Optional) install globally
sudo mv sbom_cve_checker /usr/local/bin/
Requirements
- Go 1.18+
- Internet connectivity (for NVD queries)
- SBOM file with at least two columns: component name and version
Usage
# Scan an XLSX SBOM
./sbom_cve_checker --input SBOM-example.xlsx --output report.csv
# Scan a CSV SBOM
./sbom_cve_checker --input SBOM-example.csv --output report.csv
# Use an NVD API key for a higher rate limit (≈1 req/sec)
./sbom_cve_checker --input SBOM-example.xlsx --apikey "$NVD_API_KEY" --output report.csv
# Show tool version
./sbom_cve_checker --version
Without an API key the tool waits ~7 seconds between requests to respect NVD's public rate limit of 5 requests per rolling 30-second window (at most one request every 6 seconds; the extra second is a safety margin).
SBOM Format
The input file must contain at least two columns: the component name and its version. The first row is treated as a header and will be skipped during processing. Only .xlsx and .csv files are supported.
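The format rules above, as an added example that is not the checker's own code: a Go parser for the CSV variant that applies the documented behaviour (first row is a header and is skipped, at least two columns, name then version) and handles the edge cases spreadsheet exports produce. Detecting the columns from the header names, stripping a UTF-8 BOM and reporting version-less rows separately are assumptions of this example, not documented behaviour of the tool; the sample CSV is constructed, and XLSX input is not covered.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/csv"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Component is one SBOM row reduced to the two fields the checker needs.
type Component struct {
	Name    string
	Version string
}

// Constructed sample input, not a real SBOM: a UTF-8 BOM (common in
// spreadsheet exports), a header row with an extra column, stray
// whitespace, a blank line and a row with an empty version.
const sampleSBOM = "\ufeffComponent,Version,Supplier\n" +
	"openssl, 1.1.1k ,OpenSSL Project\n" +
	"\n" +
	"zlib,1.2.11,\n" +
	"libpng,,\n"

// ParseSBOMCSV reads an SBOM with at least two columns. The first row is
// treated as a header and skipped, as the checker documents; if the header
// names a "component"/"name" and a "version" column those positions are
// used (an assumption of this example), otherwise columns 0 and 1 are.
// Rows whose version is empty are returned separately instead of being
// queried: an NVD lookup on a bare component name produces mostly noise.
func ParseSBOMCSV(r io.Reader) (comps []Component, noVersion []string, err error) {
	br := bufio.NewReader(r)
	// Strip a UTF-8 BOM so it does not become part of the first header cell.
	if b, perr := br.Peek(3); perr == nil && bytes.Equal(b, []byte{0xEF, 0xBB, 0xBF}) {
		br.Discard(3)
	}
	cr := csv.NewReader(br)
	cr.FieldsPerRecord = -1 // rows may carry a different number of columns
	cr.TrimLeadingSpace = true

	header, err := cr.Read()
	if err != nil {
		return nil, nil, fmt.Errorf("reading header row: %w", err)
	}
	if len(header) < 2 {
		return nil, nil, errors.New("SBOM needs at least two columns (component name and version)")
	}
	nameCol, verCol := 0, 1
	for i, h := range header {
		switch strings.ToLower(strings.TrimSpace(h)) {
		case "component", "component name", "name":
			nameCol = i
		case "version":
			verCol = i
		}
	}
	for {
		rec, rerr := cr.Read() // encoding/csv skips blank lines itself
		if errors.Is(rerr, io.EOF) {
			break
		}
		if rerr != nil {
			return nil, nil, fmt.Errorf("reading SBOM: %w", rerr) // csv.ParseError carries the line number
		}
		if len(rec) <= nameCol || strings.TrimSpace(rec[nameCol]) == "" {
			continue // nothing to look up
		}
		name := strings.TrimSpace(rec[nameCol])
		version := ""
		if len(rec) > verCol {
			version = strings.TrimSpace(rec[verCol])
		}
		if version == "" {
			noVersion = append(noVersion, name)
			continue
		}
		comps = append(comps, Component{Name: name, Version: version})
	}
	return comps, noVersion, nil
}

func main() {
	comps, noVersion, err := ParseSBOMCSV(strings.NewReader(sampleSBOM))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, c := range comps {
		fmt.Printf("%-10s %s\n", c.Name, c.Version)
	}
	fmt.Println("skipped (no version):", noVersion)
}
```

Trailing whitespace is trimmed explicitly because encoding/csv only trims leading space; the header cells are matched case-insensitively so "Version" and "version" both work.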
Getting an NVD API Key
With an API key NVD allows 50 requests per rolling 30-second window instead of 5, and the tool paces itself at roughly one request per second.
1. Visit the NVD API key request page (https://nvd.nist.gov/developers/request-an-api-key).
2. Complete and submit the form. A key will be emailed to you.
3. Set the key as an environment variable or pass it via the --apikey flag:
export NVD_API_KEY="your-key-here"
./sbom_cve_checker --input SBOM-example.xlsx --apikey "$NVD_API_KEY" --output report.csv
If the --apikey flag is omitted, the tool falls back to the NVD_API_KEY environment variable if it is set. Prefer the environment variable: a key given on the command line is visible to other users of the machine in the process list and is recorded in your shell history.
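The rate limiting and key handling described in this section, as an added example that is not the checker's own code: a Go pacer that derives the sleep between requests from NVD's documented window limits, a request builder that sends the key in the apiKey header rather than in the URL, and a scanning loop that honours cancellation. The endpoint and header name are NVD's documented ones; the keywordSearch query form, the margins and the injected fetch function are assumptions of this example, and this README does not say how the checker itself queries NVD. The component list is constructed.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// Component mirrors an SBOM row: name and version.
type Component struct {
	Name    string
	Version string
}

// NVD's documented limits: 5 requests per rolling 30-second window without
// a key, 50 with one.
const (
	nvdWindow      = 30 * time.Second
	publicRequests = 5
	keyedRequests  = 50
)

// nvdBase is the CVE API 2.0 endpoint. keywordSearch over "name version" is
// one way to query it and is used here only for illustration (assumption).
const nvdBase = "https://services.nvd.nist.gov/rest/json/cves/2.0"

// RequestInterval spreads requests evenly over the window and adds a margin,
// so a fixed sleep between calls stays inside the allowance even when the
// server's window boundaries do not line up with ours. A 1 s margin without
// a key gives the ~7 s the checker uses.
func RequestInterval(hasKey bool, margin time.Duration) time.Duration {
	n := publicRequests
	if hasKey {
		n = keyedRequests
	}
	return nvdWindow/time.Duration(n) + margin
}

// NewNVDRequest builds the GET for one component. The key goes in the apiKey
// header (the mechanism NVD documents), never in the URL, so it cannot leak
// through proxy logs or a URL column in the report.
func NewNVDRequest(ctx context.Context, c Component, apiKey string) (*http.Request, error) {
	q := url.Values{}
	q.Set("keywordSearch", c.Name+" "+c.Version)
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, nvdBase+"?"+q.Encode(), nil)
	if err != nil {
		return nil, err
	}
	if apiKey != "" {
		req.Header.Set("apiKey", apiKey)
	}
	return req, nil
}

// ScanPaced issues one request per component, sleeping interval between
// them and stopping when ctx is cancelled. fetch is injected so the loop
// can be exercised offline; a real one would run client.Do and decode the
// JSON body. It returns how many requests were handed to fetch.
func ScanPaced(ctx context.Context, comps []Component, apiKey string,
	interval time.Duration, fetch func(*http.Request) error) (int, error) {
	sent := 0
	for i, c := range comps {
		if i > 0 {
			select {
			case <-ctx.Done():
				return sent, ctx.Err()
			case <-time.After(interval):
			}
		}
		req, err := NewNVDRequest(ctx, c, apiKey)
		if err != nil {
			return sent, err
		}
		if err := fetch(req); err != nil {
			return sent, fmt.Errorf("%s %s: %w", c.Name, c.Version, err)
		}
		sent++
	}
	return sent, nil
}

func main() {
	comps := []Component{{"openssl", "1.1.1k"}, {"zlib", "1.2.11"}} // constructed
	apiKey := ""                                                   // read from NVD_API_KEY in real use
	fmt.Printf("pacing: one request every %s\n", RequestInterval(apiKey != "", time.Second))
	// Dry run: print each request instead of sending it.
	n, err := ScanPaced(context.Background(), comps, apiKey, 10*time.Millisecond,
		func(r *http.Request) error {
			fmt.Println("GET", r.URL.String(), "apiKey header set:", r.Header.Get("apiKey") != "")
			return nil
		})
	fmt.Println("requests issued:", n, "err:", err)
}
```

Go canonicalises the header name to "Apikey" on the wire; HTTP header names are case-insensitive, so NVD accepts it. The fixed sleep is deliberately simpler than a token bucket: for a sequential scanner it is enough, and it is what the ~7-second wait in this README describes.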
Output
- CSV report: one row per component/CVE with columns Component, Version, CVE ID, CVSS, Severity, URL, Description
- Summary printed to stdout with counts of components, total CVEs, and severity breakdown
License
MIT License
Copyright (c) 2025 Met Gashi
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.