Inventory normalization
native + Syft
Parses CycloneDX, SPDX and Syft into one canonical component model so every later check sees the same inventory.
12 analyses · 1 verdict
A single upload runs twelve independent analyses: inventory, quality, conformance, multi-engine vulnerabilities and exploit prioritization. Here is exactly what each one does.
native + Syft
Parses CycloneDX, SPDX and Syft into one canonical component model so every later check sees the same inventory.
sbomqs
Scores versions, licenses, suppliers, PURLs, CPEs and hashes - a clean scan on a poor SBOM is flagged as low confidence.
ntia-conformance-checker
Checks the NTIA minimum-elements baseline every compliant SBOM must meet.
Grype
Matches components to known CVEs by package and version across many ecosystems.
OSV-Scanner
Cross-checks the same inventory against the OSV database for a second, independent verdict.
cve-bin-tool
Finds CVEs in compiled and C/C++ components that package-name matching alone misses.
Trivy
Adds broad cross-ecosystem CVE coverage as a third scanning engine.
OSV.dev
Queries the OSV.dev API live by PURL so fresh advisories show up without waiting for a DB refresh.
CISA KEV
Flags vulnerabilities listed in the CISA Known Exploited Vulnerabilities catalog - fix these first.
EPSS
Adds the EPSS 30-day exploit-probability score so triage follows real-world likelihood, not just severity.
native
Rolls findings up per dependency - version gaps, missing identifiers and CVEs - into one risk level with a recommended action.
native merger
Deduplicates findings across all engines by (CVE, component), keeps per-engine attribution, and emits one VirusTotal-style verdict.
Built for embedded
Zephyr and Yocto already emit SPDX SBOMs at build time. Produce them in your build, then drop them here for all twelve analyses.
west generates SPDX 2.3 from your build. Enable CONFIG_BUILD_OUTPUT_META:
west spdx --init -d build # set CONFIG_BUILD_OUTPUT_META=y west build -d build west spdx -d build # → build/spdx/app.spdx, zephyr.spdx, # build.spdx, modules-deps.spdx
The create-spdx class is inherited by default (INHERIT_DISTRO). Building an image emits an SPDX JSON:
bitbake core-image-minimal # → tmp/deploy/images/MACHINE/ # IMAGE-MACHINE.spdx.json # meta-timesys / sbom-cve-check add # CVE feeds to the Yocto flow
CRA readiness
The Cyber Resilience Act references the SBOM in Annex I, Part II, point (1), and Article 14 requires reporting of actively exploited vulnerabilities: early warning within 24h, notification within 72h, final report within 14 days of a fix (applies from 11 September 2026). This tool documents your gaps and prioritizes CVEs - it makes no certification claims.
Read the full CRA and SBOM evidence guideVerified sources: docs.zephyrproject.org · docs.yoctoproject.org · digital-strategy.ec.europa.eu/en/policies/cra-reporting
Create a free account to save your scan history and results across devices, re-open and rescan any SBOM, and use our API to scan from CI and pull results programmatically.