debsbom sec-scan
Synopsis
debsbom sec-scan [-h] [-t {cdx,spdx}] [--author AUTHOR]
                 [--default-product {component,distribution}]
                 [--product PRODUCT] [--db DB] [--distro DISTRO] [--update-db]
                 [--filter FILTER] [-f {text,json,sarif,vex}]
                 [--min-urgency {high,medium,low,unimportant,end-of-life,not-yet-assigned}]
                 [--tracker TRACKER] [--with-paths-to-root]
                 [bomin]
Description
Check an SBOM for security vulnerabilities.
Scans the packages listed in an SBOM for known security vulnerabilities.
JSON Output Schema
When the application is run with JSON output enabled (-f json),
scan results are emitted as single-line JSON objects to standard output.
Each line represents one distinct scan result (e.g. one vulnerability affecting one package).
The schema for these JSON objects is as follows:
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://raw.githubusercontent.com/siemens/debsbom/refs/heads/main/src/debsbom/schema/schema-sec-scan.json",
  "title": "Security Scan Result",
  "definitions": {
    "vulnerability": {
      "type": "object",
      "required": [
        "id",
        "status",
        "urgency",
        "tracker"
      ],
      "properties": {
        "id": {
          "type": "string",
          "description": "Vulnerability identifier (CVE or temporary ID)"
        },
        "status": {
          "type": "string",
          "enum": [
            "resolved",
            "undetermined",
            "open"
          ],
          "description": "Current vulnerability status"
        },
        "urgency": {
          "type": "string",
          "enum": [
            "high",
            "medium",
            "low",
            "unimportant",
            "end-of-life",
            "not-yet-assigned"
          ],
          "description": "Urgency level"
        },
        "fixed-in": {
          "type": [
            "string"
          ],
          "description": "Version in which the vulnerability is fixed"
        },
        "desc": {
          "type": [
            "string"
          ],
          "description": "Vulnerability description"
        },
        "tracker": {
          "type": [
            "string"
          ],
          "format": "uri",
          "description": "URL to the vulnerability tracker entry"
        },
        "debianbug": {
          "type": "integer",
          "description": "Debian bug id"
        },
        "bugreport": {
          "type": [
            "string"
          ],
          "format": "uri",
          "description": "URL to the debian bug tracker entry"
        },
        "nodsa": {
          "type": [
            "string"
          ],
          "description": "Reason why no DSA is issued"
        }
      },
      "additionalProperties": false
    },
    "pathsToRoot": {
      "type": "object",
      "properties": {
        "allShortest": {
          "type": "array",
          "items": {
            "$ref": "schema-trace-path.json"
          }
        }
      }
    }
  },
  "type": "object",
  "required": [
    "package",
    "purl",
    "vulnerability"
  ],
  "properties": {
    "package": {
      "type": "string",
      "description": "Package name and version"
    },
    "purl": {
      "type": "string",
      "description": "Package URL (PURL) identifier"
    },
    "vulnerability": {
      "$ref": "#/definitions/vulnerability"
    },
    "pathsToRoot": {
      "$ref": "#/definitions/pathsToRoot"
    }
  },
  "additionalProperties": false
}
Options
Positional Arguments
- bomin
sbom file(s) to process for ‘bomin’. Use ‘-’ to read from stdin
Named Arguments
- -t, --sbom-type
SBOM type to process (default: auto-detect), required when reading from stdin
Possible choices: cdx, spdx
- --author
author of the document (-f vex only)
- --default-product='component'
controls whether the component or distribution is used as the product in VEX statements (-f vex only, default: ‘component’)
Possible choices: component, distribution
- --product
product to use in VEX statements; overrides the behavior of --default-product (-f vex only)
- --db=~/.cache/debsbom/security-tracker.json
path to Debian security tracker JSON database (default: ~/.cache/debsbom/security-tracker.json)
- --distro='trixie'
Debian distribution to check (default: ‘trixie’)
- --update-db=False
download the security tracker database (from --tracker) and store it at the path specified by --db
- --filter
limit search to a specific package name
- -f='text', --format='text'
output format (default: ‘text’)
Possible choices: text, json, sarif, vex
- --min-urgency='not-yet-assigned'
filter CVEs by urgency (default: ‘not-yet-assigned’)
Possible choices: high, medium, low, unimportant, end-of-life, not-yet-assigned
- --tracker='https://security-tracker.debian.org/tracker'
URL of the upstream Debian security tracker (default: ‘https://security-tracker.debian.org/tracker’)
- --with-paths-to-root=False
emit path from component to root per affected package (-f json only)
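The following is an added example, not code from debsbom itself, showing how a consumer of the JSON output described under "JSON Output Schema" can check each line against the required keys and enumerations of that schema and then apply the same urgency ordering that the --min-urgency option uses (the choice list, most urgent first). The sample lines, package versions, PURLs and CVE-0000-000x identifiers are constructed for this example; the validation is a hand-written subset of the schema (required keys, enums, additionalProperties), not a full JSON Schema validator.

```python
import json

# Enumerations and key sets transcribed from schema-sec-scan.json (shown above).
STATUS_VALUES = {"resolved", "undetermined", "open"}
# Same order as the --min-urgency choice list, most urgent first.
URGENCY_ORDER = ["high", "medium", "low", "unimportant",
                 "end-of-life", "not-yet-assigned"]
TOP_REQUIRED = {"package", "purl", "vulnerability"}
TOP_ALLOWED = TOP_REQUIRED | {"pathsToRoot"}
VULN_REQUIRED = {"id", "status", "urgency", "tracker"}
VULN_ALLOWED = VULN_REQUIRED | {"fixed-in", "desc", "debianbug", "bugreport", "nodsa"}

# Constructed sample: three well-formed lines as `debsbom sec-scan -f json` emits
# them, one non-JSON line and one record missing a required key. All package
# versions, PURLs and CVE ids are made up for this example.
SAMPLE_OUTPUT = "\n".join([
    json.dumps({"package": "openssl 3.0.15-1",
                "purl": "pkg:deb/debian/openssl@3.0.15-1?arch=amd64",
                "vulnerability": {"id": "CVE-0000-0001", "status": "open", "urgency": "high",
                                  "tracker": "https://security-tracker.debian.org/tracker/CVE-0000-0001",
                                  "fixed-in": "3.0.16-1"}}),
    json.dumps({"package": "curl 8.11.1-1",
                "purl": "pkg:deb/debian/curl@8.11.1-1?arch=amd64",
                "vulnerability": {"id": "CVE-0000-0002", "status": "resolved", "urgency": "medium",
                                  "tracker": "https://security-tracker.debian.org/tracker/CVE-0000-0002"}}),
    json.dumps({"package": "zlib1g 1:1.3.dfsg-1",
                "purl": "pkg:deb/debian/zlib1g@1:1.3.dfsg-1?arch=amd64",
                "vulnerability": {"id": "CVE-0000-0003", "status": "open", "urgency": "unimportant",
                                  "tracker": "https://security-tracker.debian.org/tracker/CVE-0000-0003",
                                  "nodsa": "Minor issue"},
                "pathsToRoot": {"allShortest": []}}),
    "this line is not JSON",  # a consumer must report this, not crash
    json.dumps({"package": "bash 5.2.37-1",  # 'purl' is missing: schema violation
                "vulnerability": {"id": "CVE-0000-0004", "status": "open", "urgency": "low",
                                  "tracker": "https://security-tracker.debian.org/tracker/CVE-0000-0004"}}),
])


def validate_record(obj):
    """Return a list of schema violations for one parsed line (empty if valid)."""
    if not isinstance(obj, dict):
        return ["record is not a JSON object"]
    errors = [f"missing required key '{k}'" for k in sorted(TOP_REQUIRED - obj.keys())]
    errors += [f"unexpected key '{k}'" for k in sorted(obj.keys() - TOP_ALLOWED)]
    vuln = obj.get("vulnerability")
    if not isinstance(vuln, dict):
        return errors + ["'vulnerability' is not an object"]
    errors += [f"vulnerability missing '{k}'" for k in sorted(VULN_REQUIRED - vuln.keys())]
    errors += [f"vulnerability has unexpected key '{k}'" for k in sorted(vuln.keys() - VULN_ALLOWED)]
    if vuln.get("status") not in STATUS_VALUES:
        errors.append(f"unknown status {vuln.get('status')!r}")
    if vuln.get("urgency") not in URGENCY_ORDER:
        errors.append(f"unknown urgency {vuln.get('urgency')!r}")
    if "debianbug" in vuln and not isinstance(vuln["debianbug"], int):
        errors.append("'debianbug' is not an integer")
    return errors


def parse_scan_output(text):
    """Split JSON-lines scanner output into valid records and per-line error messages."""
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append(f"line {lineno}: not valid JSON ({exc.msg})")
            continue
        problems = validate_record(obj)
        if problems:
            errors.append(f"line {lineno}: " + "; ".join(problems))
            continue
        records.append(obj)
    return records, errors


def urgency_at_least(urgency, minimum):
    """True if `urgency` is at least as urgent as `minimum` (the --min-urgency rule)."""
    return URGENCY_ORDER.index(urgency) <= URGENCY_ORDER.index(minimum)


def open_findings(records, min_urgency="not-yet-assigned"):
    """Map the 'package' string to sorted ids of open vulnerabilities meeting the threshold."""
    result = {}
    for rec in records:
        vuln = rec["vulnerability"]
        if vuln["status"] != "open" or not urgency_at_least(vuln["urgency"], min_urgency):
            continue
        result.setdefault(rec["package"], []).append(vuln["id"])
    return {pkg: sorted(ids) for pkg, ids in result.items()}


if __name__ == "__main__":
    recs, errs = parse_scan_output(SAMPLE_OUTPUT)
    for err in errs:
        print("skipped:", err)
    for pkg, ids in open_findings(recs, "medium").items():
        print(pkg, "->", ", ".join(ids))
```

With the default threshold `not-yet-assigned` every open finding is kept, matching the tool's default; raising it to `medium` drops the `unimportant` zlib1g entry while the malformed and schema-violating lines are reported separately rather than silently ignored.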
SEE ALSO
debsbom-generate(1)
DEBSBOM
Part of the debsbom(1) suite.