Configuration
You can pass one or more TOML configuration files to the sbom-cve-check tool
using the --config flag.
If multiple configuration files are provided, they are merged. For example, if two configuration files are specified, the second file can add new options, replace, or extend options declared in the first file. Note that it is not possible to remove or unset a previously declared option.
The configuration file allows you to configure various elements, as detailed in the following subsections.
Configurable elements
Databases
You can add multiple CVE databases and annotation databases, as described in the database configuration section.
Databases are specified within the [databases] table.
Plugins
You can configure search paths for loading plugins using the plugins= option.
This option expects an array of paths, as described in more detail in the
plugins section.
If multiple configuration files include the plugins= option, the plugin
search paths are extended to include all specified paths.
Arguments
You can specify sbom-cve-check arguments directly in the configuration file.
These arguments are combined with those passed from the command line.
To add arguments in the configuration file, include them in the args= option
within the [sbom-cve-check] table. The value of args= must be an array of
strings.
For example, to enable verbose output, you can add the following to a TOML file:
[sbom-cve-check]
args = ["-vv"]
You can also specify all arguments in the configuration file if needed. For
example, with a configuration file named my-check.toml:
[sbom-cve-check]
args = [
"--sbom-path",
"my-image.rootfs.spdx.json",
"--export-type",
"yocto-cve-check-manifest",
"--export-path",
"out.json"
]
In this case, you only need to run sbom-cve-check with the --config
argument:
sbom-cve-check --config my-check.toml
Note: If relative paths are used in the args= array, they are resolved
relative to the current working directory, not relative to the configuration
file. Keep this limitation in mind.
Configuration generation
You can generate a configuration file that captures all the settings used during the current execution of the tool. This file includes references to databases, their versions, and the configuration applied, ensuring reproducibility and traceability.
To generate this file, use the --gen-repro-config flag and specify the output
file path for the generated TOML file.
For example, the generated configuration file will look like this:
plugins = []
[sbom-cve-check]
version = "1.1.0"
args = [
"--ignore-default-config",
"--sbom-type",
"spdx3",
"--sbom-path",
"/home/user/core-image-minimal-qemuarm.rootfs-20251009150829.spdx.json",
"--sbom-annotation-priority",
"100",
"--no-sbom-obsolete-assessment-check",
"--export-filter-vex-status",
"under_investigation",
"affected",
"--export-type",
"yocto-cve-check-manifest",
"--export-path",
"/home/user/out.json",
]
[databases.db-df75fa3da5f9aa1d9ed834d109641c47]
type = "yocto-vex-manifest"
name = "core-image-minimal-qemuarm.rootfs-20251009150829.json"
priority = 101
obsolete_assessment_check = false
path = "/home/user/core-image-minimal-qemuarm.rootfs-20251009150829.json"
[databases.db-6061bd924825afe789df126a89638e7d]
type = "cve-db-nvd-fkie"
name = "nvd-fkie"
priority = 50
path = "/home/user/.cache/sbom_cve_check/databases/nvd-fkie"
cache_index_path = "/home/user/.cache/sbom_cve_check/databases/nvd-fkie/.sbom-cve-check-cache-index.json"
git_url = "https://github.com/fkie-cad/nvd-json-data-feeds.git"
auto_update_max_age = "20h"
max_age_since_last_commit = true
git_ref = "85d3d6c26f07c422388022a474f73fb41bfd4831"
git_branch = "main"
[databases.db-88fa58ee2922dd1af5aff646df045c9f]
type = "cve-db-cvelist"
name = "cvelist"
priority = 50
path = "/home/user/.cache/sbom_cve_check/databases/cvelist"
cache_index_path = "/home/user/.cache/sbom_cve_check/databases/cvelist/.sbom-cve-check-cache-index.json"
git_url = "https://github.com/CVEProject/cvelistV5.git"
auto_update_max_age = "20h"
max_age_since_last_commit = true
git_ref = "41ac2ebbc96d246e94a9fc76a6463988b013dd0b"
git_branch = "main"