SBOM Component CVE Checker
Paste a list of software components (package@version, one per line) and instantly generate NVD CVE Database search links for each one. Quickly identify which components need vulnerability triage. Supports npm, pip, Maven, Go modules, and free-form package names.
Paste component list
One component per line. Supports PURL, CPE, npm, pip, Maven, or plain name@version.
Note: This tool generates NVD and OSV search links for manual triage. It does not query vulnerability databases automatically. CVD Portal's full SBOM monitoring feature integrates with the NVD API to alert you automatically when new CVEs affect your registered components.
Frequently asked
What is an SBOM and why does it matter for CRA?
A Software Bill of Materials (SBOM) is a machine-readable inventory of all software components in a product — including open-source libraries, third-party SDKs, and firmware components. Annex I of the EU Cyber Resilience Act (CRA) references the need to identify and document components used in products with digital elements. An SBOM makes it much faster to assess exposure when a new CVE is published for a component you use.
What formats does this checker support?
This tool accepts free-form component lists in common formats: package@version (npm, pip, Go modules), groupId:artifactId:version (Maven), and plain component names. For full SBOM document validation, use SPDX or CycloneDX format validators. This tool is designed for rapid manual triage, not full SBOM ingestion.
What SBOM formats should we use for CRA compliance?
The two dominant SBOM formats are SPDX (ISO/IEC 5962) and CycloneDX. Both are accepted by most tooling and procurement frameworks. CycloneDX is often preferred for security use cases as it natively supports vulnerability data (VEX). SPDX is more widely supported for license compliance. Consider generating both.
Does this tool query the NVD in real time?
This tool generates NVD search links for each component — it does not query the NVD API directly. Click any component link to open the NVD search results in a new tab. CVD Portal's full SBOM monitoring feature integrates directly with the NVD API to alert you when new CVEs are published for components in your registered SBOMs.
How do we map components to CPE identifiers?
CPE (Common Platform Enumeration) is the standard identifier format used by the NVD. A CPE looks like: cpe:2.3:a:vendor:product:version:*:*:*:*:*:*:*. Many package managers have CPE dictionaries. The NVD also provides a CPE search tool. Mapping your SBOM to CPEs enables precise automated vulnerability matching.
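The accepted line formats and the CPE layout described above, as an added example (not CVD Portal's own code): a parser that normalizes component lines, including scoped npm names, and builds a candidate CPE 2.3 string. The vendor and product arguments and all sample lines are assumptions constructed for illustration; confirm any resulting CPE against the NVD CPE dictionary.

```python
import re
from typing import NamedTuple, Optional
from urllib.parse import unquote

class Component(NamedTuple):
    fmt: str                 # "cpe", "purl", "maven", "name@version" or "name"
    name: str
    version: Optional[str]

def _split_version(s: str):
    # Last '@' separates the version; a leading '@' is an npm scope, not a version.
    i = s.rfind("@")
    return (s[:i], s[i + 1:]) if i > 0 else (s, None)

def parse_component(line: str) -> Component:
    s = line.strip()
    if s.startswith("cpe:2.3:"):
        fields = re.split(r"(?<!\\):", s)   # '\:' is an escaped colon inside a value
        if len(fields) != 13:
            raise ValueError(f"expected 13 CPE 2.3 fields, got {len(fields)}")
        version = fields[5]
        return Component("cpe", fields[4], None if version in ("*", "-") else version)
    if s.startswith("pkg:"):
        body = s[4:].split("#")[0].split("?")[0]   # drop subpath and qualifiers
        _type, _, rest = body.partition("/")
        name, version = _split_version(rest)
        return Component("purl", unquote(name), version)
    if re.fullmatch(r"[^:@\s]+:[^:@\s]+:[^:@\s]+", s):   # groupId:artifactId:version
        group, artifact, version = s.split(":")
        return Component("maven", f"{group}:{artifact}", version)
    name, version = _split_version(s)
    return Component("name@version" if version else "name", name, version)

def _cpe_value(v: str) -> str:
    # Formatted-string binding: '.', '-', '_' stay bare, other punctuation is escaped.
    return re.sub(r"([^a-z0-9._-])", r"\\\1", v.lower())

def to_cpe(c: Component, vendor: str, product: Optional[str] = None) -> str:
    # vendor/product are caller-supplied assumptions, not derivable from a package name.
    product = product or re.split(r"[/:]", c.name)[-1]
    version = _cpe_value(c.version) if c.version else "*"
    return ":".join(["cpe", "2.3", "a", _cpe_value(vendor), _cpe_value(product), version] + ["*"] * 7)

# Constructed sample input covering the formats the page lists.
SAMPLE = ["lodash@4.17.21", "@angular/core@16.0.0", "github.com/gin-gonic/gin@v1.9.1",
          "org.apache.logging.log4j:log4j-core:2.14.1", "pkg:npm/%40angular/core@16.0.0", "openssl"]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", parse_component(line))
```

The default product guess is only the last segment of the package name, which often differs from the product name in the CPE dictionary, so pass `product` explicitly once you have looked it up.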