DEBSBOM-SEC-SCAN(1) debsbom DEBSBOM-SEC-SCAN(1)

NAME

debsbom-sec-scan - debsbom sec-scan command

SYNOPSIS

debsbom sec-scan [-h] [-t {cdx,spdx}] [--author AUTHOR]
                 [--default-product {component,distribution}]
                 [--product PRODUCT] [--db DB] [--distro DISTRO] [--update-db]
                 [--filter FILTER] [-f {text,json,sarif,vex}]
                 [--min-urgency {high,medium,low,unimportant,end-of-life,not-yet-assigned}]
                 [--tracker TRACKER] [--with-paths-to-root]
                 [bomin]


DESCRIPTION

Check an SBOM for security vulnerabilities

Scans packages from an SBOM for security vulnerabilities.

JSON Output Schema

When the application is run with JSON output enabled (via -f json), scan results are emitted as single-line JSON objects to standard output. Each line represents one distinct finding (e.g. a vulnerability affecting a package).

The schema for these JSON objects is as follows:

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://raw.githubusercontent.com/siemens/debsbom/refs/heads/main/src/debsbom/schema/schema-sec-scan.json",
  "title": "Security Scan Result",
  "definitions": {
    "vulnerability": {
      "type": "object",
      "required": ["id", "status", "urgency", "tracker"],
      "properties": {
        "id": {
          "type": "string",
          "description": "Vulnerability identifier (CVE or temporary ID)"
        },
        "status": {
          "type": "string",
          "enum": ["resolved", "undetermined", "open"],
          "description": "Current vulnerability status"
        },
        "urgency": {
          "type": "string",
          "enum": ["high", "medium", "low", "unimportant", "end-of-life", "not-yet-assigned"],
          "description": "Urgency level"
        },
        "fixed-in": {
          "type": ["string"],
          "description": "Version in which the vulnerability is fixed"
        },
        "desc": {
          "type": ["string"],
          "description": "Vulnerability description"
        },
        "tracker": {
          "type": ["string"],
          "format": "uri",
          "description": "URL to the vulnerability tracker entry"
        },
        "debianbug": {
          "type": "integer",
          "description": "Debian bug id"
        },
        "bugreport": {
          "type": ["string"],
          "format": "uri",
          "description": "URL to the debian bug tracker entry"
        },
        "nodsa": {
          "type": ["string"],
          "description": "Reason why no DSA is issued"
        }
      },
      "additionalProperties": false
    },
    "pathsToRoot": {
      "type": "object",
      "properties": {
        "allShortest": {
          "type": "array",
          "items": {
            "$ref": "schema-trace-path.json"
          }
        }
      }
    }
  },
  "type": "object",
  "required": ["package", "purl", "vulnerability"],
  "properties": {
    "package": {
      "type": "string",
      "description": "Package name and version"
    },
    "purl": {
      "type": "string",
      "description": "Package URL (PURL) identifier"
    },
    "vulnerability": {
      "$ref": "#/definitions/vulnerability"
    },
    "pathsToRoot": {
      "$ref": "#/definitions/pathsToRoot"
    }
  },
  "additionalProperties": false
}
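As an added example (not part of debsbom or this man page), the following Python consumer reads the single-line JSON output described above, enforces the schema's required keys on every record, and keeps only findings whose status is still 'open' at or above a chosen urgency, failing loudly on malformed lines so a truncated report cannot pass as clean. The sample records, their package names, purls and vulnerability identifiers are constructed placeholders.

```python
import json

# Urgency levels in the order --min-urgency lists them, most severe first;
# a record passes the threshold when its rank is <= the cutoff rank.
URGENCY_ORDER = ["high", "medium", "low", "unimportant",
                 "end-of-life", "not-yet-assigned"]
REQUIRED_TOP = {"package", "purl", "vulnerability"}
REQUIRED_VULN = {"id", "status", "urgency", "tracker"}


def parse_line(line):
    """Parse one sec-scan output line and enforce the schema's required keys."""
    rec = json.loads(line)
    missing = REQUIRED_TOP - set(rec)
    if missing:
        raise ValueError(f"missing top-level keys: {sorted(missing)}")
    vuln = rec["vulnerability"]
    missing = REQUIRED_VULN - set(vuln)
    if missing:
        raise ValueError(f"missing vulnerability keys: {sorted(missing)}")
    if vuln["urgency"] not in URGENCY_ORDER:
        raise ValueError(f"unknown urgency {vuln['urgency']!r}")
    return rec


def open_findings(lines, min_urgency="medium"):
    """Return (package, id, urgency, fixed-in) for 'open' findings at or above
    min_urgency; 'resolved' and 'undetermined' entries are skipped."""
    cutoff = URGENCY_ORDER.index(min_urgency)
    hits = []
    for line in lines:
        if not line.strip():          # tolerate blank lines between records
            continue
        rec = parse_line(line)        # raises on malformed input
        v = rec["vulnerability"]
        if v["status"] == "open" and URGENCY_ORDER.index(v["urgency"]) <= cutoff:
            hits.append((rec["package"], v["id"], v["urgency"], v.get("fixed-in")))
    return hits


# Constructed sample records following the schema above (placeholder IDs,
# not real advisories or real packages).
SAMPLE = """\
{"package": "libfoo 1.2-3", "purl": "pkg:deb/debian/libfoo@1.2-3", "vulnerability": {"id": "CVE-0000-0001", "status": "open", "urgency": "high", "tracker": "https://security-tracker.debian.org/tracker/CVE-0000-0001", "fixed-in": "1.2-4"}}
{"package": "libbar 2.0-1", "purl": "pkg:deb/debian/libbar@2.0-1", "vulnerability": {"id": "CVE-0000-0002", "status": "resolved", "urgency": "high", "tracker": "https://security-tracker.debian.org/tracker/CVE-0000-0002"}}
{"package": "libbaz 0.9-2", "purl": "pkg:deb/debian/libbaz@0.9-2", "vulnerability": {"id": "TEMP-0000000-000000", "status": "open", "urgency": "low", "tracker": "https://security-tracker.debian.org/tracker/TEMP-0000000-000000", "nodsa": "Minor issue"}}
"""

if __name__ == "__main__":
    for hit in open_findings(SAMPLE.splitlines()):
        print(*hit)
```

With real output, pipe `debsbom sec-scan -f json` into the script instead of the embedded SAMPLE; the same parse_line checks apply to every record.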


OPTIONS

Positional Arguments

bomin
    sbom file(s) to process for 'bomin'. Use '-' to read from stdin

Named Arguments

-t {cdx,spdx}
    SBOM type to process (default: auto-detect), required when reading from stdin

    Possible choices: cdx, spdx

--author AUTHOR
    author of the document (-f vex only)

--default-product {component,distribution}
    controls whether the component or distribution is used as the product in VEX statements (-f vex only, default: 'component')

    Possible choices: component, distribution

--product PRODUCT
    product to use in VEX statements, overrides the behavior of --default-product (-f vex only)

--db DB
    path to Debian security tracker JSON database (default: ~/.cache/debsbom/security-tracker.json)

--distro DISTRO
    Debian distribution to check (default: 'trixie')

--update-db
    download the security tracker database (from --tracker) and store it at the path specified by --db

--filter FILTER
    limit search to a specific package name

-f {text,json,sarif,vex}
    output format (default: 'text')

    Possible choices: text, json, sarif, vex

--min-urgency {high,medium,low,unimportant,end-of-life,not-yet-assigned}
    filter CVEs by urgency (default: 'not-yet-assigned')

    Possible choices: high, medium, low, unimportant, end-of-life, not-yet-assigned

--tracker TRACKER
    URL of upstream Debian security tracker (default: 'https://security-tracker.debian.org/tracker')

--with-paths-to-root
    emit path from component to root per affected package (-f json only)

SEE ALSO

debsbom-generate(1)

DEBSBOM

Part of the debsbom(1) suite.

Author

Christoph Steiger, Felix Moessbauer

Copyright

2025, Siemens

May 29, 2026