Cyber Resilience Act
← All CRA tools
CRA Toolbox · Vulnerability Analyzer

Vulnerability Analyzer

An automated pipeline that evaluates your system inventory against global security intelligence to support EU Cyber Resilience Act (CRA) compliance. It tracks machine-readable Software Bills of Materials (SBOMs), cross-references active vulnerabilities against the National Vulnerability Database (NVD) and the EU Vulnerability Database (EUVD), and uses the Gemini AI engine to compile the risk assessment and End-of-Life (EOL) documentation required for market conformity.

SBOM · SPDX-JSON NVD EUVD Report · .PDF
Environment Data Extraction Instructions
To analyze a target environment, you must first collect its local software inventory profile and active vulnerability manifests. Follow the two-step checklist below to install the necessary compliance tools on your target machine, run the data retrieval commands, and generate the exact tracking files required for ingestion by this platform.
⬡ Step 1: Install Dependencies & Libraries
Install System Utilities (Debsecan):
$ sudo apt update && sudo apt install -y debsecan
Install SBOM Engine (Syft):
$ curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin
Install LSB Release (OS Version Core):
$ sudo apt-get install -y lsb-release
⬡ Step 2: Run Retrieval Commands
Generate Machine-Readable SBOM (JSON format):
$ sudo syft scan dir:/var/lib/dpkg -o spdx-json > sbom.json
Generate Active Unpatched Vulnerability Dataset:
$ sudo debsecan --suite sid | grep -v "fixed" | grep -v "obsolete" > OPENVED.txt
Capture System Architecture & OS Version:
$ uname -r > Version ; lsb_release -a >> Version
Which files do you need?

To run the analysis and generate Cyber Resilience Act (CRA) evidence, please note the following file requirements:

  • OPENVED.txt (Required): The active vulnerability list. The analysis cannot run without it.
  • sbom.json (Optional): The Software Bill of Materials. While optional, it is strongly recommended to include component inventories in your final report.
  • Version File (Optional): Used to identify the OS and determine its End-of-Life (EOL) status.

💡 Note: To generate full CRA evidence, you must provide both the vulnerability list and the SBOM. If the Version file is missing, the system will use the SBOM combined with AI to deduce the system's EOL.

File upload

sbom.json
SPDX-JSON · syft output
loaded
OPENVED.txt
Filtered debsecan output
loaded
Version
OS version · uname + lsb_release
loaded
Log
--:--:-- Drop OPENVED.txt (required) and sbom.json (recommended) to begin
Analysis complete
Download report