UniBOM: Unified SBOM & Vulnerability Tool
- UniBOM is an advanced SBOM tool that integrates binary, filesystem, and source code analysis to precisely detect dependencies and vulnerabilities.
- It employs historical CPE tracking and AI-based classification for detailed memory-safety and CVSS severity assessment in diverse software environments.
- The toolkit overcomes metadata limitations by surfacing non-package-managed dependencies in C/C++ projects, enhancing overall risk management.
UniBOM is a unified Software Bill of Materials (SBOM) generation, analysis, and visualization tool designed to close precision gaps in dependency detection and vulnerability management, particularly for complex, heterogeneous software that ships without package metadata, such as IoT systems and embedded devices. By combining binary, filesystem, and source code analysis, UniBOM aims at fine-grained vulnerability detection and risk management across networked systems, with explicit support for non-package-managed ecosystems such as C/C++. Key features include historical CPE (Common Platform Enumeration) tracking, AI-based vulnerability classification along both a CVSS severity axis and a memory-safety axis, and an interactive visualization framework. The authors report broader CVE coverage than existing SBOM tools and release UniBOM as an open-source, Docker-packaged toolkit (Safronov et al., 27 Nov 2025).
1. Motivation and Challenges in SBOM Generation
The proliferation of large, heterogeneous software stacks in IoT and embedded environments has intensified the need for precise dependency and vulnerability accounting; the paper notes that over 70% of known vulnerabilities in these platforms are memory-safety issues. Conventional SBOM tools such as Syft, Trivy, and Microsoft's sbom-tool are primarily metadata-driven: they miss dependencies statically linked or otherwise baked into binaries and cannot extract non-package-managed C/C++ dependencies. They also lack systematic integration of historical vulnerability context and any explicit memory-safety classification. UniBOM is introduced to close these gaps by enabling:
- Precise SBOM generation from binaries, filesystems, and source code
- Integrated vulnerability mapping (CPE→CVE→CWE) and historical analysis
- Classification and prioritization of vulnerabilities by both CVSS severity and memory class
- Interactive visualization supporting both risk-centric and provenance-centric perspectives (Safronov et al., 27 Nov 2025)
2. System Architecture and End-to-End Workflow
UniBOM implements a Node.js CLI front-end orchestrating a standardized Dockerized pipeline. Its core analyzers and workflow (as depicted in Figure 1 of (Safronov et al., 27 Nov 2025)) are:
- Binwalk: Extracts firmware images, including compressed filesystems, binaries, and associated metadata.
- Syft: Generates an SBOM (typically SPDX or CycloneDX) from a raw filesystem or container image.
- CCScanner: Discovers C/C++ dependencies at source level when no package-manager manifest (such as conan.lock or vcpkg.json) is present.
- Grype: Consumes the SBOM and enumerates known vulnerabilities for each component, correlating CPE 2.3 strings with CVEs and their CWEs.
The UniBOM workflow comprises:
| Step | Action |
|---|---|
| 0. Input Format Identification | Determines whether the input is a container image, a filesystem, a firmware image, or a source tree |
| 1. SBOM Generation | Invokes Syft or CCScanner to produce SBOM and CPE lists |
| 2. Vulnerability Extraction | Maps each SBOM item to CPE→CVE→CWE via NVD |
| 3. Advanced Analysis | Performs historical CPE comparison, memory-safety categorization (GPT-based), and cross-version SBOM comparison |
This sequence supports end-to-end analysis on arbitrary software artifacts, including those lacking conventional metadata.
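Step 0 is the one part of the workflow that is not delegated to an existing tool. The Python script below, added here as an illustration and not part of UniBOM, shows one way to perform that identification: it recognises a container image tarball by its manifest, an ELF binary by its header, and a firmware image by scanning for the embedded signatures Binwalk would later carve. The magic numbers are real; the sample inputs are constructed in memory, and the directory heuristic (a build descriptor at the top level marks a source tree) is an assumption.

```python
"""Added example, not UniBOM's own code: step 0 of the workflow, deciding what
kind of artifact was handed in before choosing Binwalk, Syft or CCScanner.
Magic numbers are the real ones; sample inputs are constructed in memory."""
from __future__ import annotations

import io
import os
import tarfile
import tempfile

# Signatures Binwalk routinely carves out of router firmware. They can sit at
# any offset (a uImage header usually precedes the squashfs root), so the
# whole blob is scanned rather than only sniffed at offset 0.
FIRMWARE_SIGNATURES = {
    b"\x27\x05\x19\x56": "uimage-header",
    b"hsqs": "squashfs-le",
    b"sqsh": "squashfs-be",
    b"\x1f\x8b\x08": "gzip",
}
ELF_MAGIC = b"\x7fELF"
# Assumption: a directory with one of these at its top level is a source tree.
SOURCE_TREE_MARKERS = {"CMakeLists.txt", "Makefile", "WORKSPACE", "meson.build", "configure.ac"}


def scan_signatures(data: bytes) -> list[tuple[int, str]]:
    """Every (offset, name) at which a firmware signature occurs, in offset order."""
    hits = []
    for magic, name in FIRMWARE_SIGNATURES.items():
        start = 0
        while (pos := data.find(magic, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def tar_member_names(data: bytes) -> list[str] | None:
    """Member names if the blob is a tar archive (any supported compression), else None."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            return tf.getnames()
    except Exception:  # tarfile raises ReadError/CompressionError for non-archives
        return None


def classify_blob(data: bytes) -> str:
    """Classify one file's bytes. The tar check runs first because image layers
    inside a tarball contain gzip signatures that would otherwise read as firmware."""
    names = tar_member_names(data)
    if names is not None:
        # `docker save` writes manifest.json; an OCI image layout has index.json.
        if any(n.rstrip("/") in ("manifest.json", "index.json") for n in names):
            return "container-image"
        return "filesystem-archive"
    if data.startswith(ELF_MAGIC):
        return "elf-binary"
    if scan_signatures(data):
        return "firmware"
    return "unknown"


def classify_input(path: str) -> str:
    """Directory -> source tree or filesystem; file -> classify_blob."""
    if os.path.isdir(path):
        return "source-tree" if set(os.listdir(path)) & SOURCE_TREE_MARKERS else "filesystem"
    with open(path, "rb") as fh:
        return classify_blob(fh.read())


# --- constructed samples ----------------------------------------------------
def sample_image_tar() -> bytes:
    """Stand-in for `docker save` output: a tar holding manifest.json and a layer."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, body in (("manifest.json", b"[]"), ("layer.tar", b"\0" * 1024)):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def sample_firmware() -> bytes:
    """uImage header, 60 bytes of padding, then a squashfs root at offset 64."""
    return b"\x27\x05\x19\x56" + b"\xaa" * 60 + b"hsqs" + b"\0" * 200


if __name__ == "__main__":
    print(classify_blob(sample_image_tar()))    # container-image
    print(classify_blob(sample_firmware()))     # firmware
    print(scan_signatures(sample_firmware()))   # [(0, 'uimage-header'), (64, 'squashfs-le')]
    with tempfile.TemporaryDirectory() as tree:
        open(os.path.join(tree, "CMakeLists.txt"), "w").close()
        print(classify_input(tree))             # source-tree
```

The signature scan deliberately reports every offset rather than stopping at the first hit: a firmware image is a concatenation of regions, and the offsets are what a carver such as Binwalk needs to cut it apart before Syft can be run on the extracted filesystem.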
3. Historical CPE Analysis and Vulnerability Mapping
UniBOM implements historical dependency mapping through its -getHistory function (e.g., unibom -getHistory cpe:2.3:a:openssl:openssl:1.1.1), which enumerates all prior versions of the specified CPE, retrieves their associated CVEs, and maps each to its underlying CWE and memory-safety class. The output is tabular, as in this excerpt from Table 1 of (Safronov et al., 27 Nov 2025):
| CPE | CVE | CWE | Memory class |
|---|---|---|---|
| cpe:2.3:a:openssl:openssl:1.1.1 | CVE-2021-3712 | 125 | spatial |
| cpe:2.3:a:openssl:openssl:1.1.1 | CVE-2022-4450 | 415 | temporal |
| cpe:2.3:a:openssl:openssl:1.1.1 | CVE-2021-3449 | 476 | spatial |
This feature enables security teams to visualize the temporal dimension of component risk, supporting longitudinal vulnerability tracking and remediation prioritization.
4. AI-Driven Vulnerability Classification and Prioritization
UniBOM uses a GPT-based model to assign an explicit memory-safety class. Each CWE (or, where a CVE carries no CWE, the CVE description itself) is categorized as one of:
- Not memory-related
- Spatial memory-related (e.g., out-of-bounds write, CWE-787)
- Temporal memory-related (e.g., use-after-free, CWE-416)
- Other memory-related
CVSS base scores for each CVE, as sourced from NVD via Grype, map onto the standard CVSS v3.x qualitative bands:
- Low: 0.1–3.9
- Medium: 4.0–6.9
- High: 7.0–8.9
- Critical: 9.0–10.0
No combined risk-scoring formula is defined; the CVSS and memory-safety axes are reported independently (Safronov et al., 27 Nov 2025), so a vulnerability can be prioritized along either dimension or on both at once.
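The following Python script, added here and not part of UniBOM, works through sections 3 and 4 together on a small constructed set of NVD-style records: it parses CPE 2.3 strings (including escaped colons), orders versions so that a -getHistory style query returns every version up to the one asked about, and annotates each CVE with both a CVSS v3.x band and a memory class. The GPT classifier is replaced by a fixed CWE lookup table (an assumption for illustration, aligned with the classes in Table 1); the three CVE/CWE pairs come from that table, and the remaining records and the CVSS scores are constructed sample data.

```python
"""Added example, not UniBOM's own code: the CPE -> CVE -> CWE -> memory-class
history walk of section 3 plus the two independent axes of section 4, run over
constructed NVD-style records so it works offline. The GPT classifier is
replaced by a fixed CWE lookup (an assumption for illustration)."""
from __future__ import annotations

import re
from collections import Counter

CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict[str, str]:
    """Split a CPE 2.3 formatted string on unescaped colons: a ':' inside a
    value is written '\\:', so a plain str.split(':') would miscount fields."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE23_FIELDS, fields[2:]))


def version_key(version: str):
    """Sort key ordering 1.0.2u < 1.1.1 < 1.1.1k < 1.1.2 < 3.0.7: digit runs compare
    as integers, a trailing letter run sorts after the bare number. Wildcards have no key."""
    if version in ("*", "-", ""):
        return None
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok)
                 for tok in re.findall(r"\d+|[A-Za-z]+", version))


# Stand-in for the paper's GPT classifier. Classes follow the page's Table 1
# (CWE-125 spatial, CWE-415 temporal, CWE-476 spatial); the rest is an assumption.
MEMORY_CLASS = {
    **dict.fromkeys(["CWE-119", "CWE-120", "CWE-121", "CWE-122", "CWE-125",
                     "CWE-476", "CWE-787", "CWE-788", "CWE-805"], "spatial"),
    **dict.fromkeys(["CWE-415", "CWE-416", "CWE-672", "CWE-825"], "temporal"),
    **dict.fromkeys(["CWE-401", "CWE-457", "CWE-908"], "other-memory"),
}


def memory_class(cwe: str | None) -> str:
    """CWE -> spatial / temporal / other-memory / not-memory. Without a CWE the
    paper classifies the CVE text instead; offline we can only flag the gap."""
    if not cwe:
        return "unclassified"
    return MEMORY_CLASS.get(cwe, "not-memory")


def cvss_band(score: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def history(records: list[dict], query_cpe: str) -> list[dict]:
    """The -getHistory view: every record for the queried vendor/product whose
    version is not newer than the one asked about, oldest first, annotated
    with its CVSS band and memory class."""
    q = parse_cpe23(query_cpe)
    q_key = version_key(q["version"])
    rows = []
    for rec in records:
        c = parse_cpe23(rec["cpe"])
        key = version_key(c["version"])
        if (c["vendor"], c["product"]) != (q["vendor"], q["product"]) or key is None:
            continue
        if q_key is None or key <= q_key:   # a wildcard query returns the full history
            rows.append({**rec, "version": c["version"],
                         "band": cvss_band(rec["cvss"]),
                         "class": memory_class(rec.get("cwe"))})
    return sorted(rows, key=lambda r: version_key(r["version"]))


def summarize(rows: list[dict]) -> Counter:
    """Counts per (CVSS band, memory class): the two axes stay independent,
    mirroring the per-severity and per-class counts the dashboards plot."""
    return Counter((r["band"], r["class"]) for r in rows)


# Constructed sample: the three CVE/CWE pairs from the page's Table 1 plus two
# more records, each attached to one affected OpenSSL version, scores inline.
SAMPLE_RECORDS = [
    {"cpe": "cpe:2.3:a:openssl:openssl:1.0.2u:*:*:*:*:*:*:*", "cve": "CVE-2020-1971", "cwe": "CWE-476", "cvss": 5.9},
    {"cpe": "cpe:2.3:a:openssl:openssl:1.1.1j:*:*:*:*:*:*:*", "cve": "CVE-2021-3449", "cwe": "CWE-476", "cvss": 5.9},
    {"cpe": "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*", "cve": "CVE-2021-3712", "cwe": "CWE-125", "cvss": 7.4},
    {"cpe": "cpe:2.3:a:openssl:openssl:1.1.1s:*:*:*:*:*:*:*", "cve": "CVE-2022-4450", "cwe": "CWE-415", "cvss": 7.5},
    {"cpe": "cpe:2.3:a:openssl:openssl:3.0.7:*:*:*:*:*:*:*", "cve": "CVE-2022-4450", "cwe": "CWE-415", "cvss": 7.5},
]

if __name__ == "__main__":
    rows = history(SAMPLE_RECORDS, "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*")
    for r in rows:   # 1.1.1s and 3.0.7 are newer than the query and drop out
        print(f"{r['version']:8} {r['cve']:15} {r['cwe']:8} {r['band']:7} {r['class']}")
    print(dict(summarize(rows)))
```

Two details matter in practice. Version ordering cannot be done with plain string comparison (OpenSSL's letter suffixes would sort 1.1.1k after 1.1.10), and a CPE with a wildcard version has no position in the history at all, so such records are skipped rather than silently treated as oldest or newest.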
5. Discovery of C/C++ Dependencies Absent Package Metadata
A significant technical advance in UniBOM is the integration of CCScanner for non-package-managed C/C++ ecosystems, where metadata-driven tools find nothing to parse. UniBOM's source-level strategy includes:
- Parsing of build scripts (Makefile, CMakeLists.txt, Bazel WORKSPACE)
- Analysis of #include directives and linked-library statements
- Canonical normalization of the discovered third-party dependencies to CPE 2.3 entries
This approach ensures that both direct and transitive dependencies in C/C++ projects are surfaced, forming a foundation for vulnerability and SBOM completeness that is unattainable via metadata-only methods (Safronov et al., 27 Nov 2025).
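As an added example (not UniBOM's or CCScanner's code), the Python script below applies the three steps above to a constructed in-memory source tree: it reads find_package and target_link_libraries calls from CMakeLists.txt, -l flags from the Makefile, angle-bracket #include directives and version macros from the sources, then normalises every hit to a CPE 2.3 string with its evidence attached. The header, link-flag, CMake-target and macro catalogues are constructed for three libraries only; the CPE vendor/product names are the ones NVD uses for them.

```python
"""Added example, not UniBOM's or CCScanner's code: source-level discovery of
C/C++ dependencies where no package-manager manifest exists, on a constructed
in-memory source tree. The catalogues below cover three libraries and are
constructed; the CPE vendor/product pairs are the ones NVD uses."""
from __future__ import annotations

import os
import re

HEADER_TO_DEP = {"openssl": "openssl", "zlib.h": "zlib", "curl": "curl"}  # libc headers absent on purpose
LINK_LIB_TO_DEP = {"ssl": "openssl", "crypto": "openssl", "z": "zlib", "curl": "curl"}
CMAKE_NAME_TO_DEP = {"openssl": "openssl", "openssl::ssl": "openssl", "openssl::crypto": "openssl",
                     "zlib": "zlib", "zlib::zlib": "zlib", "curl": "curl", "curl::libcurl": "curl"}
VERSION_MACRO_TO_DEP = {"OPENSSL_VERSION_TEXT": "openssl", "ZLIB_VERSION": "zlib", "LIBCURL_VERSION": "curl"}
DEP_TO_CPE = {"openssl": ("openssl", "openssl"), "zlib": ("zlib", "zlib"), "curl": ("haxx", "libcurl")}

INCLUDE_RE = re.compile(r"^\s*#\s*include\s*<([^>]+)>", re.M)   # <...> only; "..." is project-local
LINK_FLAG_RE = re.compile(r"(?<!\S)-l(\S+)")
FIND_PACKAGE_RE = re.compile(r"find_package\s*\(\s*(\w+)(?:\s+(\d+(?:\.\d+)*))?", re.I)
LINK_TARGETS_RE = re.compile(r"target_link_libraries\s*\(([^)]*)\)", re.I)
VERSION_MACRO_RE = re.compile(r'^\s*#\s*define\s+(\w+)\s+"([^"]*)"', re.M)
VERSION_TOKEN_RE = re.compile(r"\d+(?:\.\d+)+[a-z]?")


def header_dep(header: str) -> str | None:
    """'openssl/ssl.h' -> openssl via its directory, 'zlib.h' -> zlib by file name."""
    return HEADER_TO_DEP.get(header) or HEADER_TO_DEP.get(header.split("/")[0])


def to_cpe23(dep: str, version: str | None) -> str:
    """Canonical CPE 2.3 string. An unknown version becomes the '*' wildcard, which
    a matcher such as Grype cannot pin to a CVE's affected range."""
    vendor, product = DEP_TO_CPE[dep]
    return f"cpe:2.3:a:{vendor}:{product}:{version or '*'}:*:*:*:*:*:*:*"


def discover(tree: dict[str, str]) -> dict[str, dict]:
    """Walk an in-memory tree {path: contents}; per component collect every piece
    of evidence plus an exact version (from a macro) or a minimum (from CMake)."""
    deps: dict[str, dict] = {}

    def note(dep, evidence, version=None, min_version=None):
        d = deps.setdefault(dep, {"evidence": [], "version": None, "min_version": None})
        d["evidence"].append(evidence)
        if version:
            d["version"] = version            # an exact version always wins
        if min_version and d["min_version"] is None:
            d["min_version"] = min_version    # find_package() only states a floor

    for path, text in sorted(tree.items()):
        base = os.path.basename(path)
        if path.endswith((".c", ".cc", ".cpp", ".h", ".hpp")):
            for header in INCLUDE_RE.findall(text):
                if dep := header_dep(header):
                    note(dep, f"{path}: #include <{header}>")
            for macro, value in VERSION_MACRO_RE.findall(text):
                if macro in VERSION_MACRO_TO_DEP and (m := VERSION_TOKEN_RE.search(value)):
                    note(VERSION_MACRO_TO_DEP[macro], f"{path}: {macro}", version=m.group())
        elif base == "CMakeLists.txt":
            for name, ver in FIND_PACKAGE_RE.findall(text):
                if dep := CMAKE_NAME_TO_DEP.get(name.lower()):
                    call = " ".join(filter(None, (name, ver)))
                    note(dep, f"{path}: find_package({call})", min_version=ver or None)
            for args in LINK_TARGETS_RE.findall(text):
                for tok in args.split()[1:]:              # args[0] is the target being linked
                    if tok in ("PRIVATE", "PUBLIC", "INTERFACE"):
                        continue
                    if dep := (CMAKE_NAME_TO_DEP.get(tok.lower()) or LINK_LIB_TO_DEP.get(tok)):
                        note(dep, f"{path}: target_link_libraries {tok}")
        elif base == "Makefile" or base.endswith(".mk"):
            for lib in LINK_FLAG_RE.findall(text):
                if dep := LINK_LIB_TO_DEP.get(lib):
                    note(dep, f"{path}: -l{lib}")
    return deps


def sbom_rows(deps: dict[str, dict]) -> list[tuple[str, str, int, str]]:
    """(component, CPE 2.3, evidence count, version status) for the generated SBOM."""
    rows = []
    for dep, info in sorted(deps.items()):
        if info["version"]:
            status = "version pinned"
        elif info["min_version"]:
            status = f"version unknown (>= {info['min_version']} per build script)"
        else:
            status = "version unknown"
        rows.append((dep, to_cpe23(dep, info["version"]), len(info["evidence"]), status))
    return rows


# Constructed sample tree: CMake and Make builds side by side, a vendored zlib
# copy (the case package metadata never sees) and libc headers that must be ignored.
SAMPLE_TREE = {
    "CMakeLists.txt": "cmake_minimum_required(VERSION 3.16)\nproject(gw C)\n"
                      "find_package(OpenSSL 1.1.1 REQUIRED)\nadd_executable(gw src/main.c)\n"
                      "target_link_libraries(gw PRIVATE OpenSSL::SSL OpenSSL::Crypto z)\n",
    "Makefile": "CFLAGS = -O2 -Ithird_party/zlib\nLDLIBS = -lssl -lcrypto -lz -lcurl\n",
    "src/main.c": '#include <stdio.h>\n#include <openssl/ssl.h>\n#include <zlib.h>\n'
                  '#include <curl/curl.h>\n#include "config.h"\nint main(void) { return 0; }\n',
    "third_party/zlib/zlib.h": '#define ZLIB_VERSION "1.2.11"\n',
}

if __name__ == "__main__":
    for dep, cpe, n, status in sbom_rows(discover(SAMPLE_TREE)):
        print(f"{dep:8} {cpe:48} evidence={n:<2} {status}")
```

Only the vendored zlib ends up with a pinned version; OpenSSL gets a floor from find_package and libcurl nothing at all. Those two rows are the ones to review by hand (or resolve against the build environment) before the SBOM is fed to a vulnerability matcher, since a `*` version either matches every CVE ever filed against the product or none.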
6. Empirical Evaluation and Comparative Coverage
UniBOM’s efficacy is evaluated on two datasets:
- Firmware Binaries: 258 wireless router firmware images (D-Link, OpenWrt, TRENDnet). Only Syft and UniBOM extract non-trivial SBOM content from them, and UniBOM's integrated pipeline removes the manual Binwalk-then-Syft orchestration otherwise required.
- IoT OS Source Codebases: Raspberry Pi Linux, Zephyr, NuttX, OpenWrt 23.05.5, and the latest OpenWrt.
Summary of CVE coverage (Tables 4–5, (Safronov et al., 27 Nov 2025)):
| Tool | Firmware Total CVEs | IoT OS Total CVEs |
|---|---|---|
| sbom-tool | 0 | 0 |
| Trivy | 0 | 5 |
| Syft | 4582 | 9 |
| CCScanner | 0 | 57 |
| UniBOM | 4582 | 56 |
Only UniBOM and Syft achieve nonzero extraction from firmware binaries, and UniBOM recovers the broadest set of vulnerabilities overall. On the IoT OS sources its total (56) is within one CVE of CCScanner (57) and well above Syft (9) and Trivy (5); the paper additionally reports gains of +10 CVEs over CCScanner and +23 over Syft on IoT OS code, figures that do not follow from the aggregate totals above and presumably refer to individual codebases. Because only raw counts are reported, with no ground truth, these numbers indicate coverage rather than precision or recall (Safronov et al., 27 Nov 2025).
7. Visualization, Limitations, and Future Directions
UniBOM includes a Web-GUI with interactive dashboards (Figures 5–6, (Safronov et al., 27 Nov 2025)), supporting:
- Component-level views: CVE counts by severity and memory class, “what-if” analyses of memory protection adoption (e.g., CHERI, Rust)
- Historical trends: pie charts, time-series, Pareto rankings, and detailed CVE per-version tables
Current limitations include the absence of a unified risk score combining CVSS and memory-safety, and reliance on public NVD data, so vulnerabilities not yet in NVD (including zero-days) go undetected. Planned extensions target CI/CD integration for deeper DevSecOps adoption, support for additional languages and binary formats (e.g., microcontroller firmware), and interoperability with AI-based supply chain provenance schemes such as TAIBOM.
UniBOM, available as a Docker-packaged open-source toolkit with CLI and Web GUI components, unifies the full spectrum of SBOM analysis—binary, filesystem, and source—combining historical vulnerability tracking, AI risk classification, and advanced visual analytics in a comprehensive framework for security accountability and supply chain transparency (Safronov et al., 27 Nov 2025).