From Git Commit to CRA Release.

The modular CLI tool for embedded teams

SBOM generation, artifact management, update files, SD card images, and compliance in one tool. Fully self-hosted. No cloud dependency.

The Problem

No SBOM Automation

External dependencies are tracked manually. CVE checks are missing or happen too late. SBOM formats are inconsistent.

Fragmented Toolchain

Separate tools for build, artifacts, updates, and images. No continuous traceability path from commit to release.

CRA Deadline December 2027

The EU Cyber Resilience Act requires SBOM, vulnerability management, and technical documentation. The clock is ticking.

Modules

SBOM

Software Bill of Materials for CRA compliance.

  • CycloneDX 1.5 & SPDX 2.3
  • CVE check via OSV.dev
  • Policy audit & SBOM diff

Artifact

Artifact management with full traceability.

  • Publish, provision, verify
  • bigMeta.yaml traceability
  • Tree-hash deduplication

Update

Secure update files for embedded devices.

  • makeself .run files
  • Ed25519 signing
  • AES-256-GCM encryption

Build

Build integration for cross-compilation.

  • CMake preset generator
  • Conan 2 profiles
  • Post-build hooks

Image

SD card images for embedded platforms.

  • Image generation via loop device
  • Board profiles (Zynq, RPi4, ARM)
  • SD card flasher

Release

Release packages with full traceability.

  • Changelog from git history
  • Traceability report (HTML + JSON)
  • SHA-256 checksums

The Pipeline

Git Commit → SBOM → Artifact → Update / Image → Release → CRA Report

EU Cyber Resilience Act

What CRA Requires

  • Software Bill of Materials (SBOM) for all products
  • Active vulnerability management
  • Technical documentation (10 years)
  • ENISA reporting for security incidents
  • Secure update mechanisms

What Kova Delivers

  • kova sbom generate — CycloneDX & SPDX automatically
  • kova sbom vuln — CVE check against OSV.dev
  • kova comply documentation — Art. 13 / Annex VII
  • kova comply enisa-report — Art. 14 notifications
  • kova update create --sign --encrypt — Ed25519 + AES-256

Deadline: December 2027

Technology

Python 3.11+  ·  Click CLI  ·  Pydantic v2  ·  CycloneDX 1.5  ·  SPDX 2.3  ·  Ed25519  ·  AES-256-GCM  ·  makeself  ·  CMake  ·  Conan 2

No external services. Fully self-hosted. Runs on Linux — where embedded development happens.

Ready for CRA Compliance?

Innomatica GmbH, Ostfildern near Stuttgart, Germany

[email protected]  ·  +49 711 365 570 21
