Skip to content

Work with Cybersecurity

How to manage cybersecurity projects, upload bills of materials, track vulnerability metrics, and submit VEX documents using the cs commands.

Browse projects

List all root projects and their subprojects:

tlm-cli cs projects list

Filter to a specific root project by exact name:

tlm-cli cs projects list --name "gateway-model"

Inspect a specific project by UUID:

tlm-cli cs projects show <uuid>

The detail view includes the parent project (if any), last BOM import timestamp, current risk score, and all direct subprojects.

Create a root project

Root projects act as parent folders, one per IoT model. Before uploading a BOM you need a root project whose name matches the model. If you upload a BOM and the root project does not exist yet, it is created automatically — but you can also create it explicitly:

tlm-cli cs projects create "gateway-v2"

This resolves the model gateway-v2 from PMS and creates the corresponding root project.

Upload a bill of materials

Upload a CycloneDX-compatible BOM file for a specific firmware version:

tlm-cli cs bom upload ./sbom.json --model "gateway-v2" --version "1.2.0"

The CLI resolves the model from PMS, uses the firmware name as the subproject name, and the model name as the parent project name. The subproject is created automatically if it does not yet exist.

Preview what would be uploaded without sending:

tlm-cli cs bom upload ./sbom.json --model "gateway-v2" --version "1.2.0" --dry-run

Tip

Use tlm-cli pms models show MODEL_NAME to confirm the firmware name before uploading — that name becomes the subproject name.

Check vulnerability metrics

Once a BOM has been processed, retrieve the CVE metrics for a project over a date range:

tlm-cli cs metrics cves <uuid> --start 20260101 --end 20260131

Dates must be in YYYYMMDD format. The output table shows daily snapshots with critical, high, medium, and low vulnerability counts plus the inherited risk score.

To get the UUID of a specific firmware version project, use projects list or projects show.

Clone a project to a new version

When a new firmware version is released, clone an existing project rather than starting from scratch:

tlm-cli cs projects clone <uuid> --version "1.3.0"

By default, the clone carries tags, components, the dependency graph, and audit history. Additional flags control what is copied:

# Also copy ACL entries
tlm-cli cs projects clone <uuid> --version "1.3.0" --include-acl

# Skip component data (useful for structural scaffolding only)
tlm-cli cs projects clone <uuid> --version "1.3.0" --no-components

# Mark the clone as the latest version
tlm-cli cs projects clone <uuid> --version "1.3.0" --make-latest

Cloning is asynchronous — the new project appears in cs projects list once the service has processed it (usually within a few seconds).

After cloning, the new project lands at the root level. Move it under the correct parent:

tlm-cli cs projects move <clone-uuid> --parent-uuid <root-project-uuid>

Upload a VEX document

Upload a VEX document to suppress or contextualise known vulnerabilities. Target the project by UUID:

tlm-cli cs vex upload ./vex.json --project-uuid <uuid>

Or by name and version:

tlm-cli cs vex upload ./vex.json --project-name "gateway-fw" --project-version "1.2.0"

Preview without uploading:

tlm-cli cs vex upload ./vex.json --project-uuid <uuid> --dry-run