Skip to main content

vulkro match-cve

Match a Software Bill of Materials against the local CVE bundle and emit findings. Companion to vulkro sbom: produce the SBOM once, then run CVE matching on it whenever the bundle updates. Accepts CycloneDX 1.5 / 1.6 or SPDX 2.3 JSON input.

Offline-safe: reads only the SBOM file and the local CVE bundle. No network calls. Included in the 14-day trial and in Pro.

Usage

vulkro match-cve --sbom ./sbom.json

Flags

FlagDescription
--sbom <FILE>Path to the SBOM JSON file (CycloneDX 1.5 / 1.6 or SPDX 2.3). Required.
--format <FORMAT>json (default, an array of finding records) or table (human-readable).

Exit codes

  • 0 success, no findings.
  • 1 findings emitted.
  • 2 IO error.

Examples

# Produce the SBOM once.
vulkro sbom . --format cyclonedx > sbom.json

# Re-match whenever the CVE bundle refreshes.
vulkro update
vulkro match-cve --sbom sbom.json --format table