vulkro match-cve
Match a Software Bill of Materials against the local CVE bundle and emit
findings. Companion to vulkro sbom: produce the SBOM once,
then run CVE matching on it whenever the bundle updates. Accepts CycloneDX
1.5 / 1.6 or SPDX 2.3 JSON input.
Offline-safe: reads only the SBOM file and the local CVE bundle. No network calls. Included in the 14-day trial and in Pro.
Usage
vulkro match-cve --sbom ./sbom.json
Flags
| Flag | Description |
|---|---|
--sbom <FILE> | Path to the SBOM JSON file (CycloneDX 1.5 / 1.6 or SPDX 2.3). Required. |
--format <FORMAT> | json (default, an array of finding records) or table (human-readable). |
Exit codes
0success, no findings.1findings emitted.2IO error.
Examples
# Produce the SBOM once.
vulkro sbom . --format cyclonedx > sbom.json
# Re-match whenever the CVE bundle refreshes.
vulkro update
vulkro match-cve --sbom sbom.json --format table
Related
vulkro sbom- produce the SBOM to match.vulkro update- refresh the local CVE bundle.- Dependencies and CVEs - the SCA pipeline.