vulkro sbom
Emit a Software Bill of Materials for the project. Same data as
vulkro scan <path> --format cyclonedx, but a focused subcommand for the
"I just need the SBOM" use case. Produce the inventory once with sbom,
then match it against advisories whenever the CVE bundle updates with
vulkro match-cve.
Included in the 14-day trial and in Pro.
Usage
vulkro sbom [PATH] --format cyclonedx > sbom.json
| Argument | Description | Default |
|---|---|---|
PATH | Path to the project root. | . |
Flags
| Flag | Description |
|---|---|
--format <FORMAT> | Output format (default cyclonedx). |
| Format | Meaning |
|---|---|
cyclonedx | CycloneDX 1.6 JSON SBOM (library components). Default. |
cyclonedx-1.7 | CycloneDX 1.7 JSON SBOM; same shape, newer specVersion. |
spdx | SPDX 2.3 JSON SBOM. |
spdx3 | SPDX 3.0.1 JSON-LD SBOM (@context + @graph). |
cbom | CycloneDX 1.6 CBOM: one cryptographic-asset component per detected weak algorithm (MD5, SHA-1, ECB, RC4, DES, static IV, insecure RNG), with file:line occurrences. |
cbom-1.7 | CycloneDX 1.7 CBOM with a richer post-quantum descriptor. |
openvex | OpenVEX 0.2.0 exploitability statements per dependency CVE, not_affected backed by reachability analysis. |
cyclonedx-vex | CycloneDX 1.6 VEX (the same verdicts as openvex). |
The 1.6 / 2.3 formats stay the defaults; 1.7 / 3.0.1 are additive opt-ins.
Exit codes
0on success.2on IO failure.
Examples
# CycloneDX 1.6 (default).
vulkro sbom . > sbom.cdx.json
# SPDX 2.3, then match against the local CVE bundle.
vulkro sbom . --format spdx > sbom.spdx.json
vulkro match-cve --sbom sbom.spdx.json --format table
Related
vulkro match-cve- match an SBOM against the CVE bundle.vulkro cra-bundle- staple SBOM + VEX + evidence into one zip.- Output formats - every SBOM and format documented.