Skip to main content

vulkro sbom

Emit a Software Bill of Materials for the project. Same data as vulkro scan <path> --format cyclonedx, but a focused subcommand for the "I just need the SBOM" use case. Produce the inventory once with sbom, then match it against advisories whenever the CVE bundle updates with vulkro match-cve.

Included in the 14-day trial and in Pro.

Usage

vulkro sbom [PATH] --format cyclonedx > sbom.json
ArgumentDescriptionDefault
PATHPath to the project root..

Flags

FlagDescription
--format <FORMAT>Output format (default cyclonedx).
FormatMeaning
cyclonedxCycloneDX 1.6 JSON SBOM (library components). Default.
cyclonedx-1.7CycloneDX 1.7 JSON SBOM; same shape, newer specVersion.
spdxSPDX 2.3 JSON SBOM.
spdx3SPDX 3.0.1 JSON-LD SBOM (@context + @graph).
cbomCycloneDX 1.6 CBOM: one cryptographic-asset component per detected weak algorithm (MD5, SHA-1, ECB, RC4, DES, static IV, insecure RNG), with file:line occurrences.
cbom-1.7CycloneDX 1.7 CBOM with a richer post-quantum descriptor.
openvexOpenVEX 0.2.0 exploitability statements per dependency CVE, not_affected backed by reachability analysis.
cyclonedx-vexCycloneDX 1.6 VEX (the same verdicts as openvex).

The 1.6 / 2.3 formats stay the defaults; 1.7 / 3.0.1 are additive opt-ins.

Exit codes

  • 0 on success.
  • 2 on IO failure.

Examples

# CycloneDX 1.6 (default).
vulkro sbom . > sbom.cdx.json

# SPDX 2.3, then match against the local CVE bundle.
vulkro sbom . --format spdx > sbom.spdx.json
vulkro match-cve --sbom sbom.spdx.json --format table