Dependencies & CVEs
Vulkro matches your dependency manifests against a local CVE bundle:
package.json + package-lock.json / yarn.lock / pnpm-lock.yaml
requirements.txt / Pipfile.lock / poetry.lock
Cargo.toml + Cargo.lock
go.sum
The bundle aggregates OSV + NVD + CISA KEV + EPSS and is refreshed daily by Vulkro's internal bundler.
How matching works
Each detected package + version is looked up in the local CVE bundle
(~/.vulkro/data/cves/<ecosystem>.json). A finding is emitted per
matched (package, vulnerable-range) pair, carrying:
cve_id - CVE-2024-...
severity - Critical | High | Medium | Low
cvss - base score
description - short summary
kev_added - date if listed in CISA Known Exploited Vulnerabilities
epss_score - exploit-prediction probability (0-1)
vulnerable_symbols - for selected packages, the function names that carry the vulnerability (used by reachability)
The local bundle path is configurable via VULKRO_CDN_BASE_URL for
mirroring.
KEV / EPSS prioritisation
KEV-listed CVEs are bumped to Critical regardless of CVSS. EPSS >= 0.9 is bumped to High. The decoration modifies severity in place after the initial CVE match.
Your output looks like this:
DEPS
CVE-2024-21733 tomcat-embed-core 9.0.78
CISA KEV - actively exploited, added 2024-04-12 [reachable]
CVE-2024-29025 netty 4.1.107
EPSS 91% [unreachable]
Reachability annotation
For a curated set of packages - lodash, axios, requests, pyyaml,
jinja2, etc. - Vulkro knows which exported symbols carry the
vulnerability. If your code never calls those symbols, the finding is
tagged [unreachable]:
[reachable] - at least one of the vulnerable_symbols is called from your code
[unreachable] - none of the vulnerable_symbols are called from your code
Reachability dramatically cuts CVE noise on dependency-heavy projects. See Reachability for the algorithm and the curated list.
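As an added example (not Vulkro's own code), the KEV/EPSS decoration and the reachability tagging described above, implemented in Python over two findings constructed from the sample output. The function names, the CVSS values and the vulnerable symbol names are assumptions, as is the behaviour that a package outside the curated set gets no reachability tag at all.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
EPSS_HIGH_THRESHOLD = 0.9  # page rule: EPSS >= 0.9 is bumped to High

@dataclass
class Finding:  # one (package, vulnerable-range) match; fields follow the page
    cve_id: str
    package: str
    version: str
    severity: str  # initial severity from the CVE match
    cvss: float
    kev_added: Optional[str] = None  # date if listed in CISA KEV
    epss_score: float = 0.0  # exploit-prediction probability (0-1)
    vulnerable_symbols: List[str] = field(default_factory=list)
    reachability: Optional[str] = None  # "reachable" | "unreachable" | None

def decorate(finding: Finding) -> Finding:
    """KEV/EPSS prioritisation applied in place after the initial CVE match."""
    # KEV wins regardless of CVSS; the "Low" fallback can never raise anything.
    floor = ("Critical" if finding.kev_added
             else "High" if finding.epss_score >= EPSS_HIGH_THRESHOLD else "Low")
    if SEVERITY_RANK[floor] > SEVERITY_RANK[finding.severity]:
        finding.severity = floor  # bump only; never lower an existing rating
    return finding

def annotate_reachability(finding: Finding, called: Set[str]) -> Finding:
    """Tag [reachable]/[unreachable] only when curated symbols are known."""
    if not finding.vulnerable_symbols:
        return finding  # assumption: uncurated package gets no annotation at all
    hit = any(sym in called for sym in finding.vulnerable_symbols)
    finding.reachability = "reachable" if hit else "unreachable"
    return finding

def render(finding: Finding) -> str:
    """Format one finding the way the DEPS section above shows it."""
    tag = f" [{finding.reachability}]" if finding.reachability else ""
    if finding.kev_added:
        detail = f"CISA KEV - actively exploited, added {finding.kev_added}"
    else:
        detail = f"EPSS {round(finding.epss_score * 100)}%"
    return f"{finding.cve_id} {finding.package} {finding.version}\n  {detail}{tag}"

# Constructed from the two sample-output lines; CVSS and symbol names are made up.
SAMPLE = [Finding("CVE-2024-21733", "tomcat-embed-core", "9.0.78", "Medium", 5.3,
                  kev_added="2024-04-12", vulnerable_symbols=["vulnFn"]),
          Finding("CVE-2024-29025", "netty", "4.1.107", "Medium", 5.3,
                  epss_score=0.91, vulnerable_symbols=["decode"])]
```

Run decorate() and then annotate_reachability() with the set of symbols your code calls, and render() reproduces the two DEPS lines shown above.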
Refreshing the bundle
vulkro update # public CDN refresh
vulkro update --bundle ./vulkro-cve-2026-05-10.vkbundle # offline
VULKRO_OFFLINE=1 makes the no-flag form refuse the network. The
desktop console exposes a Quick Sync button that runs the same path.