Subsystem · audit

Audit (SBOM)

curie audit emits a CycloneDX 1.6 Software Bill of Materials for your resolved dependency closure and cross-references every component against the OSV vulnerability database, printing any findings grouped by artifact with ANSI-coloured severity.

Running an audit

$ curie audit
Auditing my-app v0.1.0 (14 components)
  Querying OSV    14 components
  Found           2 vulnerability finding(s)

com.example:vulnerable-lib:1.2.0
  CRITICAL  CVE-2024-12345  Remote code execution via deserialization
             https://osv.dev/vulnerability/GHSA-xxxx-yyyy-zzzz
  HIGH      CVE-2024-67890  Path traversal in archive extraction
             https://osv.dev/vulnerability/GHSA-aaaa-bbbb-cccc

Exit code is non-zero when any vulnerabilities are found, making it drop-in ready for CI gates.

SBOM output

Write the SBOM to a file for supply-chain tooling, procurement checklists, or archiving:

$ curie audit --sbom sbom.json
Auditing my-app v0.1.0 (14 components)
  SBOM written    sbom.json  (CycloneDX 1.6 JSON)

The SBOM follows the CycloneDX 1.6 JSON schema and includes every resolved component with its group, name, version, and a Package URL (purl) of the form pkg:maven/group/artifact@version.

Severity colours

ColourOSV severity
RedCRITICAL
OrangeHIGH
YellowMEDIUM
DefaultLOW / UNKNOWN

Flags

FlagEffect
--sbom <path>Write CycloneDX 1.6 JSON to this file in addition to printing findings
--fullPrint full vulnerability details (IDs, URLs, aliases) — default
--shortPrint a compact one-line-per-finding summary
--offlineUse cached POM data; still queries OSV over the network

How it works

  1. Curie resolves the full transitive closure (same BFS as curie build).
  2. For each component it constructs a pkg:maven/group/artifact@version purl.
  3. All purls are sent to the OSV batch query API (POST /v1/querybatch) in a single HTTP call.
  4. Findings are grouped by artifact and sorted by descending severity.
OSV aggregates data from GitHub Advisory Database, NVD, and dozens of other sources. It covers Java/Maven artifacts under the Maven ecosystem key — most CVEs affecting popular libraries are indexed.