Audit (SBOM)
curie audit emits a CycloneDX 1.6 Software Bill of Materials for your resolved dependency closure and cross-references every component against the OSV vulnerability database, printing any findings grouped by artifact with ANSI-coloured severity.
Running an audit
Auditing my-app v0.1.0 (14 components) Querying OSV 14 components Found 2 vulnerability finding(s) com.example:vulnerable-lib:1.2.0 CRITICAL CVE-2024-12345 Remote code execution via deserialization https://osv.dev/vulnerability/GHSA-xxxx-yyyy-zzzz HIGH CVE-2024-67890 Path traversal in archive extraction https://osv.dev/vulnerability/GHSA-aaaa-bbbb-cccc
Exit code is non-zero when any vulnerabilities are found, making it drop-in ready for CI gates.
SBOM output
Write the SBOM to a file for supply-chain tooling, procurement checklists, or archiving:
Auditing my-app v0.1.0 (14 components)
SBOM written sbom.json (CycloneDX 1.6 JSON)
The SBOM follows the CycloneDX 1.6 JSON schema and includes every resolved component with its group, name, version, and a Package URL (purl) of the form pkg:maven/group/artifact@version.
Severity colours
| Colour | OSV severity |
|---|---|
| Red | CRITICAL |
| Orange | HIGH |
| Yellow | MEDIUM |
| Default | LOW / UNKNOWN |
Flags
| Flag | Effect |
|---|---|
--sbom <path> | Write CycloneDX 1.6 JSON to this file in addition to printing findings |
--full | Print full vulnerability details (IDs, URLs, aliases) — default |
--short | Print a compact one-line-per-finding summary |
--offline | Use cached POM data; still queries OSV over the network |
How it works
- Curie resolves the full transitive closure (same BFS as
curie build). - For each component it constructs a
pkg:maven/group/artifact@versionpurl. - All purls are sent to the OSV batch query API (
POST /v1/querybatch) in a single HTTP call. - Findings are grouped by artifact and sorted by descending severity.
OSV aggregates data from GitHub Advisory Database, NVD, and dozens of other sources. It covers Java/Maven artifacts under the Maven ecosystem key — most CVEs affecting popular libraries are indexed.