Scan command

Scans a CycloneDX SBOM or a Delphi project for known vulnerabilities. The command reads (or generates) a CycloneDX SBOM, queries the Open Source Vulnerabilities database, and writes a CycloneDX 1.5 VEX report next to the input.

OSV responses are cached under %APPDATA%\.dpm\vuln-cache for 24 hours. Use -fail-on to make the command exit non-zero in CI when a vulnerability above a chosen severity is found.

Usage

bat

dpm scan <sbom-or-project> [options]

The input is either a CycloneDX SBOM .json file or a .dproj / .groupproj . When given a project, scan generates an SBOM internally and then scans it.

Options

Option	Description
output (-o)	Output `.vex.json` path. File path when the input is an SBOM, directory when it is a project. Defaults: `<input>.vex.json` , or per-platform files in the project folder.
source (-s)	Vulnerability database. Only `osv` is supported. Default: `osv` .
fail-on	Exit code 1 if any vulnerability of this severity (or higher) is found. Accepted: `none` , `low` , `medium` , `high` , `critical` . Default: `none` .
no-cache	Bypass the 24h response cache for this run. Fresh responses are still written back to the cache.
platforms (-p)	Comma-separated platforms to scan. Only used when the input is a project. Default: all enabled.

Examples

bat

dpm scan MyProject.cdx.json

dpm scan MyProject.cdx.json -fail-on=high

dpm scan MyProject.dproj -platforms=Win32,Win64

dpm scan MySolution.groupproj -output=c:\reports

dpm scan MyProject.cdx.json -no-cache