devops-kung-fu / bomber
Scans Software Bill of Materials (SBOMs) for security vulnerabilities
License: Mozilla Public License 2.0
Some vulnerability providers use markdown in their descriptions. Bomber should render these so they output in a clean way in HTML output.
bomber needs to support https://osv.dev
It would be great to use bomber with providers other than OSSIndex. Implement an architecture to support multiple providers (such as Snyk).
The output of bomber should also include vulnerability information and severity.
Snyk developed a provider and piping functionality. Need to call them out with some mad props.
The removeDuplicates function is handy and we can use it elsewhere in DKFM. Extract it from here, move it to DKFM Common (needs to be uppercased there), and wire bomber to use the new common version
Bomber isn't an SCA tool, but can appear to be one. Add some more information to the documentation to discuss closed source software and Software Bills of Materials (including info on executive orders).
When invalid credentials are passed to the ossindex provider, bomber doesn't error out gracefully; in fact, it says there are no vulnerabilities.
I tried to integrate bomber into a CI pipeline and got the following output when running it:
qt.qpa.xcb: could not connect to display
qt.qpa.plugin: Could not load the Qt platform plugin "xcb" in "" even though it was found.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.
Available platform plugins are: eglfs, linuxfb, minimal, minimalegl, offscreen, vnc, wayland-egl, wayland, wayland-xcomposite-egl, wayland-xcomposite-glx, xcb.
I ran
bomber scan sbom.json --output=json
The same issue appeared when specifying the output to be HTML. Yet when previously testing the tool via an SSH connection manually I did not encounter any type of issue and the report was generated for all supported types of outputs. The machine I used for testing had the same hardware available.
Do you have any idea what's causing this issue?
Add a section in the output of bomber that summarizes license information.
Hey, I followed the readme.md and downloaded the .deb. The .deb installs a binary with the name hookz instead of bomber. Is this a PEBKAC thing, is the install guide missing a step, or is it a packaging oopsie?
bomber
I want to follow the usage and issue commands for a bomber executable. No executables by that name though...
hookz
The deb contains hookz
$ dpkg-deb -c bomber_0.1.1_linux_arm64.deb
drwxr-xr-x root/root 0 2022-08-25 11:21 ./usr/
drwxr-xr-x root/root 0 2022-08-25 11:21 ./usr/bin/
-rwxr-xr-x root/root 6881280 2022-08-25 11:21 ./usr/bin/hookz
This binary acts like it is bomber.
$ /usr/bin/hookz --version
bomber version 0.1.1
$ /usr/bin/hookz
Scans SBoMs for security vulnerabilities.
Usage:
bomber [command]
Examples:
bomber test.spdx
Available Commands:
completion Generate the autocompletion script for the specified shell
help Help about any command
scan Scans a provided SBoM file or folder containing SBoMs for vulnerabilities.
Flags:
--debug Displays debug level log messages.
-h, --help help for bomber
-v, --verbose Displays command line output. (default true)
--version version for bomber
Use "bomber [command] --help" for more information about a command.
$ /usr/bin/hookz scan
██▄ ▄▀▄ █▄ ▄█ ██▄ ██▀ █▀▄
█▄█ ▀▄▀ █ ▀ █ █▄█ █▄▄ █▀▄
DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.1.1
Both a username and token are required
Scans a provided SBoM file or folder containing SBoMs for vulnerabilities.
Usage:
bomber scan [flags]
Flags:
-h, --help help for scan
--token string The API token of the provider being used.
--username string The user name of the provider being used.
Global Flags:
--debug Displays debug level log messages.
-v, --verbose Displays command line output. (default true)
I noticed the binary name of hookz on this file, in case it helps:
Line 5 in bd67455
An EPSS scoring alongside the NVD data would help contextualize the risk(s) presented in an SBOM.
Example sorting. Can we make this generic?
import "sort"

// SortASC sorts products in place by ascending Price.
// entities.Product is bomber's own type; sort.Slice is from the standard library.
func SortASC(products []entities.Product) {
	sort.Slice(products, func(i, j int) bool {
		return products[i].Price < products[j].Price
	})
}
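One way to make the sort generic, as an added example that is not bomber's code: a type-parameterised SortBy (Go 1.18+) that takes a key function and a direction, with Product standing in for entities.Product and Finding for a scan result (both constructed here).

```go
package main

import (
	"fmt"
	"sort"
)

// Ordered is the set of key types the generic sort accepts (Go 1.18+ type set;
// declared here so the example depends on nothing outside the standard library).
type Ordered interface {
	~int | ~int64 | ~uint | ~uint64 | ~float32 | ~float64 | ~string
}

// SortBy sorts items in place by the key each item yields: ascending when asc
// is true, descending otherwise. It is stable, so items with equal keys keep
// their input order, which matters when listing findings by score.
func SortBy[T any, K Ordered](items []T, key func(T) K, asc bool) {
	sort.SliceStable(items, func(i, j int) bool {
		ki, kj := key(items[i]), key(items[j])
		if asc {
			return ki < kj
		}
		return kj < ki
	})
}

// Product stands in for entities.Product from the issue (constructed here).
type Product struct {
	Name  string
	Price float64
}

// Finding stands in for a bomber vulnerability result (constructed here).
type Finding struct {
	ID   string
	CVSS float64
}

func main() {
	products := []Product{{"b", 3}, {"a", 1}, {"c", 2}}
	SortBy(products, func(p Product) float64 { return p.Price }, true)
	fmt.Println(products) // [{a 1} {c 2} {b 3}]

	// Descending by CVSS; x and z share a score and keep their relative order.
	findings := []Finding{{"x", 5.0}, {"y", 9.8}, {"z", 5.0}}
	SortBy(findings, func(f Finding) float64 { return f.CVSS }, false)
	fmt.Println(findings) // [{y 9.8} {x 5} {z 5}]
}
```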
Using the following SBOM, https://gist.github.com/garethr/ab5e882cd23f8e7d4578466de71cf0a9#file-compressed-json, which is a valid CycloneDX document:
cyclonedx validate --input-file compressed.json
BOM validated successfully.
Using bomber built from source from the latest head (19aa8ec), bomber fails to scan:
./bomber scan --debug compressed.json
2022/09/29 05:20:09 Start
██▄ ▄▀▄ █▄ ▄█ ██▄ ██▀ █▀▄
█▄█ ▀▄▀ █ ▀ █ █▄█ █▄▄ █▀▄
DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.3.2
2022/09/29 05:20:10 Reading: sbom.json
2022/09/29 05:20:10 WARNING: sbom.json isn't a valid SBOM
■ sbom.json is not an SBOM recognized by bomber
However, taking the same document and passing it through jq works fine.
Testing with https://gist.github.com/garethr/ab5e882cd23f8e7d4578466de71cf0a9#file-uncompressed-json
./bomber scan uncompressed.json
██▄ ▄▀▄ █▄ ▄█ ██▄ ██▀ █▀▄
█▄█ ▀▄▀ █ ▀ █ █▄█ █▄▄ █▀▄
DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.3.2
■ Ecosystems detected: maven
■ Scanning 81 packages for vulnerabilities...
■ Vulnerability Provider: OSV Vulnerability Database (https://osv.dev)
/ Fetching vulnerability data from osv
Checking the two files using https://www.jsondiff.com/ says they are semantically the same.
Just paste the following URLs into each box:
I then tried the reverse: taking the sbom/bomber.cyclonedx.json document from the source and minifying it with https://codebeautify.org/jsonminifier.
This results in https://gist.github.com/garethr/ab5e882cd23f8e7d4578466de71cf0a9#file-sbom_bomber-compressed-cyclonedx-json
I can confirm this then fails in Bomber.
bomber scan sbom/bomber.compressed.cyclonedx.json
██▄ ▄▀▄ █▄ ▄█ ██▄ ██▀ █▀▄
█▄█ ▀▄▀ █ ▀ █ █▄█ █▄▄ █▀▄
DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.3.2
■ sbom/bomber.compressed.cyclonedx.json is not an SBOM recognized by bomber
@djschleen @juliojimenez This may be of interest to you guys: I have just launched https://public.vulnerablecode.io/
VulnerableCode is an open source vulnerability database (code at https://github.com/nexb/vulnerablecode) that is keyed by package-url/purl like OSSindex (which has also adopted the purl spec that I created originally for ScanCode and VulnerableCode). It is the only open source code and open data correlated and aggregated vulnerability database I know of. Some of its code is reused by Google OSV.
You can run a full instance of VulnerableCode independently or use the public service as you prefer. We provide seed data to speed up offline install and usage. And we started to publish a new mapping of legacy CPE to purl at https://github.com/nexB/vulnerablecode-purl2cpe
It has a new, experimental vulntotal tool: aboutcode-org/vulnerablecode#801 ... like VirusTotal but for vulnerability database comparison. It can compare the results of a purl query to VulnerableCode, OSSIndex, Snyk, Google, OSV, GitHub and GitLab at once and tells you which DB reports which vulnerability or not, which is pretty interesting.
Like a live benchmark.
So far, VulnerableCode is not doing too badly and is holding its own against the proprietary databases! Because of the terms of service of each of these proprietary databases, the tool is not hostable centrally and you need to run the CLI locally. The input is a purl.
In addition, purldb is a new companion database of all the purls at https://github.com/nexB/purldb/ that can come in handy for lookup and validation.
Both are extensively based on and use package-url/purl (I created and co-lead https://github.com/package-url/purl-spec and libraries FWIW).
So in a nutshell, these goodies may be of some interest for you to check out. And if you find them not too shabby, and you care to reuse some of them, ping me if I can help you out and I will.
Severity counts are displaying incorrectly because of a string mismatch with medium and moderate severity strings.
Are there any plans to support offline functionality for air-gapped environments?
SPDX files aren't being recognized by bomber
All rendering functionality is in the scan.go file which should be simply a command. The logic needs to be extracted to a separate package.
When bomber launches, it should check to see if there is a new version
Some providers don't come back with a Severity or CVSS score for some of the vulnerabilities. In this case, put Unspecified as the severity.
Before sending any data to a vulnerability provider, bomber
should output an info message showing all of the ecosystems that will be scanned.
You don't need brew to install on a Mac, and you can use the deb or rpm to easily install on Linux. Reflect these in the documentation.
If no valid SBOM formats are found when scanning don't output that no vulnerabilities were found, output that no valid SBOMs were detected.
Need a simple little webpage for https://bomber.dkfm.io
Remove "Remember that this is a go module, so there is no entry point. You can execute any test function though in your preferred IDE."
Large SBOMs produce a ton of PURLs. Some providers (ex: OSV) have batch endpoints that don't work. Snyk at this time can only return one response at a time. This results in scanning that may take a bit of time.
Put a fancy progress indicator in the CLI
There are many parts of the SPDX spec that we don't use. Where possible remove the fields from the SPDX structs so that any changes to their structure will be easier to manage.
bomber should work on Windows, but needs to be tested. In addition we should allow installation using Chocolatey.
Create unit tests for logic to increase code coverage.
All that is needed here is to create a go environment on Windows, and ensure you can build and run bomber
The documentation for contributing to the repository needs to be a little clearer. Also, the license for bomber isn't MIT and needs to be corrected.
Bomber already works on Windows, so we should release a binary on build.
There are many parts of Syft that we don't use. Where possible remove the fields from the Syft structs so that any changes to their structure will be easier to manage.
Is it possible to display the CVE ID in the output?
For example, in the example images it shows output including a vulnerable underscore package version 1.7.0 from the npm repo. I believe this should be CVE-2021-23358, but it would be fantastic to have this in the output.
I'm seeing some cases where bomber doesn't appear to be performing a vulnerability scan on the supplied SBOM, but it still reports "no vulnerabilities found" and exits 0. I'd recommend paying careful attention when reporting "no vulnerabilities found" to users, to avoid creating a false sense of security and eroding trust in the tool.
I installed bomber using the Homebrew instructions on the README. And here I'm using Syft version 0.54.0.
$ syft -q ubuntu:latest -o 'spdx-json=./ubuntu.spdx.json'
$ env | grep 'BOMBER'
BOMBER_PROVIDER_USERNAME=<redacted>
BOMBER_PROVIDER_TOKEN=<redacted>
$ bomber scan ./ubuntu.spdx.json
██▄ ▄▀▄ █▄ ▄█ ██▄ ██▀ █▀▄
█▄█ ▀▄▀ █ ▀ █ █▄█ █▄▄ █▀▄
DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.0.1
Uses vulnerability information provided by the Sonatype OSS Index
https://ossindex.sonatype.org
■ Scanning 0 packages for vulnerabilities...
No vulnerabilities found!
■ Done
$ echo $?
0
In contrast, when I use Grype, it scans the SBOM for vulnerabilities correctly:
$ grype -q ./ubuntu.spdx.json
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
coreutils 8.32-4.1ubuntu1 deb CVE-2016-2781 Low
libc-bin 2.35-0ubuntu3.1 deb CVE-2016-20013 Negligible
libc6 2.35-0ubuntu3.1 deb CVE-2016-20013 Negligible
libgmp10 2:6.2.1+dfsg-3ubuntu1 deb CVE-2021-43618 Low
libgnutls30 3.7.3-4ubuntu1 3.7.3-4ubuntu1.1 deb CVE-2022-2509 Medium
libncurses6 6.3-2 deb CVE-2022-29458 Negligible
libncursesw6 6.3-2 deb CVE-2022-29458 Negligible
libpcre2-8-0 10.39-3build1 deb CVE-2022-1586 Low
libpcre2-8-0 10.39-3build1 deb CVE-2022-1587 Low
libpcre3 2:8.39-13ubuntu0.22.04.1 deb CVE-2017-11164 Negligible
libtinfo6 6.3-2 deb CVE-2022-29458 Negligible
login 1:4.8.1-2ubuntu2 deb CVE-2013-4235 Low
ncurses-base 6.3-2 deb CVE-2022-29458 Negligible
ncurses-bin 6.3-2 deb CVE-2022-29458 Negligible
passwd 1:4.8.1-2ubuntu2 deb CVE-2013-4235 Low
perl-base 5.34.0-3ubuntu1 deb CVE-2020-16156 Medium
tar 1.34+dfsg-1build3 deb CVE-2019-9923 Low
zlib1g 1:1.2.11.dfsg-2ubuntu9 deb CVE-2022-37434 Medium
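As an added example (not bomber's own parsing code), covering both the minified CycloneDX report earlier on this page and the zero-package scan above: the SBOM format is identified by decoding the JSON header fields, so whitespace cannot affect the result, and a recognised SBOM that lists nothing to scan gets its own error instead of a clean "No vulnerabilities found". The field names are the standard CycloneDX (bomFormat, components) and SPDX (spdxVersion, packages) keys; the sample document is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Sentinels that keep "not an SBOM" and "nothing to scan" apart from a clean scan.
var ErrNotSBOM = errors.New("not an SBOM recognized by this example")
var ErrNoPackages = errors.New("SBOM lists no packages to scan")

// header carries only the fields needed to identify the format and count entries.
// Decoding the JSON instead of matching its text makes the check whitespace-agnostic,
// so a minified document behaves exactly like a pretty-printed one.
type header struct {
	BomFormat   string            `json:"bomFormat"`   // CycloneDX
	Components  []json.RawMessage `json:"components"`  // CycloneDX
	SPDXVersion string            `json:"spdxVersion"` // SPDX
	Packages    []json.RawMessage `json:"packages"`    // SPDX
}

// Detect returns the SBOM format ("cyclonedx" or "spdx") and how many packages
// it lists; a recognised SBOM with zero packages yields ErrNoPackages.
func Detect(doc []byte) (format string, count int, err error) {
	var h header
	if e := json.Unmarshal(doc, &h); e != nil {
		return "", 0, fmt.Errorf("invalid JSON: %w", e)
	}
	switch {
	case h.BomFormat == "CycloneDX":
		format, count = "cyclonedx", len(h.Components)
	case h.SPDXVersion != "":
		format, count = "spdx", len(h.Packages)
	default:
		return "", 0, ErrNotSBOM
	}
	if count == 0 {
		return format, 0, ErrNoPackages
	}
	return format, count, nil
}

func main() {
	// Constructed input: a CycloneDX document with all whitespace stripped.
	doc := `{"bomFormat":"CycloneDX","specVersion":"1.4","components":[{"purl":"pkg:maven/org.example/lib@1.0"}]}`
	f, n, err := Detect([]byte(doc))
	fmt.Printf("format=%q packages=%d err=%v\n", f, n, err) // format="cyclonedx" packages=1 err=<nil>
}
```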
https://osv.dev should be the default scanning provider for bomber. This will allow bomber to scan right out of the box with no additional provider credentials or third party accounts needing to be created.
Support an output format for SARIF to leverage the Security tab on repos and let GitHub ingest the data. https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning
That link contains file format examples for SARIF-flavored json. There's a schema validator https://sarifweb.azurewebsites.net/ as well.
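An added example (not bomber's output code) of the SARIF shape this request calls for, built with encoding/json maps: one rule per vulnerability ID and one result per affected package, located at the scanned SBOM file. The Finding type, the severity-to-level mapping and the SchemaStore schema URL are this example's assumptions.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Finding is a constructed stand-in for one bomber result.
type Finding struct {
	ID, Purl, Severity, Title string
}

// sarifLevels maps qualitative severities onto SARIF result levels (GitHub ranks alerts by these).
var sarifLevels = map[string]string{"critical": "error", "high": "error",
	"medium": "warning", "moderate": "warning", "low": "note"}

func levelFor(severity string) string {
	if l, ok := sarifLevels[strings.ToLower(severity)]; ok {
		return l
	}
	return "none" // SARIF's level for findings without a usable severity
}

// ToSARIF renders the findings for one scanned SBOM as a SARIF 2.1.0 log: each
// vulnerability ID becomes a rule and each affected package a result located at
// the SBOM file, which is what lets GitHub attach the alert to the repository.
func ToSARIF(sbomPath string, findings []Finding) ([]byte, error) {
	rules, results := []map[string]any{}, []map[string]any{}
	seen := map[string]bool{}
	for _, f := range findings {
		if !seen[f.ID] {
			seen[f.ID] = true
			rules = append(rules, map[string]any{"id": f.ID,
				"shortDescription": map[string]string{"text": f.Title}})
		}
		results = append(results, map[string]any{
			"ruleId":  f.ID,
			"level":   levelFor(f.Severity),
			"message": map[string]string{"text": f.ID + " affects " + f.Purl},
			"locations": []map[string]any{{"physicalLocation": map[string]any{
				"artifactLocation": map[string]string{"uri": sbomPath}}}},
		})
	}
	log := map[string]any{"version": "2.1.0", // schema URL assumed from SchemaStore
		"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
		"runs": []map[string]any{{"results": results,
			"tool": map[string]any{"driver": map[string]any{"name": "bomber", "rules": rules}}}}}
	return json.MarshalIndent(log, "", "  ")
}
```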
Similar to #8, but add an output flag to bomber to save detailed output to a JSON file.
I'm interested in using this from CI/CD and would appreciate a JSON file for automated consumption. Thank you.
Add an output flag to bomber to save detailed output to a PDF or HTML file.
Would like to add the ability to scan build.sbt files for vulnerabilities.
Could we add a new command like "bomber convert", which would use something like syft to convert the file into CycloneDX format. And then we could run "bomber scan" on the newly created file and boom!
The results struct should contain a map of filename and SHA256 hash of the files processed by bomber. This section should be added to both the STDOUT and HTML output types. (JSON output will already include it.)
If you leave out the username and token arguments, and they are not set in an environment variable, bomber will not complain, but will process all SBOMs and return with a "No vulnerabilities found" message.
To leverage this in CI/CD, it would be helpful to have a summary table with a subtotal of each severity rating category. I would like to "break the build" if there are High or Critical findings and pass the build with warnings if there are Lows or Mediums (just an example). I would really benefit if this tool could provide the summary table for me.
Source: https://www.first.org/cvss/specification-document#Qualitative-Severity-Rating-Scale
Table 14: Qualitative severity rating scale

| Rating   | CVSS Score |
|----------|------------|
| None     | 0.0        |
| Low      | 0.1 - 3.9  |
| Medium   | 4.0 - 6.9  |
| High     | 7.0 - 8.9  |
| Critical | 9.0 - 10.0 |
Instead of just saying "Vulnerabilities found: 13" below, maybe also include a breakdown underneath it:

| Rating   | Count |
|----------|-------|
| None     | 0     |
| Low      | 2     |
| Medium   | 3     |
| High     | 7     |
| Critical | 1     |
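An added example (not bomber's code) that ties the table above to the moderate/medium mismatch and the Unspecified fallback reported earlier on this page: provider severity strings are normalised onto the table's names, a CVSS score is bucketed per the FIRST scale when no string is given, and the per-rating counts come with a break-the-build threshold. The Ratings order, the alias list and the negative-score convention are this example's assumptions.

```go
package main

import "strings"

// Ratings, ascending; "Unspecified" is for findings with neither a severity string nor a CVSS score.
var Ratings = []string{"Unspecified", "None", "Low", "Medium", "High", "Critical"}

// RatingFromScore applies the FIRST qualitative scale quoted in the issue (negative = no score given).
func RatingFromScore(score float64) string {
	switch {
	case score < 0:
		return "Unspecified"
	case score == 0:
		return "None"
	case score < 4.0:
		return "Low"
	case score < 7.0:
		return "Medium"
	case score < 9.0:
		return "High"
	}
	return "Critical"
}

// aliases folds provider spellings onto the table's names; "moderate" was not being counted as "medium".
var aliases = map[string]string{"none": "None", "low": "Low", "medium": "Medium",
	"moderate": "Medium", "high": "High", "critical": "Critical"}

// Normalize maps a provider's severity string to a table rating, falling back to the CVSS score.
func Normalize(severity string, cvss float64) string {
	if r, ok := aliases[strings.ToLower(strings.TrimSpace(severity))]; ok {
		return r
	}
	return RatingFromScore(cvss)
}

// Summarize counts ratings and reports whether any is at or above failAt (e.g. fail on High, warn below).
func Summarize(ratings []string, failAt string) (counts map[string]int, fail bool) {
	rank := map[string]int{}
	for i, r := range Ratings {
		rank[r] = i
	}
	counts = map[string]int{}
	for _, r := range ratings {
		counts[r]++
		fail = fail || rank[r] >= rank[failAt]
	}
	return counts, fail
}
```

A pipeline would call Normalize on each provider result, pass the ratings to Summarize with failAt set to "High", and use the returned flag as its exit status.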