bomber's People

Contributors

celliott80, dependabot[bot], djschleen, garethr, ilanad, mcombuechen, mirxcle, nhopkins19, pablohn26, thesayyn, topaztee, vasyharan


bomber's Issues

Add Snyk Shoutout

Snyk developed a provider and piping functionality. Need to call them out with some mad props.

Extract removeDuplicates to DKFM Common

The removeDuplicates function is handy and we can use it elsewhere in DKFM. Extract it from here, move it to DKFM Common (needs to be uppercased there), and wire bomber to use the new common version

bomber doesn't gracefully handle unauthorized requests to OSSIndex

When invalid credentials are passed to the ossindex provider, bomber doesn't error out gracefully; in fact, it says there are no vulnerabilities.

  • Inform the user that there were errors if a request fails
  • Don't keep hammering the remote endpoints if requests are failing

qt.qpa.xcb: could not connect to display

I tried to integrate bomber into a CI pipeline and got the following output when running it:

qt.qpa.xcb: could not connect to display 
qt.qpa.plugin: Could not load the Qt platform plugin "xcb" in "" even though it was found.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.

Available platform plugins are: eglfs, linuxfb, minimal, minimalegl, offscreen, vnc, wayland-egl, wayland, wayland-xcomposite-egl, wayland-xcomposite-glx, xcb.

I ran

bomber scan sbom.json --output=json

The same issue appeared when specifying the output to be HTML. Yet when previously testing the tool via an SSH connection manually I did not encounter any type of issue and the report was generated for all supported types of outputs. The machine I used for testing had the same hardware available.

Do you have any idea what's causing this issue?

Add License detail output

Add a section in the output of bomber that summarizes license information.

  • Add --license as a flag to include license information.
  • if no license info is found, indicate in the summary
  • Include details on the HTML report
  • Add a summary section to the JSON output
  • Summarize in the command line output

ubuntu install issue (hookz instead of bomber)

Hey, I followed the readme.md and downloaded the .deb. The .deb installs a binary with the name hookz instead of bomber. Is this a PEBKAC thing, is the install guide missing a step, or is it a packaging oopsie?

Expected bomber

I want to follow the usage and issue commands for a bomber executable. No executables by that name though...

Actual hookz

The deb contains hookz

$ dpkg-deb -c bomber_0.1.1_linux_arm64.deb 
drwxr-xr-x root/root         0 2022-08-25 11:21 ./usr/
drwxr-xr-x root/root         0 2022-08-25 11:21 ./usr/bin/
-rwxr-xr-x root/root   6881280 2022-08-25 11:21 ./usr/bin/hookz

This binary acts like it is bomber.

$ /usr/bin/hookz --version
bomber version 0.1.1


$ /usr/bin/hookz 
Scans SBoMs for security vulnerabilities.

Usage:
  bomber [command]

Examples:
  bomber test.spdx

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  help        Help about any command
  scan        Scans a provided SBoM file or folder containing SBoMs for vulnerabilities.

Flags:
      --debug     Displays debug level log messages.
  -h, --help      help for bomber
  -v, --verbose   Displays command line output. (default true)
      --version   version for bomber

Use "bomber [command] --help" for more information about a command.

$ /usr/bin/hookz scan 

 ██▄ ▄▀▄ █▄ ▄█ ██▄ ██▀ █▀▄
 █▄█ ▀▄▀ █ ▀ █ █▄█ █▄▄ █▀▄

DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.1.1

Both a username and token are required

Scans a provided SBoM file or folder containing SBoMs for vulnerabilities.

Usage:
  bomber scan [flags]

Flags:
  -h, --help              help for scan
      --token string      The API token of the provider being used.
      --username string   The user name of the provider being used.

Global Flags:
      --debug     Displays debug level log messages.
  -v, --verbose   Displays command line output. (default true)

I noticed the binary name of hookz on this file, in case it helps:

binary: hookz

Add EPSS scoring

An EPSS scoring alongside the NVD data would help contextualize the risk(s) presented in an SBOM.

Valid but minified CycloneDX SBOM failing to scan

Using the following SBOM https://gist.github.com/garethr/ab5e882cd23f8e7d4578466de71cf0a9#file-compressed-json

Which is a valid CycloneDX document

cyclonedx validate --input-file compressed.json
BOM validated successfully.

Using bomber built from source, from latest head (19aa8ec)

Bomber fails to scan.

./bomber scan --debug compressed.json
2022/09/29 05:20:09 Start

 ██▄ ▄▀▄ █▄ ▄█ ██▄ ██▀ █▀▄
 █▄█ ▀▄▀ █ ▀ █ █▄█ █▄▄ █▀▄

DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.3.2

2022/09/29 05:20:10 Reading: sbom.json
2022/09/29 05:20:10 WARNING: sbom.json isn't a valid SBOM
■ sbom.json is not an SBOM recognized by bomber

However, taking the same document and passing it through jq works fine.

Testing with https://gist.github.com/garethr/ab5e882cd23f8e7d4578466de71cf0a9#file-uncompressed-json

./bomber scan uncompressed.json

 ██▄ ▄▀▄ █▄ ▄█ ██▄ ██▀ █▀▄
 █▄█ ▀▄▀ █ ▀ █ █▄█ █▄▄ █▀▄

DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.3.2

■ Ecosystems detected: maven
■ Scanning 81 packages for vulnerabilities...
■ Vulnerability Provider: OSV Vulnerability Database (https://osv.dev)

/ Fetching vulnerability data from osv

Checking the two files using https://www.jsondiff.com/ says they are semantically the same.

Just paste the following URLs into each box:

I then tried the reverse. Taking the sbom/bomber.cyclonedx.json document from the source and minifying it with https://codebeautify.org/jsonminifier.

This results in https://gist.github.com/garethr/ab5e882cd23f8e7d4578466de71cf0a9#file-sbom_bomber-compressed-cyclonedx-json

I can confirm this then fails in Bomber.

bomber scan sbom/bomber.compressed.cyclonedx.json

 ██▄ ▄▀▄ █▄ ▄█ ██▄ ██▀ █▀▄
 █▄█ ▀▄▀ █ ▀ █ █▄█ █▄▄ █▀▄

DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.3.2

■ sbom/bomber.compressed.cyclonedx.json is not an SBOM recognized by bomber

Fetch data from VulnerableCode

@djschleen @juliojimenez This may be of interest to you guys: I have just launched https://public.vulnerablecode.io/

VulnerableCode is an open source vulnerability database (code at https://github.com/nexb/vulnerablecode) that is keyed by package-url/purl like OSSindex (that has also adopted the purl spec that I created originally for ScanCode and VulnerableCode). It is the only open source code and open data correlated and aggregated vulnerability database I know of. Some of its code is reused by Google OSV.

You can run a full instance of VulnerableCode independently or use the public service as you prefer. We provide seed data to speed up offline install and usage. And we started to publish a new mapping of legacy CPE to purl at https://github.com/nexB/vulnerablecode-purl2cpe

It has a new, experimental vulntotal total tool: aboutcode-org/vulnerablecode#801 ... like virustotal but for vulnerability databases comparison and it can compare the results of a purl query to VulnerableCode, OSSIndex, Snyk, Google, OSV, GitHub and GitLab at once and tells you which DB reports which vulnerability or not! which is pretty interesting.
Like a live benchmark.
So far, VulnerableCode is not doing too bad and holding its own against the proprietary databases! Because of the terms of services of each of these proprietary databases, the tool is not hostable centrally and you need to run the CLI locally. The input is a purl.

In addition, purldb is a new companion database of all the purls at https://github.com/nexB/purldb/ that can come handy for lookup and validation.

Both are extensively based on and use package-url/purl (I created and co-lead https://github.com/package-url/purl-spec and libraries FWIW).

So in a nutshell, these goodies may be of some interest for you to check out. And if you find them not too shabby, and you care to reuse some of them, ping me if I can help you out and I will.

Display detected ecosystems

Before sending any data to a vulnerability provider, bomber should output an info message showing all of the ecosystems that will be scanned.
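The two reports above (a minified CycloneDX file rejected as "not an SBOM recognized by bomber", and the request to list ecosystems before any data leaves the machine) share one root requirement: recognise the SBOM by parsing it, not by its byte layout, and derive the ecosystem list from the purls. The Go below is an added example written for this page, not bomber's own detection code; the struct, function names and the embedded minified BOM are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// SampleMinifiedBOM is a constructed, single-line CycloneDX JSON BOM. The
// purls are illustrative placeholders, not taken from any real SBOM.
const SampleMinifiedBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4","version":1,"components":[` +
	`{"type":"library","name":"jackson-databind","version":"2.9.8","purl":"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8"},` +
	`{"type":"library","name":"lodash","version":"4.17.15","purl":"pkg:npm/lodash@4.17.15"},` +
	`{"type":"library","name":"requests","version":"2.25.1","purl":"pkg:pypi/requests@2.25.1"}]}`

// cycloneDXHeader carries only the fields needed to recognise a CycloneDX
// document and list its packages. json.Unmarshal ignores unknown fields and
// all whitespace, which is what makes detection independent of formatting.
type cycloneDXHeader struct {
	BOMFormat   string `json:"bomFormat"`
	SpecVersion string `json:"specVersion"`
	Components  []struct {
		PURL string `json:"purl"`
	} `json:"components"`
}

// DetectCycloneDX reports whether data is a CycloneDX JSON BOM and returns
// the purls of its components. Detection keys on the bomFormat field after a
// real JSON parse, never on indentation or line breaks in the file.
func DetectCycloneDX(data []byte) ([]string, bool, error) {
	var hdr cycloneDXHeader
	if err := json.Unmarshal(data, &hdr); err != nil {
		return nil, false, fmt.Errorf("not JSON: %w", err)
	}
	if hdr.BOMFormat != "CycloneDX" {
		return nil, false, nil
	}
	var purls []string
	for _, c := range hdr.Components {
		if c.PURL != "" {
			purls = append(purls, c.PURL)
		}
	}
	return purls, true, nil
}

// EcosystemOf extracts the purl type ("maven", "npm", ...) from
// "pkg:<type>/<namespace>/<name>@<version>".
func EcosystemOf(purl string) (string, error) {
	if !strings.HasPrefix(purl, "pkg:") {
		return "", fmt.Errorf("not a purl: %q", purl)
	}
	parts := strings.SplitN(strings.TrimPrefix(purl, "pkg:"), "/", 2)
	if len(parts) != 2 || parts[0] == "" {
		return "", fmt.Errorf("purl without a type: %q", purl)
	}
	return strings.ToLower(parts[0]), nil
}

// Ecosystems returns the sorted, de-duplicated ecosystems found in purls:
// the list to print before any purl is sent to a provider.
func Ecosystems(purls []string) ([]string, error) {
	seen := map[string]bool{}
	for _, p := range purls {
		eco, err := EcosystemOf(p)
		if err != nil {
			return nil, err
		}
		seen[eco] = true
	}
	out := make([]string, 0, len(seen))
	for eco := range seen {
		out = append(out, eco)
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	purls, ok, err := DetectCycloneDX([]byte(SampleMinifiedBOM))
	if err != nil || !ok {
		fmt.Println("not a CycloneDX BOM:", err)
		return
	}
	ecos, _ := Ecosystems(purls)
	fmt.Printf("Ecosystems detected: %s\n", strings.Join(ecos, ", "))
	fmt.Printf("Scanning %d packages for vulnerabilities...\n", len(purls))
}
```

Running the same bytes through json.Indent and back through DetectCycloneDX gives the identical purl list, which is the property the minified-file report was missing; an SPDX document (no bomFormat) is reported as "not CycloneDX" rather than as a parse error, so a caller can fall through to another detector.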

Add a Progress Indicator when Querying

Large SBOMs produce a ton of PURLs. Some providers (ex: OSV) have batch endpoints that don't work. Snyk at this time can only return one response at a time. This results in scanning that may take a bit of time.

Put a fancy progress indicator in the CLI

Remove unused fields from SPDX structs

There are many parts of the SPDX spec that we don't use. Where possible remove the fields from the SPDX structs so that any changes to their structure will be easier to manage.

Remove unused fields from Syft structs

There are many parts of Syft that we don't use. Where possible remove the fields from the Syft structs so that any changes to their structure will be easier to manage.

Not seeing any vulnerabilities (or errors) when scanning SBOMs with known vulnerabilities

I'm seeing some cases where bomber doesn't appear to be performing a vulnerability scan on the supplied SBOM, but it still reports "no vulnerabilities found" and exits 0. I'd recommend paying careful attention when reporting "no vulnerabilities found" to users, to avoid creating a false sense of security and eroding trust in the tool.

I installed bomber using the Homebrew instructions on the README. And here I'm using Syft version 0.54.0.

$ syft -q ubuntu:latest -o 'spdx-json=./ubuntu.spdx.json'
$ env | grep 'BOMBER'
BOMBER_PROVIDER_USERNAME=<redacted>
BOMBER_PROVIDER_TOKEN=<redacted>
$ bomber scan ./ubuntu.spdx.json

 ██▄ ▄▀▄ █▄ ▄█ ██▄ ██▀ █▀▄
 █▄█ ▀▄▀ █ ▀ █ █▄█ █▄▄ █▀▄

DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.0.1

Uses vulnerability information provided by the Sonatype OSS Index
https://ossindex.sonatype.org

■ Scanning 0 packages for vulnerabilities...

No vulnerabilities found!

■ Done
$ echo $?
0

In contrast, when I use Grype, it scans the SBOM for vulnerabilities correctly:

$ grype -q ./ubuntu.spdx.json
NAME          INSTALLED                 FIXED-IN          TYPE  VULNERABILITY   SEVERITY
coreutils     8.32-4.1ubuntu1                             deb   CVE-2016-2781   Low
libc-bin      2.35-0ubuntu3.1                             deb   CVE-2016-20013  Negligible
libc6         2.35-0ubuntu3.1                             deb   CVE-2016-20013  Negligible
libgmp10      2:6.2.1+dfsg-3ubuntu1                       deb   CVE-2021-43618  Low
libgnutls30   3.7.3-4ubuntu1            3.7.3-4ubuntu1.1  deb   CVE-2022-2509   Medium
libncurses6   6.3-2                                       deb   CVE-2022-29458  Negligible
libncursesw6  6.3-2                                       deb   CVE-2022-29458  Negligible
libpcre2-8-0  10.39-3build1                               deb   CVE-2022-1586   Low
libpcre2-8-0  10.39-3build1                               deb   CVE-2022-1587   Low
libpcre3      2:8.39-13ubuntu0.22.04.1                    deb   CVE-2017-11164  Negligible
libtinfo6     6.3-2                                       deb   CVE-2022-29458  Negligible
login         1:4.8.1-2ubuntu2                            deb   CVE-2013-4235   Low
ncurses-base  6.3-2                                       deb   CVE-2022-29458  Negligible
ncurses-bin   6.3-2                                       deb   CVE-2022-29458  Negligible
passwd        1:4.8.1-2ubuntu2                            deb   CVE-2013-4235   Low
perl-base     5.34.0-3ubuntu1                             deb   CVE-2020-16156  Medium
tar           1.34+dfsg-1build3                           deb   CVE-2019-9923   Low
zlib1g        1:1.2.11.dfsg-2ubuntu9                      deb   CVE-2022-37434  Medium
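The report above and the earlier OSS Index one describe the same failure mode: a scan that never actually checked anything (zero packages parsed, or every request rejected for bad credentials) still prints "No vulnerabilities found!" and exits 0. The Go below is an added example for this page, not bomber's scan loop; the Provider interface, the status-code handling, the exit codes (0 clean, 1 findings, 2 incomplete) and the fakeProvider test double are all constructed for illustration. It shows the two behaviours the OSS Index issue asks for: surface request failures to the user, and stop sending batches once the provider has rejected the credentials.

```go
package main

import (
	"errors"
	"fmt"
)

// ProviderResponse models one reply from a vulnerability provider. Only the
// fields the scan loop decides on are modelled; this is an illustrative type,
// not bomber's provider interface.
type ProviderResponse struct {
	StatusCode int
	Findings   int // vulnerabilities reported for the batch
}

// Provider stands in for a remote vulnerability API (OSS Index, OSV, ...).
type Provider interface {
	Query(batch []string) (ProviderResponse, error)
}

// ScanResult is what the CLI turns into output and an exit code.
type ScanResult struct {
	PackagesScanned int
	Vulnerabilities int
	Errors          []error
}

// ErrUnauthorized marks a credential rejection; retrying cannot fix it.
var ErrUnauthorized = errors.New("provider rejected the credentials (HTTP 401/403)")

// Scan queries the provider in batches. A credential rejection aborts the
// whole scan immediately instead of sending every remaining batch to an
// endpoint that will reject each one; other failures are recorded per batch.
func Scan(p Provider, purls []string, batchSize int) ScanResult {
	var res ScanResult
	if len(purls) == 0 {
		res.Errors = append(res.Errors, errors.New("no packages parsed from the SBOM"))
		return res
	}
	for start := 0; start < len(purls); start += batchSize {
		end := start + batchSize
		if end > len(purls) {
			end = len(purls)
		}
		batch := purls[start:end]
		resp, err := p.Query(batch)
		switch {
		case err != nil:
			res.Errors = append(res.Errors, fmt.Errorf("batch %d-%d: %w", start, end, err))
		case resp.StatusCode == 401 || resp.StatusCode == 403:
			res.Errors = append(res.Errors, fmt.Errorf("batch %d-%d: %w", start, end, ErrUnauthorized))
			return res
		case resp.StatusCode != 200:
			res.Errors = append(res.Errors, fmt.Errorf("batch %d-%d: HTTP %d", start, end, resp.StatusCode))
		default:
			res.PackagesScanned += len(batch)
			res.Vulnerabilities += resp.Findings
		}
	}
	return res
}

// Verdict turns a ScanResult into the summary line and the process exit code.
// "No vulnerabilities found!" is only claimed when every package was checked
// and no request failed; anything else is reported as an incomplete scan.
func Verdict(r ScanResult, failOnFindings bool) (string, int) {
	switch {
	case len(r.Errors) > 0:
		return fmt.Sprintf("Scan incomplete: %d packages checked, %d request errors (first: %v)",
			r.PackagesScanned, len(r.Errors), r.Errors[0]), 2
	case r.Vulnerabilities > 0:
		code := 0
		if failOnFindings {
			code = 1
		}
		return fmt.Sprintf("Vulnerabilities found: %d", r.Vulnerabilities), code
	default:
		return "No vulnerabilities found!", 0
	}
}

// fakeProvider is a constructed test double: it answers okBatches requests
// with HTTP 200 and `findings` results, then returns `status` for the rest.
type fakeProvider struct {
	okBatches int
	findings  int
	status    int
	calls     int
}

func (f *fakeProvider) Query(batch []string) (ProviderResponse, error) {
	f.calls++
	if f.calls <= f.okBatches {
		return ProviderResponse{StatusCode: 200, Findings: f.findings}, nil
	}
	return ProviderResponse{StatusCode: f.status}, nil
}

func main() {
	purls := make([]string, 10) // constructed placeholder purls
	for i := range purls {
		purls[i] = fmt.Sprintf("pkg:npm/placeholder-%d@1.0.0", i)
	}
	for _, p := range []*fakeProvider{{status: 401}, {okBatches: 100, findings: 2}} {
		line, code := Verdict(Scan(p, purls, 3), true)
		fmt.Printf("%s (exit %d after %d requests)\n", line, code, p.calls)
	}
}
```

With a provider that answers 401, exactly one request is sent and the exit code is 2, so a CI job cannot mistake a misconfigured token for a clean image; an empty purl list (the "Scanning 0 packages" case above) is treated the same way.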

Output findings to JSON

Similar to #8, but add an output flag to bomber to save detailed output to a JSON file.

I'm interested in using this from CI/CD and would appreciate a JSON file for automated consumption. Thank you.

feat: Add support for scanning .sbt files

Would like to add the ability to scan build.sbt files for vulnerabilities.

Could we add a new command like "bomber convert", which would use something like syft to convert the file into CycloneDX format. And then we could run "bomber scan" on the newly created file and boom!

Add Files section to result output

The results struct should contain a map of filename and SHA256 hash of the files processed by bomber. This section should be added to both the STDOUT and HTML output types. (JSON output will already include it)

Display summary table with qualitative severity rating scale count

To leverage this in CI/CD, it would be helpful to have a summary table with a subtotal of each severity rating category. I would like to "break the build" if there are High or Critical findings and pass the build with warnings if there are Lows or Mediums (just an example). I would really benefit if this tool could provide the summary table for me.

Source: https://www.first.org/cvss/specification-document#Qualitative-Severity-Rating-Scale

Table 14: Qualitative severity rating scale

Rating     CVSS Score
None       0.0
Low        0.1 - 3.9
Medium     4.0 - 6.9
High       7.0 - 8.9
Critical   9.0 - 10.0

Example

Instead of just saying "Vulnerabilities found: 13" below, maybe also include a breakdown underneath it

Rating     Count
None       0
Low        2
Medium     3
High       7
Critical   1

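The gate described in this request (break the build on High or Critical, pass with warnings on Low or Medium) is a mapping from CVSS base score to the FIRST qualitative scale followed by a count per bucket. The Go below is an added example for this page, not bomber's code; the Finding type, the placeholder IDs and the scores in SampleFindings are constructed so that the counts reproduce the breakdown in the example table above.

```go
package main

import "fmt"

// Rating is the CVSS v3.x qualitative severity rating (FIRST, Table 14).
type Rating string

const (
	None     Rating = "None"
	Low      Rating = "Low"
	Medium   Rating = "Medium"
	High     Rating = "High"
	Critical Rating = "Critical"
)

// ratingOrder lists the scale from least to most severe.
var ratingOrder = []Rating{None, Low, Medium, High, Critical}

// RatingOf maps a CVSS base score onto the qualitative scale. Out-of-range
// scores are rejected instead of being silently bucketed.
func RatingOf(score float64) (Rating, error) {
	switch {
	case score < 0 || score > 10:
		return "", fmt.Errorf("CVSS score out of range: %.1f", score)
	case score == 0:
		return None, nil
	case score < 4.0:
		return Low, nil
	case score < 7.0:
		return Medium, nil
	case score < 9.0:
		return High, nil
	default:
		return Critical, nil
	}
}

// Finding is the minimum a summary needs: an identifier and a CVSS base
// score. Constructed type, not bomber's result struct.
type Finding struct {
	ID    string
	Score float64
}

// SampleFindings is constructed input chosen to reproduce the breakdown in
// the issue's example (13 findings: 2 Low, 3 Medium, 7 High, 1 Critical).
// The IDs are placeholders, not real advisories.
var SampleFindings = []Finding{
	{"EX-001", 3.1}, {"EX-002", 2.0},
	{"EX-003", 5.5}, {"EX-004", 6.9}, {"EX-005", 4.0},
	{"EX-006", 7.5}, {"EX-007", 8.8}, {"EX-008", 7.0}, {"EX-009", 7.2},
	{"EX-010", 8.1}, {"EX-011", 7.9}, {"EX-012", 8.9},
	{"EX-013", 9.8},
}

// Summarize counts findings per rating; every rating is present in the map
// so the table always shows all five rows.
func Summarize(findings []Finding) (map[Rating]int, error) {
	counts := make(map[Rating]int, len(ratingOrder))
	for _, r := range ratingOrder {
		counts[r] = 0
	}
	for _, f := range findings {
		r, err := RatingOf(f.Score)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f.ID, err)
		}
		counts[r]++
	}
	return counts, nil
}

// ShouldFail is the CI gate from the issue: fail when any finding is rated
// at threshold or above, otherwise pass (the caller can still warn).
func ShouldFail(counts map[Rating]int, threshold Rating) bool {
	gate := false
	for _, r := range ratingOrder {
		if r == threshold {
			gate = true
		}
		if gate && counts[r] > 0 {
			return true
		}
	}
	return false
}

// RenderTable formats the breakdown under the existing total line.
func RenderTable(counts map[Rating]int) string {
	total := 0
	for _, r := range ratingOrder {
		total += counts[r]
	}
	out := fmt.Sprintf("Vulnerabilities found: %d\n\n%-9s %s\n", total, "Rating", "Count")
	for _, r := range ratingOrder {
		out += fmt.Sprintf("%-9s %d\n", r, counts[r])
	}
	return out
}

func main() {
	counts, err := Summarize(SampleFindings)
	if err != nil {
		panic(err)
	}
	fmt.Print(RenderTable(counts))
	if ShouldFail(counts, High) {
		fmt.Println("build failed: High or Critical findings present")
	}
}
```

The boundary values matter for a gate: 8.9 is High and 9.0 is Critical, 3.9 is Low and 4.0 is Medium, exactly as in Table 14, and a score outside 0.0 to 10.0 is an error rather than a quiet "None".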
