We're generating SBOMs using the Maven CycloneDX plugin in our projects. One of our developers was using bomber for vulnerability scans and had several false positives reported because bomber does not appear to be detecting the version information despite it being present in the SBOM.

Sample SBOM: jena-kafka-1.4.0-SNAPSHOT-bom.json

This is from repository https://github.com/telicent-oss/jena-fuseki-kafka

Bomber output:
$
 ██▄ ▄▀▄ █▄ ▄█ ██▄ ██▀ █▀▄
 █▄█ ▀▄▀ █ ▀ █ █▄█ █▄▄ █▀▄
DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.5.0
■ Scanning Files:
target/jena-kafka-1.4.0-SNAPSHOT-bom.json
■ Ecosystems detected: maven
■ Scanning 79 packages for vulnerabilities...
■ Vulnerability Provider: OSV Vulnerability Database (https://osv.dev)
■ Files Scanned
target/jena-kafka-1.4.0-SNAPSHOT-bom.json (sha256:60838e3b0079a5925af4e2053ba53d28a40039a867f32539b2f67cfdfc445ec8)
■ Licenses Found: Apache-2.0, BSD-2-Clause, MIT, EPL-2.0, GPL-2.0-with-classpath-exception, CC0-1.0, BSD-3-Clause
╭───────┬──────────────────────┬─────────┬──────────┬────────────────┬────────╮
│ TYPE  │ NAME                 │ VERSION │ SEVERITY │ VULNERABILITY  │ EPSS % │
├───────┼──────────────────────┼─────────┼──────────┼────────────────┼────────┤
│ maven │ snappy-java          │         │ MODERATE │ CVE-2023-34454 │ N/A    │
│       │                      ├─────────┼──────────┼────────────────┼────────┤
│       │                      │         │ MODERATE │ CVE-2023-34453 │ N/A    │
│       │                      ├─────────┼──────────┼────────────────┼────────┤
│       │                      │         │ HIGH     │ CVE-2023-43642 │ N/A    │
│       │                      ├─────────┼──────────┼────────────────┼────────┤
│       │                      │         │ HIGH     │ CVE-2023-34455 │ N/A    │
│       ├──────────────────────┼─────────┼──────────┼────────────────┼────────┤
│       │ commons-collections4 │         │ HIGH     │ CVE-2015-6420  │ N/A    │
│       │                      ├─────────┼──────────┼────────────────┼────────┤
│       │                      │         │ CRITICAL │ CVE-2015-7501  │ N/A    │
╰───────┴──────────────────────┴─────────┴──────────┴────────────────┴────────╯
Total vulnerabilities found: 6

╭──────────┬───────╮
│ RATING   │ COUNT │
├──────────┼───────┤
│ CRITICAL │ 1     │
├──────────┼───────┤
│ HIGH     │ 3     │
├──────────┼───────┤
│ MODERATE │ 2     │
╰──────────┴───────╯
NOTES:
1. The list of vulnerabilities displayed may differ from provider to provider. This list
may not contain all possible vulnerabilities. Please try the other providers that bomber
supports (osv, ossindex, snyk)
2. EPSS Percentage indicates the % chance that the vulnerability will be exploited. This
value will assist in prioritizing remediation. For more information on EPSS, refer to
https://www.first.org/epss/
3. An EPSS Percentage showing as N/A means that no EPSS data was available for the vulnerability
or the --enrich=epss flag was not set when running bomber
Note that the VERSION column is empty. Doing an mvn dependency:tree and grepping for the dependencies in question shows all are using up-to-date versions that are not vulnerable. Inspecting the SBOM manually shows that it does include the correct version for each dependency, so not sure why Bomber isn't detecting this.
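When a scanner reports an empty VERSION column, the first thing to establish is whether the SBOM itself carries a version for each component, either in the component's `version` field or embedded in its `purl`. The script below is an added example, not code from the bomber project or from the issue author; it parses a CycloneDX JSON document of the shape the Maven CycloneDX plugin produces and lists every component together with the version it could recover, flagging the ones where neither field has one. The embedded SBOM is constructed for the example (the `0.0.x-example` versions and purls are placeholders, not real release numbers), and `no-version-lib`, `purl-only-lib` and the `example.org` group are made-up names.

```python
"""Audit a CycloneDX JSON SBOM for components that carry no version.

Added example, not part of the bomber project or the original issue. It reads
the top-level "components" list that the Maven CycloneDX plugin emits and
reports the version found in each entry's "version" field, falling back to the
version embedded in the "purl" (the text after the last '@'). Components with
neither are listed separately, so an incomplete SBOM can be told apart from a
scanner that ignores versions which are actually present.
"""
import json

# Constructed sample SBOM (not the jena-kafka SBOM from the issue). All
# versions and purls are placeholder values, not real release numbers.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {
      "type": "library",
      "group": "org.xerial.snappy",
      "name": "snappy-java",
      "version": "0.0.1-example",
      "purl": "pkg:maven/org.xerial.snappy/snappy-java@0.0.1-example"
    },
    {
      "type": "library",
      "group": "org.apache.commons",
      "name": "commons-collections4",
      "version": "0.0.2-example",
      "purl": "pkg:maven/org.apache.commons/commons-collections4@0.0.2-example?type=jar"
    },
    {
      "type": "library",
      "group": "example.org",
      "name": "purl-only-lib",
      "purl": "pkg:maven/example.org/purl-only-lib@0.0.3-example"
    },
    {
      "type": "library",
      "group": "example.org",
      "name": "no-version-lib",
      "purl": "pkg:maven/example.org/no-version-lib"
    }
  ]
}
"""


def purl_version(purl):
    """Return the version embedded in a purl, or None if it has none.

    Qualifiers ('?...') and subpaths ('#...') are stripped first so a '@' in
    them cannot be mistaken for the version separator.
    """
    if not purl:
        return None
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in base:
        return None
    return base.rsplit("@", 1)[1] or None


def effective_version(component):
    """Version from the 'version' field, falling back to the purl."""
    return component.get("version") or purl_version(component.get("purl"))


def audit_components(sbom_text):
    """Map 'group:name' -> recovered version (or None) for every component."""
    sbom = json.loads(sbom_text)
    result = {}
    for comp in sbom.get("components", []):
        key = f"{comp.get('group', '')}:{comp.get('name', '')}"
        result[key] = effective_version(comp)
    return result


def missing_versions(sbom_text):
    """Sorted 'group:name' keys of components with no version anywhere."""
    return sorted(k for k, v in audit_components(sbom_text).items() if v is None)


if __name__ == "__main__":
    for key, version in audit_components(SAMPLE_SBOM).items():
        print(f"{key:45s} {version or '<missing>'}")
    print("components without a version:", missing_versions(SAMPLE_SBOM))
```

Run it against a real SBOM by replacing `SAMPLE_SBOM` with the file contents; if `missing_versions` comes back empty for the components the scanner lists without a version, the version data is in the SBOM and the gap is on the scanner's side.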