Speed increase for OSV, GitHub provider work, Documentation Update #249

Merged
merged 8 commits into from
Sep 23, 2024
Changes from 7 commits
6 changes: 4 additions & 2 deletions .devcontainer/devcontainer.json
@@ -11,7 +11,8 @@
"golang.org/x/vuln/cmd/govulncheck@latest",
"honnef.co/go/tools/cmd/staticcheck@latest"
]
}
},
"ghcr.io/dasiths/devcontainer-features/syft:1": {}
},
"customizations": {
"vscode": {
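Review bot: the new Syft feature is pinned only to a major-version tag (`"ghcr.io/dasiths/devcontainer-features/syft:1": {}`), so each container rebuild may resolve to a different feature release and therefore a different syft binary; pin the feature to an exact version (or image digest) and bump it deliberately so the dev environment is reproducible and the supply-chain surface is known. The `@latest` suffixes on `govulncheck` and `staticcheck` in the surrounding context have the same problem and are worth pinning in the same pass.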
@@ -73,7 +74,8 @@
"Github.copilot",
"markis.code-coverage",
"Gruntfuggly.todo-tree",
"esbenp.prettier-vscode"
"esbenp.prettier-vscode",
"Tyriar.luna-paint"
]
}
}
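Review bot: `Tyriar.luna-paint` is an image-editing extension unrelated to the OSV, GitHub provider or documentation work this PR is titled for; if it was added to edit the README screenshots, say so in the PR description, otherwise drop it or move it to a separate housekeeping commit so the devcontainer diff only carries changes a reviewer can tie to the PR.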
21 changes: 17 additions & 4 deletions .vscode/launch.json
@@ -5,16 +5,16 @@
"version": "0.2.0",
"configurations": [
{
"name": "Debug File (gad)",
"name": "Debug File (github provider)",
"type": "go",
"request": "launch",
"mode": "auto",
"program": "${workspaceFolder}/main.go",
"args": [
"--provider=gad",
"--provider=github",
"--debug=true",
"scan",
"./_TESTDATA_/sbom/small.cyclonedx.json"
"./_TESTDATA_/sbom/merged/sbom_specver1.6.json"
]
},
{
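Review bot: the renamed configuration now scans `./_TESTDATA_/sbom/merged/sbom_specver1.6.json`, but the only fixture visibly added in this PR is `_TESTDATA_/sbom/bomber.cyclonedx.1.6.json`; confirm the `merged/` file is checked in, otherwise the first debug run fails with a file-not-found. With the `gad` to `github` rename, also check that no other place (flag help text, docs, provider lookup) still advertises or accepts `gad`, or keep `gad` as a deprecated alias for one release so existing scripts do not break silently.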
@@ -27,7 +27,20 @@
"--provider=ossindex",
"--debug=true",
"scan",
"./_TESTDATA_/sbom/small.cyclonedx.json"
"./_TESTDATA_/sbom/jena-kafka-1.4.0-SNAPSHOT-bom.json"
]
},
{
"name": "Debug File (osv)",
"type": "go",
"request": "launch",
"mode": "auto",
"program": "${workspaceFolder}/main.go",
"args": [
"--provider=osv",
"--debug=true",
"scan",
"./_TESTDATA_/sbom/jena-kafka-1.4.0-SNAPSHOT-bom.json"
]
},
{
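Review bot: the new `Debug File (osv)` entry and the `ossindex` entry both scan `./_TESTDATA_/sbom/jena-kafka-1.4.0-SNAPSHOT-bom.json`, while the `github` entry above scans a different SBOM; since part of this PR is provider speed, point all three configurations at the same fixture so a debug run of each provider is directly comparable, and note in a comment why a SNAPSHOT BOM was chosen if the intent is to exercise version strings the providers handle differently.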
42 changes: 39 additions & 3 deletions README.md
@@ -16,6 +16,41 @@ The first thing you're going to want to do is see if any of the components liste

Finding security vulnerabilities and license information for components identified in a SBOM is exactly what `bomber` is meant to do. `bomber` can read any JSON or XML based [CycloneDX](https://cyclonedx.org) format, or a JSON [SPDX](https://spdx.dev) or [Syft](https://github.com/anchore/syft) formatted SBOM, and tell you pretty quickly if there are any vulnerabilities.

## Table of Contents

- [Open vs. Closed Source](#open-vs-closed-source)
- [Purpose](#purpose)
- [Supported SBOM formats](#supported-sbom-formats)
- [Providers](#providers)
- [Provider Support](#provider-support)
- [Provider Documentation](#provider-documentation)
- [Installation](#installation)
- [Mac](#mac)
- [Linux](#linux)
- [Using bomber](#using-bomber)
- [Single SBOM scan](#single-sbom-scan)
- [Entire folder scan](#entire-folder-scan)
- [Output Formats](#output-formats)
- [HTML Output](#html-output)
- [JSON Output](#json-output)
- [Markdown Output](#markdown-output)
- [Ignoring Vulnerabilities](#ignoring-vulnerabilities)
- [Filtering Output](#filtering-output)
- [Data Enrichment](#data-enrichment)
- [Exploit Prediction Scoring System (EPSS)](#exploit-prediction-scoring-system-epss)
- [Advanced stuff](#advanced-stuff)
- [Scanning SBOMs from STDIN](#scanning-sboms-from-stdin)
- [Environment Variables](#environment-variables)
- [Experimental Features](#experimental-features)
- [Highest Severity Return Codes (Experimental)](#highest-severity-return-codes-experimental)
- [OpenAI AI Enriched HTML Report Output](#openai-ai-enriched-html-report-output)
- [Messing around](#messing-around)
- [Notes](#notes)
- [Contributing](#contributing)
- [Software Bill of Materials](#software-bill-of-materials)
- [Sponsors](#sponsors)
- [Credits](#credits)

### Open vs. Closed Source

Software can either be open or closed source. You can look at third party components you'll find in Github, or any public source repository as open source. Technically, the software you create internally at your own company is open source as well - it's not public, but your internal teams can see it. Closed source software can also be internal, but usually this is software that you purchase from external vendors.
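Review bot: the table of contents lists `Open vs. Closed Source` and `Purpose` as top-level entries, yet the heading that immediately follows is `### Open vs. Closed Source`, one level below the `## Table of Contents` heading itself; either nest those entries under the section they belong to or promote the headings so the TOC hierarchy matches the document's. None of the other target headings are in this diff, so click through each anchor once in the rendered README before merging.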
@@ -38,7 +73,7 @@ There are quite a few SBOM formats available today. `bomber` supports the follow

![](img/providers/banner.png)

`bomber` supports multiple sources for vulnerability information. We call these _providers_. Currently, `bomber` uses [OSV](doc/providers/osv.md) as the _default_ provider, but you can also use the [Sonatype OSS Index](doc/providers/ossindex.md), or [Snyk](doc/providers/snyk.md).
`bomber` supports multiple sources for vulnerability information. We call these _providers_. Currently, `bomber` uses [OSV](doc/providers/osv.md) as the _default_ provider, but you can also use the [Github Advisory Database](docs/providers/github.md), the [Sonatype OSS Index](doc/providers/ossindex.md), or [Snyk](doc/providers/snyk.md).

At this time, please note that [OSV](doc/providers/osv.md) is free and does not require any credentials to use, [Sonatype OSS Index](doc/providers/ossindex.md) is free but requires you to register and obtain a token, and [Snyk](doc/providers/snyk.md) support requires a Snyk license.

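Review bot: the new link uses `docs/providers/github.md` while every other provider link in this paragraph uses `doc/providers/`; one of the two paths is a 404, almost certainly this one, so change it to `doc/providers/github.md`. The sentence that follows (`OSV is free and does not require any credentials ... Snyk support requires a Snyk license`) was not updated for the new provider: state whether the GitHub Advisory Database provider needs a token and which environment variable it reads, since that is the first thing a user of the new provider hits. Minor: `Github` should be spelled `GitHub`.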
@@ -55,6 +90,7 @@ If `bomber` does not find any vulnerabilities, it doesn't mean that there aren't
Provider documentation for `bomber` can be found:

- [OSV](doc/providers/osv.md)
- [GitHub Advisory Database](doc/providers/github.md)
- [OSSINDEX](doc/providers/ossindex.md)
- [Snyk](doc/providers/snyk.md)

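Review bot: this list spells the provider `GitHub Advisory Database` and links `doc/providers/github.md`; make sure the Providers paragraph that introduces the provider uses the same spelling and the same `doc/` path, and that `doc/providers/github.md` is actually part of this PR (it is not among the files shown here), because the link is dead until that file lands.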
@@ -101,9 +137,9 @@ If the provider finds vulnerabilities you'll see an output similar to the follow

![](img/bomber-example.png)

If the provider doesn't return any vulnerabilities you'll see something like the following:
If the provider doesn't return any vulnerabilities you'll see a message saying no vulnerabilities were found.

![](img/bomber-example-novulns.png)
__NOTE:__ Just because may not have found any vulnerabilities using a specified provider doesn't mean there are no vulnerabilities. Please try the other providers that bomber supports.

### Entire folder scan

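Review bot: the added NOTE line is missing its subject: `Just because may not have found any vulnerabilities` should read `Just because bomber may not have found any vulnerabilities`. It also restates the point already made in the Provider Support section (`If bomber does not find any vulnerabilities, it doesn't mean that there aren't ...`, visible in the hunk context above); a link to that section would avoid two copies drifting apart. Dropping the no-vulnerabilities screenshot is fine, but if `img/bomber-example-novulns.png` is not deleted elsewhere in this PR it becomes an orphaned file, so remove it in the same change.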
1 change: 1 addition & 0 deletions _TESTDATA_/sbom/bomber.cyclonedx.1.6.json

Large diffs are not rendered by default.
