bomber: Scans Software Bill of Materials (SBOM) for security vulnerabilities

bomber

bomber is an application that scans SBOMs for security vulnerabilities.

Overview

So you’ve asked a vendor for a Software Bill of Materials (SBOM) for one of their products, and they provided one to you in a JSON file… now what?

The first thing you’re going to want to do is to see if any of the components listed inside the SBOM have known security vulnerabilities. This will help you identify what kind of risk you will be taking on by using the product. Finding security vulnerabilities for the components identified in an SBOM is exactly what bomber is meant to do. It can read any JSON-based SPDX, CycloneDX, or Syft formatted SBOM and tell you pretty quickly if there are any vulnerabilities.

Powered by the Sonatype OSS Index, bomber can tell you what the component is used for, how many vulnerabilities it has, and what they are.

All you need is to download and install bomber and sign up for a free account for accessing the Sonatype OSS Index.

What SBOM formats are supported?

There are quite a few SBOM formats available today. bomber supports the following (JSON encoding only):

  • SPDX
  • CycloneDX
  • Syft

What ecosystems are supported?

Since bomber uses the Sonatype OSS Index, it will only give results for the ecosystems that OSS Index supports. At this time, the following can be scanned with bomber:

  • Maven
  • NPM
  • Go
  • PyPI
  • NuGet
  • RubyGems
  • Cargo
  • CocoaPods
  • Composer
  • Conan
  • Conda
  • CRAN
  • RPM
  • Swift

Use

You can scan either an entire folder of SBOMs or an individual SBOM with bomber. bomber doesn’t care if you have multiple formats in a single folder. It’ll sort everything out for you.

Single SBOM scan

bomber scan --username=xxx --token=xxx spdx-sbom.json

If there are vulnerabilities you’ll see an output similar to the following:

[screenshot: SBOM security vulnerabilities]

If the Sonatype OSS Index doesn’t return any vulnerabilities you’ll see something like the following:

Entire folder scan

This is good for when you receive multiple SBOMs from a vendor for the same product. Or, maybe you want to find out what vulnerabilities you have in your entire organization. A folder scan will find all components, de-duplicate them, and then scan them for vulnerabilities.

# scan a folder of SBOMs (the following command will scan a folder in your current folder named "sboms")
bomber scan --username=xxx --token=xxx ./sboms

You’ll see a similar result to what a Single SBOM scan will provide.
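To make the folder scan concrete, here is an added example (written for this README, not bomber’s own code) of the work a scanner has to do before it can ask OSS Index anything: tell the three JSON dialects apart, pull the package URL (purl) out of each component, merge and de-duplicate the purls across every SBOM in a folder, and batch them into request bodies. The top-level markers used to detect each format (`bomFormat` for CycloneDX, `spdxVersion` for SPDX, `artifacts` plus `descriptor` for Syft), the OSS Index `component-report` endpoint and its 128-coordinate batch limit are assumptions from those formats’ and Sonatype’s public documentation, not facts stated on this page. The sample SBOMs are constructed inline, so the example runs offline and never contacts OSS Index.

```python
"""Collect package URLs (purls) from SPDX, CycloneDX and Syft JSON SBOMs,
de-duplicate them across a folder, and batch them for Sonatype OSS Index.
Added example for illustration; this is not bomber's own code."""
import base64
import json
import urllib.request
from pathlib import Path

# Assumed, not taken from the README: the OSS Index component-report
# endpoint and its limit of 128 coordinates per request.
OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
OSSINDEX_BATCH = 128


def detect_format(doc):
    """Tell the three JSON SBOM dialects apart by their top-level markers."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if "spdxVersion" in doc:
        return "spdx"
    if "artifacts" in doc and "descriptor" in doc:
        return "syft"
    raise ValueError("not a recognised SBOM document")


def extract_purls(doc):
    """Return every purl declared in one SBOM, in document order."""
    fmt = detect_format(doc)
    if fmt == "cyclonedx":
        return [c["purl"] for c in doc.get("components", []) if c.get("purl")]
    if fmt == "syft":
        return [a["purl"] for a in doc.get("artifacts", []) if a.get("purl")]
    # SPDX carries the purl as an external reference on each package
    return [ref["referenceLocator"]
            for pkg in doc.get("packages", [])
            for ref in pkg.get("externalRefs", [])
            if ref.get("referenceType") == "purl"]


def collect(docs):
    """Merge several SBOMs into one de-duplicated, first-seen-ordered purl
    list, skipping JSON documents that are not SBOMs at all."""
    found = []
    for doc in docs:
        try:
            found.extend(extract_purls(doc))
        except ValueError:
            continue
    return list(dict.fromkeys(found))


def scan_folder(folder):
    """collect() over every *.json file in a folder, mixed formats included."""
    docs = [json.loads(p.read_text(encoding="utf-8"))
            for p in sorted(Path(folder).glob("*.json"))]
    return collect(docs)


def ossindex_batches(purls):
    """Split coordinates into request bodies no larger than the API allows."""
    return [{"coordinates": purls[i:i + OSSINDEX_BATCH]}
            for i in range(0, len(purls), OSSINDEX_BATCH)]


def ossindex_request(batch, username, token):
    """Build (without sending) one authenticated POST for a batch."""
    cred = base64.b64encode(f"{username}:{token}".encode()).decode()
    return urllib.request.Request(
        OSSINDEX_URL, data=json.dumps(batch).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + cred})


# Constructed sample SBOMs, one per format; lodash is listed twice on purpose.
SAMPLE_DOCS = [
    {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "lodash", "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "express", "purl": "pkg:npm/express@4.17.1"}]},
    {"spdxVersion": "SPDX-2.3", "packages": [
        {"name": "log4j-core", "externalRefs": [{"referenceType": "purl",
            "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
        {"name": "lodash", "externalRefs": [{"referenceType": "purl",
            "referenceLocator": "pkg:npm/lodash@4.17.20"}]}]},
    {"descriptor": {"name": "syft"}, "artifacts": [
        {"name": "requests", "purl": "pkg:pypi/requests@2.25.1"},
        {"name": "no-purl-here"}]},
    {"not": "an sbom"},
]


def demo():
    """Run the folder-style merge over the constructed documents."""
    return collect(SAMPLE_DOCS)
```

`demo()` yields four unique purls from the three sample SBOMs (the duplicated lodash entry collapses to one, the Syft artifact without a purl and the non-SBOM document are dropped), and `ossindex_batches()` turns that list into as many request bodies as the batch limit requires. Components without a purl are worth watching for in real vendor SBOMs: a scanner cannot look them up, so they silently fall out of the results unless you check the count against the SBOM.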

Advanced stuff

If you wish, you can set two environment variables to store your credentials so you don’t have to type them on the command line. Check out the Environment Variables section later in this README.

Install