README
¶
bomber
bomber is an application that scans SBoMs for security vulnerabilities.
Overview
So you've asked a vendor for an Software Bill of Materials (SBOM) for one of their products, and they provided one to you in a JSON file... now what?
The first thing you're going to want to do is see if any of the components listed inside the SBOM have security vulnerabilities. This will help you identify what kind of risk you will be taking on by using the product. Finding security vulnerabilities for components identified in an SBOM is exactly what bomber is meant to do. It can read any JSON based SPDX, CycloneDX, or Syft formatted SBOM and tell you pretty quickly if there are any vulnerabilities.
Powered by the Sonatype OSS Index, bomber can tell you what the component is used for, how many vulnerabilities it has, and what they are.
All you need is to download and install bomber and get yourself a free account for accessing the Sonatype OSS Index.
What SBOM formats are supported?
There are quite a few SBOM formats available today. bomber supports the following:
What ecosystems are supported?
Since bomber uses the Sonatype OSS Index, it will give results for the ecosystems that it supports. At this time, the following can be scanned with bomber
- Maven
- NPM
- Go
- PyPi
- Nuget
- RubyGems
- Cargo
- CocoaPods
- Composer
- Conan
- Conda
- CRAN
- RPM
- Swift
Prerequisites
In order to use bomber you need to get an account for the Sonatype OSS Index. Head over to the site, and create a free account, and make note of your username (this will be the email that you registered with).
Once you log in, you'll want to navigate to your settings and make note of your API token. **Please don't share your token with anyone. **
Installation
Mac
You can use Homebrew to install bomber using the following:
brew tap devops-kung-fu/homebrew-tap
brew install devops-kung-fu/homebrew-tap/bomber
Linux
To install bomber, download the latest release, extract the binary from the compressed file, make is executable, rename it to bomber and toss it in your /usr/local/bin directory for Linux, or on your path for other operating systems.
Using bomber
Now that we've installed bomber and have our username and token from the Sonatype OSS Index, we can scan an SBOM for vulnerabilities.
You can scan either an entire folder of SBOMs or an individual SBOM with bomber. bomber doesn't care if you have multiple formats in a single folder. It'll sort everything out for you.
Single SBOM scan
bomber scan --username=xxx --token=xxx spdx-sbom.json
If there are vulnerabilities you'll see an output similar to the following:
If the Sonatype OSS Index doesn't return any vulnerabilities you'll see something like the following:
Entire folder scan
This is good for when you receive multiple SBOMs from a vendor for the same product. Or, maybe you want to find out what vulnerabilities you have in your entire organization. A folder scan will find all components, de-duplicate them, and then scan them for vulnerabilities.
# scan a folder of SBOMs (the following command will scan a folder in your current folder named "sboms")
bomber scan --username=xxx --token=xxx ./sboms
You'll see a similar result to what a Single SBOM scan will provide.
Advanced stuff
If you wish, you can set two environment variables to store your credentials, and not have to type them on the command line. Check out the Environment Variables information later in this README.
Development
Overview
In order to use contribute and participate in the development of bomber you'll need to have an updated Go environment. Before you start, please view the Contributing and Code of Conduct files in this repository.
Prerequisites
This project makes use of DKFM tools such as Hookz, Hinge, and other open source tooling. Install these tools with the following commands:
go install github.com/devops-kung-fu/hookz@latest
go install github.com/devops-kung-fu/hinge@latest
go install github.com/kisielk/errcheck@latest
go install golang.org/x/lint/golint@latest
go install github.com/fzipp/gocyclo@latest
Getting Started
Once you have installed Hookz and have cloned this repository, execute the following in the root directory:
hookz init --verbose --debug --verbose-output
This will configure the pre-commit hooks to check code quality, tests, update all dependencies, etc. before code gets committed to the remote repository.
Building
Use the Makefile to build, test, or do pre-commit checks.
Remember that this is a go module, so there is no entry point. You can execute any test function though in your preferred IDE.
Testing
Environment Variables
The testing framework is set up to use environment variables that are found in a file called test.env in the root directory of the project. This file has been added to the .gitignore file in this project so it will be ignored if it exists in your file structure when committing the code. If you are running tests, this file should exist and have the following values configured:
BOMBER_PROVIDER_USERNAME={{your OSS Index user name}}
BOMBER_PROVIDER_TOKEN={{your OSS Index API Token}}
To load this file, you use the following command in your terminal before opening an editor such as Visual Studio Code (from your terminal).
export $(cat *.env)
Software Bill of Materials
bomber uses the CycloneDX and SPDX to generate a Software Bill of Materials every time a developer commits code to this repository (as long as Hookzis being used and is has been initialized in the working directory). More information for CycloneDX is available here. SPDX information is available here.
The current CycloneDX SBoM for bomber is available here, and the SPDX formatted SBoM is available here.
Credits
A big thank-you to our friends at Smashicons for the bomber logo.
Big kudos to our OSS homies at Sonatype for providing a wicked tool like the Sonatype OSS Index.
Documentation
¶
There is no documentation for this package.
Source Files
Directories