bomber is an application that scans SBOMs for security vulnerabilities. Given an SBOM in CycloneDX, SPDX, or Syft format, it connects to either OSV.dev or OSS Index to determine if any packages in the SBOM have vulnerabilities.
How is this different from tools like Grype, etc.? It's all in the ecosystems supported. Where most SBOM scanners only handle deb and rpm (containers), bomber handles code ecosystems like PyPI, rpm, gem, Cocoapods, etc.
Check out https://github.com/devops-kung-fu/bomber for more information.
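The workflow described above (read an SBOM, pull out the Package URLs for each component, and ask OSV.dev whether any of them carry known vulnerabilities) is shown here as an added example; it is not code from the bomber project. It parses a constructed CycloneDX and a constructed SPDX document, builds the request body for OSV.dev's `POST /v1/querybatch` endpoint, and then interprets a constructed, offline copy of the response shape that endpoint returns. The package versions and the vulnerability IDs (`EXAMPLE-...`) are placeholders, not real advisories.

```python
import json
from collections import Counter

# Constructed sample SBOMs for this example (not from the bomber project).
# Versions and package choices are illustrative placeholders.
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.0",
         "purl": "pkg:pypi/requests@2.25.0"},
        {"type": "library", "name": "rails", "version": "6.1.0",
         "purl": "pkg:gem/rails@6.1.0"},
        {"type": "library", "name": "AFNetworking", "version": "4.0.0",
         "purl": "pkg:cocoapods/AFNetworking@4.0.0"},
        # A component with no purl cannot be looked up and is skipped.
        {"type": "library", "name": "no-purl-component", "version": "1.0"},
    ],
})

SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "openssl", "versionInfo": "1.1.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:rpm/redhat/openssl@1.1.1"}]},
        # Same package as in the CycloneDX document: de-duplicated below.
        {"name": "requests", "versionInfo": "2.25.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.25.0"}]},
    ],
})


def extract_purls(sbom_text):
    """Return the purls found in one CycloneDX, SPDX, or Syft JSON SBOM, in document order."""
    doc = json.loads(sbom_text)
    purls = []
    if doc.get("bomFormat") == "CycloneDX":
        purls = [c["purl"] for c in doc.get("components", []) if c.get("purl")]
    elif "spdxVersion" in doc:
        for pkg in doc.get("packages", []):
            for ref in pkg.get("externalRefs", []):
                if ref.get("referenceType") == "purl":
                    purls.append(ref["referenceLocator"])
    elif "artifacts" in doc:  # Syft native JSON keeps a "purl" field per artifact
        purls = [a["purl"] for a in doc["artifacts"] if a.get("purl")]
    else:
        raise ValueError("unrecognised SBOM format")
    return list(dict.fromkeys(purls))  # drop duplicates, keep order


def merge_purls(sbom_texts):
    """Combine purls from several SBOMs into one de-duplicated, ordered list."""
    merged = []
    for text in sbom_texts:
        merged.extend(extract_purls(text))
    return list(dict.fromkeys(merged))


def purl_ecosystem(purl):
    """'pkg:rpm/redhat/openssl@1.1.1' -> 'rpm' (the purl type names the ecosystem)."""
    return purl.split(":", 1)[1].split("/", 1)[0]


def ecosystem_counts(purls):
    return dict(Counter(purl_ecosystem(p) for p in purls))


def build_osv_batch_query(purls):
    """Request body for POST https://api.osv.dev/v1/querybatch, one query per purl."""
    return {"queries": [{"package": {"purl": p}} for p in purls]}


def match_results(purls, batch_response):
    """Map each purl to the vulnerability IDs OSV reported for it.

    OSV's batch response carries one entry per query, in the same order as the
    request, so results are paired with purls by position. Packages with no
    known vulnerabilities come back as an empty object or an empty "vulns" list.
    """
    findings = {}
    for purl, result in zip(purls, batch_response.get("results", [])):
        ids = [v["id"] for v in (result.get("vulns") or [])]
        if ids:
            findings[purl] = ids
    return findings


# Constructed OSV-style batch response (offline stand-in for the live API).
# The IDs are placeholders, not real OSV/CVE/GHSA identifiers.
SAMPLE_OSV_RESPONSE = {"results": [
    {"vulns": [{"id": "EXAMPLE-VULN-0001", "modified": "2023-01-01T00:00:00Z"}]},
    {},
    {"vulns": []},
    {"vulns": [{"id": "EXAMPLE-VULN-0002"}, {"id": "EXAMPLE-VULN-0003"}]},
]}

if __name__ == "__main__":
    purls = merge_purls([CYCLONEDX_SBOM, SPDX_SBOM])
    print("ecosystems:", ecosystem_counts(purls))
    print("query body:", json.dumps(build_osv_batch_query(purls)))
    for purl, ids in match_results(purls, SAMPLE_OSV_RESPONSE).items():
        print(f"{purl}: {', '.join(ids)}")
```

To run this against the real service, send `build_osv_batch_query(purls)` as the JSON body to `https://api.osv.dev/v1/querybatch`; the batch endpoint returns only each vulnerability's `id` and `modified` timestamp, so severity and affected-range details need a follow-up `GET /v1/vulns/{id}` per finding. The `ecosystem_counts` helper is there to make the page's point visible in practice: a purl's type (`pypi`, `gem`, `cocoapods`, `rpm`) is what a scanner must understand to cover more than container package managers.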