Closed luhring closed 2 years ago
Full SBOM attached: sbom.tar.gz
@luhring Looks like a few things happening here. The first one I'm going to look at is why bomber doesn't think this is a valid SBoM. I'm going to add some more debug logging and trace through the load of this file. It looks like it didn't get to the PURL parsing routines. It should at the very least say how many packages it found.
The second thing is that bomber passes out the PURLs to the providers; in the case right now it's OSS Index. OSS Index doesn't support the deb ecosystem, so once bomber would get the PURLs from the SBOM, nothing would be found. That said, I'm going to be implementing OSV this week as the default provider, with OSS Index being an alternate. That's going to bring in deb scanning, and a bunch of other ecosystems.
I'll use the provided SBOM to test all this with.
Thanks, sounds great! 🙏
@luhring So I found two issues. The first is that bomber didn't think the file was a valid SPDX file. I corrected this in my dj-wip branch, and will release that. The big issue is the SPDX format in general. When the ubuntu-latest.spdx.json file was generated, it didn't put any purls in the output. The way SPDX does purls is through the External References (which is really strange). I generated the same command in cyclonedx format and got the purls in my latest code, but nothing was found (I used the OSV provider that I'm writing up now).
Still looking into this, but may just focus on code rather than OS package scanning for bomber if I go down a rabbit hole. I am implementing snyk in the newest code as well, so I'll find out if that provider tosses any info back.
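The comment above touches two points a scanner has to get right: SPDX JSON carries purls inside each package's externalRefs (referenceType "purl") rather than as a direct field the way CycloneDX does, and a scan that found packages but passed no purls to a provider is not the same as a scan that found no vulnerabilities. The following Go program is an added illustration, not bomber's own code; the SPDX and CycloneDX documents in it are constructed samples, not the SBOM attached to this issue, and the struct shapes are the minimal subsets of the two formats needed to pull purls out.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal SPDX 2.x JSON shape: purls live in each package's externalRefs
// (referenceType "purl"), not in a top-level field.
type spdxDoc struct {
	Packages []struct {
		Name         string `json:"name"`
		ExternalRefs []struct {
			Category string `json:"referenceCategory"`
			Type     string `json:"referenceType"`
			Locator  string `json:"referenceLocator"`
		} `json:"externalRefs"`
	} `json:"packages"`
}

// Minimal CycloneDX 1.x JSON shape: purl is a direct field of each component.
type cdxDoc struct {
	Components []struct {
		Name string `json:"name"`
		Purl string `json:"purl"`
	} `json:"components"`
}

// ScanSummary keeps "how many packages were in the SBOM" separate from
// "how many of them carried a purl", so an empty scan is distinguishable
// from a clean one.
type ScanSummary struct {
	Packages int
	Purls    []string
}

// PurlsFromSPDX collects purls from the externalRefs of every package.
func PurlsFromSPDX(data []byte) (ScanSummary, error) {
	var doc spdxDoc
	if err := json.Unmarshal(data, &doc); err != nil {
		return ScanSummary{}, err
	}
	s := ScanSummary{Packages: len(doc.Packages)}
	for _, p := range doc.Packages {
		for _, r := range p.ExternalRefs {
			if r.Type == "purl" {
				s.Purls = append(s.Purls, r.Locator)
			}
		}
	}
	return s, nil
}

// PurlsFromCycloneDX collects the purl field of every component that has one.
func PurlsFromCycloneDX(data []byte) (ScanSummary, error) {
	var doc cdxDoc
	if err := json.Unmarshal(data, &doc); err != nil {
		return ScanSummary{}, err
	}
	s := ScanSummary{Packages: len(doc.Components)}
	for _, c := range doc.Components {
		if c.Purl != "" {
			s.Purls = append(s.Purls, c.Purl)
		}
	}
	return s, nil
}

// Verdict turns a summary plus the provider's finding count into the message
// a scanner should print: only an SBOM whose packages actually reached the
// provider may be reported as "no vulnerabilities found".
func Verdict(s ScanSummary, findings int) string {
	switch {
	case s.Packages == 0:
		return "no packages found in SBOM; nothing was scanned"
	case len(s.Purls) == 0:
		return fmt.Sprintf("%d packages found but none carry a purl; nothing was scanned", s.Packages)
	case findings == 0:
		return fmt.Sprintf("%d of %d packages scanned; no vulnerabilities found", len(s.Purls), s.Packages)
	default:
		return fmt.Sprintf("%d of %d packages scanned; %d vulnerabilities found", len(s.Purls), s.Packages, findings)
	}
}

// Constructed sample inputs (not the SBOM attached to this issue).
const SampleSPDX = `{"spdxVersion":"SPDX-2.3","packages":[
 {"name":"libc6","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:deb/ubuntu/libc6@2.35-0ubuntu3?arch=amd64"}]},
 {"name":"ubuntu-latest","externalRefs":[]}]}`

const SampleCycloneDX = `{"bomFormat":"CycloneDX","components":[
 {"name":"libc6","purl":"pkg:deb/ubuntu/libc6@2.35-0ubuntu3?arch=amd64"},
 {"name":"bash","purl":"pkg:deb/ubuntu/bash@5.1-6ubuntu1"}]}`

func main() {
	s, _ := PurlsFromSPDX([]byte(SampleSPDX))
	fmt.Println("SPDX:     ", Verdict(s, 0))
	c, _ := PurlsFromCycloneDX([]byte(SampleCycloneDX))
	fmt.Println("CycloneDX:", Verdict(c, 0))
}
```

With an SPDX file like the one described in the thread, where no package carries a purl reference, the summary has Packages > 0 and an empty Purls slice, and Verdict reports that nothing was scanned instead of a clean result; that is the distinction the issue asks for.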
I'm seeing some cases where bomber doesn't appear to be performing a vulnerability scan on the supplied SBOM, but it still reports "no vulnerabilities found" and exits 0. I'd recommend paying careful attention when reporting "no vulnerabilities found" to users, to avoid creating a false sense of security and eroding trust in the tool.

I installed bomber using the Homebrew instructions on the README. And here I'm using Syft version 0.54.0.

In contrast, when I use Grype, it scans the SBOM for vulnerabilities correctly: