devops-kung-fu / bomber

Scans Software Bill of Materials (SBOMs) for security vulnerabilities
https://devops-kung-fu.github.io/bomber/
Mozilla Public License 2.0

Bomber is not finding packages in a SBOM file that has been converted using the CycloneDX Convert function #171

Open 6mile opened 1 year ago

6mile commented 1 year ago

The problem I am having is that bomber does NOT find any packages in an SBOM that has been converted by the cyclonedx-node convert process. The SBOM is generated from a javascript application.

To recreate for testing: Create a CycloneDX SBOM in JSON format: cyclonedx-node --output bomber-test.json

If we scan that SBOM with Bomber, it works: (screenshot attached, 2023-08-03)

Now convert that CycloneDX SBOM to SPDX using the cyclonedx convert function: cat ./bomber-test.json | cyclonedx convert --input-format json --output-format spdxjson > ./converted-to-spdx.json

Now that you have a freshly converted SPDX format SBOM, run Bomber against it: bomber scan ./converted-to-spdx.json

Unfortunately, Bomber doesn't find any packages even though there are many components listed in the converted SBOM: (screenshot attached, 2023-08-02)

I'm attaching all files here so you can inspect them. bomber-files.zip

djschleen commented 1 year ago

Appreciate you attaching the files! We'll take a look.

djschleen commented 1 year ago

@mirxcle have you taken a look yet?

djschleen commented 11 months ago

Just touching this issue again. @mirxcle note that this is an SPDX file. I'd bet the schema isn't compatible with Bomber so we'll have to see if there's a half decent SPDX go module we can use rather than have to roll our own.
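The reproduction steps above and the schema remark point at the same thing: an SPDX JSON document lists its components under `packages`, with the package URL stored in an `externalRefs` entry of type `purl`, and a scanner that only knows CycloneDX's `components` array will read zero packages. This added example (not bomber's code; `ExtractPurls` and the sample document are constructed for illustration) shows the fields a loader has to read, and reports packages that carry no purl, since those would be silently skipped by any vulnerability lookup.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal view of an SPDX 2.x JSON document (hypothetical helper, not bomber's loader).
type spdxDoc struct {
	Packages []struct {
		Name         string `json:"name"`
		VersionInfo  string `json:"versionInfo"`
		ExternalRefs []struct {
			ReferenceType    string `json:"referenceType"`
			ReferenceLocator string `json:"referenceLocator"`
		} `json:"externalRefs"`
	} `json:"packages"`
}

// ExtractPurls returns the purls in an SPDX JSON document; packages with no
// purl externalRef go in missing, so a scanner can report what it would skip.
func ExtractPurls(data []byte) (purls, missing []string, err error) {
	var doc spdxDoc
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, nil, fmt.Errorf("parsing SPDX JSON: %w", err)
	}
	for _, p := range doc.Packages {
		found := false
		for _, ref := range p.ExternalRefs {
			if ref.ReferenceType == "purl" && ref.ReferenceLocator != "" {
				purls = append(purls, ref.ReferenceLocator)
				found = true
			}
		}
		if !found {
			missing = append(missing, p.Name+"@"+p.VersionInfo)
		}
	}
	return purls, missing, nil
}

// Constructed sample shaped like `cyclonedx convert --output-format spdxjson`
// output for an npm project; it is not the attachment from the issue.
const SampleSPDX = `{"spdxVersion":"SPDX-2.3","packages":[
 {"name":"lodash","versionInfo":"4.17.20","externalRefs":[
  {"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:npm/lodash@4.17.20"}]},
 {"name":"internal-lib","versionInfo":"1.0.0"}]}`

func main() { fmt.Println(ExtractPurls([]byte(SampleSPDX))) }
```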