devops-kung-fu / bomber

Scans Software Bill of Materials (SBOMs) for security vulnerabilities
https://devops-kung-fu.github.io/bomber/
Mozilla Public License 2.0

Vulnerability Database management #238

Open anthonyharrison opened 2 months ago

anthonyharrison commented 2 months ago

Each time bomber is run, the vulnerability database is downloaded. For multiple scans of SBOMs, this is not ideal and it would be good if the database download could be controlled particularly if the data has already been downloaded. Having a continually changing vulnerability baseline isn't ideal either.

Suggested enhancements:

1/ Cache the database download and only download a new copy if the data is older than X (default is 24 hours but could be a command line or configuration parameter)
2/ Add a command line to just use the existing data (regardless of how old it is).
3/ To allow the tool to operate in an offline (or air-gapped environment), provide options to import and export a vulnerability database.
4/ If the data already exists elsewhere in the system (e.g. because it has been used by another tool), provide a filepath to the data to use.
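One way to express the four options as a single decision, written in Go as an added illustration (this is not bomber's code; the option names, the cache file location and the 24-hour default are assumptions taken from the comment above):

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// CacheOptions models the knobs proposed in the issue (names are assumed, not bomber's own).
type CacheOptions struct {
	MaxAge      time.Duration // re-download when the cache is older than this; 0 means the 24h default
	UseExisting bool          // use the cached copy regardless of its age
	Offline     bool          // air-gapped: never download; fail if nothing is available locally
	DBPath      string        // database already on the system (e.g. fetched by another tool)
}

// Decide applies the policy: explicit path first, then offline/use-existing, then the freshness
// check. It returns whether a download is needed and the file to read (or to write the download to).
func Decide(opts CacheOptions, cacheFile string, now time.Time) (download bool, path string, err error) {
	path = cacheFile
	if opts.DBPath != "" {
		path = opts.DBPath
	}
	info, statErr := os.Stat(path)
	switch {
	case statErr != nil && (opts.DBPath != "" || opts.Offline):
		return false, "", fmt.Errorf("no usable vulnerability database: %w", statErr)
	case statErr != nil: // nothing cached yet, and downloading is allowed
		return true, cacheFile, nil
	case opts.DBPath != "" || opts.UseExisting || opts.Offline:
		return false, path, nil // use what is there, whatever its age
	}
	maxAge := opts.MaxAge
	if maxAge == 0 {
		maxAge = 24 * time.Hour // the default proposed in the issue
	}
	if now.Sub(info.ModTime()) > maxAge {
		return true, cacheFile, nil // stale: refresh the baseline
	}
	return false, path, nil
}

func main() {
	cache := filepath.Join(os.TempDir(), "bomber-vulndb.json") // assumed cache location
	download, path, err := Decide(CacheOptions{Offline: true}, cache, time.Now())
	fmt.Println("download:", download, "path:", path, "err:", err)
}
```

The stale check uses the cache file's modification time, so a copy imported from another machine keeps whatever timestamp the import gave it.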

djschleen commented 1 month ago

Hey Anthony! I’ll definitely dig into this. I like the idea of having bomber configurable to utilize offline data. Right now it is fully connected and doesn’t cache anything.