devops-kung-fu / bomber

Scans Software Bill of Materials (SBOMs) for security vulnerabilities
https://devops-kung-fu.github.io/bomber/
Mozilla Public License 2.0

Bomber not correctly detecting versions from CycloneDX BOM resulting in false positives #245

Closed rvesse closed 6 days ago

rvesse commented 1 week ago

We're generating SBOMs using the Maven CycloneDX plugin in our projects. One of our developers was using bomber for vulnerability scans and had several false positives reported because bomber does not appear to be detecting the version information, despite it being present in the SBOM.

Sample SBOM: jena-kafka-1.4.0-SNAPSHOT-bom.json

This is from repository https://github.com/telicent-oss/jena-fuseki-kafka

Bomber output:

$ 
 ██▄ ▄▀▄ █▄ ▄█ ██▄ ██▀ █▀▄
 █▄█ ▀▄▀ █ ▀ █ █▄█ █▄▄ █▀▄

DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.5.0

■ Scanning Files:
    target/jena-kafka-1.4.0-SNAPSHOT-bom.json
■ Ecosystems detected: maven
■ Scanning 79 packages for vulnerabilities...
■ Vulnerability Provider: OSV Vulnerability Database (https://osv.dev) 

■ Files Scanned
    target/jena-kafka-1.4.0-SNAPSHOT-bom.json (sha256:60838e3b0079a5925af4e2053ba53d28a40039a867f32539b2f67cfdfc445ec8)

■ Licenses Found: Apache-2.0, BSD-2-Clause, MIT, EPL-2.0, GPL-2.0-with-classpath-exception, CC0-1.0, BSD-3-Clause

╭───────┬──────────────────────┬─────────┬──────────┬────────────────┬────────╮
│ TYPE  │ NAME                 │ VERSION │ SEVERITY │ VULNERABILITY  │ EPSS % │
├───────┼──────────────────────┼─────────┼──────────┼────────────────┼────────┤
│ maven │ snappy-java          │         │ MODERATE │ CVE-2023-34454 │ N/A    │
│       │                      ├─────────┼──────────┼────────────────┼────────┤
│       │                      │         │ MODERATE │ CVE-2023-34453 │ N/A    │
│       │                      ├─────────┼──────────┼────────────────┼────────┤
│       │                      │         │ HIGH     │ CVE-2023-43642 │ N/A    │
│       │                      ├─────────┼──────────┼────────────────┼────────┤
│       │                      │         │ HIGH     │ CVE-2023-34455 │ N/A    │
│       ├──────────────────────┼─────────┼──────────┼────────────────┼────────┤
│       │ commons-collections4 │         │ HIGH     │ CVE-2015-6420  │ N/A    │
│       │                      ├─────────┼──────────┼────────────────┼────────┤
│       │                      │         │ CRITICAL │ CVE-2015-7501  │ N/A    │
╰───────┴──────────────────────┴─────────┴──────────┴────────────────┴────────╯

Total vulnerabilities found: 6

╭──────────┬───────╮
│ RATING   │ COUNT │
├──────────┼───────┤
│ CRITICAL │     1 │
├──────────┼───────┤
│ HIGH     │     3 │
├──────────┼───────┤
│ MODERATE │     2 │
╰──────────┴───────╯

NOTES:

1. The list of vulnerabilities displayed may differ from provider to provider. This list
   may not contain all possible vulnerabilities. Please try the other providers that bomber
   supports (osv, ossindex, snyk)
2. EPSS Percentage indicates the % chance that the vulnerability will be exploited. This
   value will assist in prioritizing remediation. For more information on EPSS, refer to
   https://www.first.org/epss/
3. An EPSS Percentage showing as N/A means that no EPSS data was available for the vulnerability
   or the --enrich=epss flag was not set when running bomber

Note that the VERSION column is empty. Doing a `mvn dependency:tree` and `grep`-ing for the dependencies in question shows all are using up-to-date versions that are not vulnerable. Inspecting the SBOM manually shows that it does include the correct version for each dependency, so I'm not sure why Bomber isn't detecting this.
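To make the failure mode concrete: a CycloneDX component carries its version both in the `version` field and in the `purl` (`pkg:maven/group/artifact@version?type=jar`), and a vulnerability lookup issued without a version matches every advisory ever published for that package, which is exactly the false-positive pattern in the table above. The following is an added example, not bomber's own code and not the SBOM attached to this issue: it decodes a constructed CycloneDX 1.4 JSON fragment into the minimal struct subset needed for identity, prefers the `version` field, falls back to the `@version` segment of the purl, and refuses to hand a versionless package to a provider. The `Package` type, the purl fallback and the sample component versions are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Component is the subset of the CycloneDX JSON "component" object needed
// to identify a package. Field names follow the CycloneDX 1.4 schema.
type Component struct {
	Type    string `json:"type"`
	Group   string `json:"group"`
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

// BOM is the top level of a CycloneDX JSON document (subset).
type BOM struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Components  []Component `json:"components"`
}

// Package is the resolved identity that would be sent to a vulnerability
// provider such as OSV (type is an assumption of this example).
type Package struct {
	Ecosystem string
	Name      string
	Version   string
}

// versionFromPURL returns the "@version" part of a package URL, or "" when
// the purl has none. Qualifiers ("?...") and subpath ("#...") are stripped
// first so a "@" inside a qualifier cannot be mistaken for the version.
func versionFromPURL(purl string) string {
	if i := strings.IndexAny(purl, "?#"); i >= 0 {
		purl = purl[:i]
	}
	at := strings.LastIndex(purl, "@")
	if at < 0 {
		return ""
	}
	return purl[at+1:]
}

// ecosystemFromPURL maps "pkg:maven/..." to "maven".
func ecosystemFromPURL(purl string) string {
	rest := strings.TrimPrefix(purl, "pkg:")
	if i := strings.Index(rest, "/"); i >= 0 {
		return rest[:i]
	}
	return ""
}

// ParseBOM decodes a CycloneDX JSON document and returns one Package per
// library component. The "version" field is preferred; if it is empty the
// version is recovered from the purl. Components that still have no version
// are returned separately so the caller can skip them instead of issuing a
// versionless query that would match every advisory for that package.
func ParseBOM(data []byte) (resolved []Package, unversioned []string, err error) {
	var bom BOM
	if err := json.Unmarshal(data, &bom); err != nil {
		return nil, nil, err
	}
	if bom.BOMFormat != "CycloneDX" {
		return nil, nil, fmt.Errorf("not a CycloneDX BOM: %q", bom.BOMFormat)
	}
	for _, c := range bom.Components {
		if c.Type != "library" {
			continue
		}
		name := c.Name
		if c.Group != "" {
			name = c.Group + ":" + c.Name
		}
		version := c.Version
		if version == "" {
			version = versionFromPURL(c.PURL)
		}
		if version == "" {
			unversioned = append(unversioned, name)
			continue
		}
		resolved = append(resolved, Package{Ecosystem: ecosystemFromPURL(c.PURL), Name: name, Version: version})
	}
	return resolved, unversioned, nil
}

// sampleBOM is a constructed CycloneDX 1.4 fragment in the shape the Maven
// CycloneDX plugin emits. The second component deliberately omits "version"
// so only the purl carries it; the third has no version anywhere.
const sampleBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.xerial.snappy", "name": "snappy-java",
     "version": "1.1.10.5", "purl": "pkg:maven/org.xerial.snappy/snappy-java@1.1.10.5?type=jar"},
    {"type": "library", "group": "org.apache.commons", "name": "commons-collections4",
     "purl": "pkg:maven/org.apache.commons/commons-collections4@4.4?type=jar"},
    {"type": "library", "group": "example", "name": "no-version-anywhere",
     "purl": "pkg:maven/example/no-version-anywhere"}
  ]
}`

func main() {
	pkgs, missing, err := ParseBOM([]byte(sampleBOM))
	if err != nil {
		panic(err)
	}
	for _, p := range pkgs {
		fmt.Printf("%s %s@%s\n", p.Ecosystem, p.Name, p.Version)
	}
	for _, n := range missing {
		fmt.Printf("SKIPPED (no version): %s\n", n)
	}
}
```

The design choice worth noting is the last branch: a scanner that cannot determine a version should report the component as unscanned rather than query the provider anyway, because an unversioned query cannot distinguish "vulnerable" from "every version that ever had an advisory".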

djschleen commented 6 days ago

I'll take a look!

djschleen commented 6 days ago

Fixed the versioning... it looks like there are no vulnerabilities in that SBOM (as of now; I scanned using OSV and OSSINDEX).