devops-kung-fu / bomber

Scans Software Bill of Materials (SBOMs) for security vulnerabilities
https://devops-kung-fu.github.io/bomber/
Mozilla Public License 2.0

Fetch data from VulnerableCode #98

Open pombredanne opened 1 year ago

pombredanne commented 1 year ago

@djschleen @juliojimenez This may be of interest to you guys: I have just launched https://public.vulnerablecode.io/

VulnerableCode is an open source vulnerability database (code at https://github.com/nexb/vulnerablecode) that is keyed by package-url/purl like OSSindex (which has also adopted the purl spec that I created originally for ScanCode and VulnerableCode). It is the only open source code and open data correlated and aggregated vulnerability database I know of. Some of its code is reused by Google OSV.

You can run a full instance of VulnerableCode independently or use the public service as you prefer. We provide seed data to speed up offline install and usage. And we started to publish a new mapping of legacy CPE to purl at https://github.com/nexB/vulnerablecode-purl2cpe

It has a new, experimental vulntotal tool: https://github.com/nexB/vulnerablecode/pull/801 ... like virustotal but for vulnerability database comparison. It can compare the results of a purl query to VulnerableCode, OSSIndex, Snyk, Google, OSV, GitHub and GitLab at once and tells you which DB reports which vulnerability or not, which is pretty interesting. Like a live benchmark. So far, VulnerableCode is not doing too badly and holding its own against the proprietary databases! Because of the terms of service of each of these proprietary databases, the tool is not hostable centrally and you need to run the CLI locally. The input is a purl.

In addition, purldb is a new companion database of all the purls at https://github.com/nexB/purldb/ that can come handy for lookup and validation.

Both are extensively based on and use package-url/purl (I created and co-lead https://github.com/package-url/purl-spec and libraries FWIW).

So in a nutshell, these goodies may be of some interest for you to check out. And if you find them not too shabby, and you care to reuse some of them, ping me if I can help you out and I will.
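Since both an SBOM's components and VulnerableCode's index are keyed by purl, the glue between a scanner like bomber and a purl-keyed database is purl canonicalization. This added example (not code from bomber, VulnerableCode or purl-spec) takes a constructed CycloneDX SBOM, parses each component purl in the order purl-spec prescribes, and reduces it to the type/namespace/name@version key a database lookup matches on, so duplicates that differ only in qualifiers or subpath collapse into one query and components without a usable purl are reported rather than silently dropped.

```python
import json
from urllib.parse import quote, unquote

# Constructed CycloneDX 1.4 SBOM used as sample input (not from the bomber project).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "requests", "version": "2.25.1", "purl": "pkg:PyPI/Requests@2.25.1"},
  {"type": "library", "name": "core", "version": "12.0.0", "purl": "pkg:npm/%40angular/core@12.0.0?arch=x86&os=linux#dist"},
  {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
  {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20#index.js"},
  {"type": "library", "name": "vendored", "version": "1.0"},
  {"type": "library", "name": "odd", "version": "1.0", "purl": "npm:lodash@4"}
]}"""

def parse_purl(purl):
    """Split a purl in purl-spec order: subpath, qualifiers, version (rightmost '@'), then type/namespace/name."""
    scheme, _, rest = purl.partition(":")
    if scheme != "pkg" or not rest:
        raise ValueError("not a purl: %r" % purl)
    rest, _, subpath = rest.partition("#")
    rest, _, qualifiers = rest.partition("?")
    rest, at, version = rest.rpartition("@")
    if not at:  # no '@' present: rpartition left the whole remainder in 'version'
        rest, version = version, ""
    parts = [p for p in rest.strip("/").split("/") if p]
    if len(parts) < 2:
        raise ValueError("purl needs a type and a name: %r" % purl)
    ptype, name = parts[0].lower(), unquote(parts[-1])
    namespace = "/".join(unquote(p) for p in parts[1:-1])
    if ptype in ("npm", "pypi"):  # these ecosystems treat names as case-insensitive
        name, namespace = name.lower(), namespace.lower()
    return {"type": ptype, "namespace": namespace, "name": name,
            "version": unquote(version), "qualifiers": qualifiers, "subpath": subpath}

def lookup_purl(p):
    """Canonical purl minus qualifiers and subpath: the type/namespace/name@version
    key a purl-indexed vulnerability database such as VulnerableCode matches on."""
    ns = "".join(quote(s, safe="") + "/" for s in p["namespace"].split("/")) if p["namespace"] else ""
    ver = "@" + quote(p["version"], safe="") if p["version"] else ""
    return "pkg:%s/%s%s%s" % (p["type"], ns, quote(p["name"], safe=""), ver)

def sbom_lookup_purls(sbom_json):
    """Return (sorted unique lookup purls, [(component name, reason)] for components that could not be keyed)."""
    keys, skipped = set(), []
    for c in json.loads(sbom_json).get("components", []):
        try:
            keys.add(lookup_purl(parse_purl(c.get("purl", ""))))
        except ValueError as e:
            skipped.append((c["name"], str(e)))
    return sorted(keys), skipped
```

The `skipped` list is the part worth surfacing in a scan report: a component with no purl, or one written as `npm:lodash@4`, is a gap in coverage, not a clean result.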

djschleen commented 1 year ago

Oh yes! @juliojimenez and I were tracking your project and we'll definitely hook this up!

We have an open issue to support air-gapped environments, and this could help with that.

djschleen commented 1 year ago

@pombredanne Just letting you know this is still on our radar :)