bomber is an application that scans SBOMs for security vulnerabilities. So you’ve asked a vendor for a Software Bill of Materials (SBOM) for one of their closed source products, and they provided one to you in a JSON file… now what?

The first thing you’re going to want to do is see if any of the components listed inside the SBOM have security vulnerabilities, and what kind of licenses these components have.

This will help you identify what kind of risk you will be taking on by using the product.

Finding security vulnerabilities and license information for components identified in a SBOM is exactly what bomber is meant to do.

bomber can read any JSON- or XML-based CycloneDX SBOM, or a JSON SPDX or Syft formatted SBOM, and tell you pretty quickly if there are any vulnerabilities.

Table Of Contents

  • Open vs. Closed Source
  • Purpose
  • Supported SBOM formats
  • Providers
    • Provider Support
    • Provider Documentation
  • Installation
    • Mac
    • Linux
  • Using bomber
    • Single SBOM scan
    • Entire folder scan
  • Output Formats
    • HTML Output
    • JSON Output
    • Markdown Output
  • Ignoring Vulnerabilities
  • Filtering Output
  • Data Enrichment
    • Exploit Prediction Scoring System (EPSS)
  • Advanced stuff
    • Scanning SBOMs from STDIN
    • Environment Variables
  • Experimental Features
    • Highest Severity Return Codes (Experimental)
    • OpenAI AI Enriched HTML Report Output
  • Messing around
  • Notes
  • Contributing
  • Software Bill of Materials
  • Sponsors
  • Credits

Open vs. Closed Source

Software can either be open or closed source. Third party components you’ll find on GitHub, or in any other public source repository, count as open source.

Technically, the software you create internally at your own company is open source in the same sense – it’s not public, but your internal teams can see it.

Closed source software can also be internal, but usually this is software that you purchase from external vendors.

Companies can use SCA tools provided by vendors such as GitHub, Sonatype, Snyk, etc. to scan any kind of open source and provide vulnerability data – and even generate SBOMs in some cases. What they can’t do (yet…) is scan closed source software that you don’t have visibility into.

This is where SBOMs and bomber come into play. SBOMs provide the composition of software that you can’t access, and bomber determines if anything in the SBOM has vulnerabilities.

Purpose

We created bomber to scan the SBOMs of closed source products that vendors provide to you. It can scan open source SBOMs too, and technically you could use bomber as an open source SCA tool if you wanted to.

Supported SBOM formats

There are quite a few SBOM formats available today. bomber supports the following:

  • SPDX
  • CycloneDX
  • Syft
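The three formats store package identity in different places, and what a provider is ultimately asked about is each component's package URL (purl). The following is an added example, not bomber's own code: it detects which JSON format an SBOM is in and pulls out every purl, skipping components that carry none (such as the vendor's own product entry). The three sample SBOMs are constructed, minimal documents; the CycloneDX XML variant bomber also accepts is not handled here.

```python
"""Extract package URLs (purls) from the three JSON SBOM formats bomber reads:
CycloneDX, SPDX and Syft. Added example, not bomber's own code; the sample
SBOMs below are constructed for illustration."""
import json

# Constructed minimal CycloneDX 1.4 JSON document: purls sit on each component.
CYCLONEDX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    ],
})

# Constructed minimal SPDX 2.3 JSON document: purls live in externalRefs.
SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "requests", "versionInfo": "2.25.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.25.1"}]},
        # The vendor's own product: no purl, so nothing to look up.
        {"name": "vendor-app", "versionInfo": "1.0"},
    ],
})

# Constructed minimal Syft JSON document: purls sit on each artifact.
SYFT_JSON = json.dumps({
    "artifacts": [
        {"name": "openssl", "version": "1.1.1k-r0", "type": "apk",
         "purl": "pkg:apk/alpine/openssl@1.1.1k-r0"},
    ],
})


def detect_format(doc):
    """Identify the SBOM format from its top-level keys."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if "spdxVersion" in doc:
        return "spdx"
    if "artifacts" in doc:
        return "syft"
    raise ValueError("unrecognised SBOM format")


def extract_purls(text):
    """Return the purls found in a JSON SBOM of any supported format.
    Components without a purl are skipped: a provider cannot be queried
    without one, which is one reason a scan can come back empty."""
    doc = json.loads(text)
    fmt = detect_format(doc)
    purls = []
    if fmt == "cyclonedx":
        for comp in doc.get("components", []):
            if comp.get("purl"):
                purls.append(comp["purl"])
    elif fmt == "spdx":
        for pkg in doc.get("packages", []):
            for ref in pkg.get("externalRefs", []):
                if ref.get("referenceType") == "purl":
                    purls.append(ref["referenceLocator"])
    else:  # syft
        for art in doc.get("artifacts", []):
            if art.get("purl"):
                purls.append(art["purl"])
    return purls


if __name__ == "__main__":
    for name, text in (("CycloneDX", CYCLONEDX_JSON),
                       ("SPDX", SPDX_JSON), ("Syft", SYFT_JSON)):
        print(name, extract_purls(text))
```

Running the script prints the purl list for each of the three constructed documents. When a vendor SBOM yields far fewer purls than it has components, that gap is worth raising with the vendor before reading anything into a clean scan.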

Providers

bomber supports multiple sources for vulnerability information. We call these providers. Currently, bomber uses OSV as the default provider, but you can also use the GitHub Advisory Database, the Sonatype OSS Index, or Snyk.

Note that, at this time, OSV is free and does not require any credentials to use, Sonatype OSS Index is free but requires you to register and obtain a token, and Snyk support requires a Snyk license.

In addition to data bomber collects from Providers, it also enriches vulnerability data with extra information such as exploitation probabilities.

Provider Support

Please note that each provider supports different ecosystems, so if you’re not seeing any vulnerabilities in one, try another. An ecosystem is simply the package manager, or type of package.

Examples include rpm, npm, gems, etc. It is important to understand that each provider may report different vulnerabilities. If in doubt, look at a few of them.

If bomber does not find any vulnerabilities, it doesn’t mean that there aren’t any. All it means is that the provider being used didn’t detect any, or it doesn’t support the ecosystem.

Some providers return vulnerabilities with no severity information. In this case, the severity will be listed as “UNDEFINED”.

Provider Documentation

Provider documentation for bomber can be found on the following pages:

  • Snyk
  • OSV
  • GitHub Advisory Database
  • OSSINDEX
