bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor for a Software Bill of Materials (SBOM) for one of their closed source products, and they provided one to you in a JSON file… now what?
The first thing you'll want to do is see whether any of the components listed inside the SBOM have security vulnerabilities, and what kind of licenses those components carry.
This will help you identify what kind of risk you will be taking on by using the product.
Finding security vulnerabilities and license information for components identified in an SBOM is exactly what bomber is meant to do.
bomber can read any JSON or XML based CycloneDX format, or a JSON SPDX or Syft formatted SBOM, and tell you pretty quickly if there are any vulnerabilities.
Software can be either open or closed source. Third party components you'll find on GitHub, or in any public source repository, can be considered open source.
Technically, the software you create internally at your own company is open source as well – it's not public, but your internal teams can see it.
Closed source software can also be internal, but usually this is software that you purchase from external vendors.
Companies can use SCA tools provided by vendors such as GitHub, Sonatype, Snyk, etc. to scan any kind of open source and provide vulnerability data – and even generate SBOMs in some cases. What they can't do (yet…) is scan closed source software that you don't have visibility into.
This is where SBOMs and bomber come into play. SBOMs provide the composition of software that you can't access, and bomber determines if anything in the SBOM has vulnerabilities.
We created bomber to scan the closed source SBOMs that vendors provide to you. It can scan open source SBOMs too, and technically you could use bomber as an open source SCA tool if you wanted to.
There are quite a few SBOM formats available today. bomber supports the following:
bomber supports multiple sources for vulnerability information. We call these providers. Currently, bomber uses OSV as the default provider, but you can also use the GitHub Advisory Database, the Sonatype OSS Index, or Snyk.
At this time, please note that OSV is free and does not require any credentials, Sonatype OSS Index is free but requires you to register and obtain a token, and Snyk support requires a Snyk license.
In addition to the data bomber collects from providers, it also enriches vulnerability data with extra information such as exploitation probabilities.
Please note that each provider supports different ecosystems, so if you're not seeing any vulnerabilities in one, try another. An ecosystem is simply the package manager, or type of package.
Examples include rpm, npm, gems, etc. It is important to understand that each provider may report different vulnerabilities. If in doubt, look at a few of them.
If bomber does not find any vulnerabilities, it doesn't mean that there aren't any. All it means is that the provider being used didn't detect any, or that it doesn't support the ecosystem.
Some providers return vulnerabilities with no severity information. In this case, the severity will be listed as "UNDEFINED".
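As an added example (not bomber's own code), the following Python walks through the steps described above: it parses a CycloneDX JSON SBOM, builds an OSV POST /v1/query request body for each component that carries a purl, and labels any vulnerability record that has no severity block as UNDEFINED. The SBOM, the provider replies and the vulnerability identifiers are constructed sample data, and the provider lookup is passed in as a function so the code runs offline.

```python
import json
# Constructed CycloneDX 1.4 JSON SBOM (sample data, not a real vendor SBOM).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
        {"type": "library", "name": "internal-lib", "version": "1.0.0"},  # no purl: cannot be looked up
    ],
})

# Constructed replies shaped like OSV's POST /v1/query response, keyed by purl.
# Vulnerability ids are placeholders; the second record has no severity block.
FAKE_OSV_RESPONSES = {
    "pkg:npm/lodash@4.17.20": {"vulns": [
        {"id": "EXAMPLE-VULN-0001",
         "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]},
        {"id": "EXAMPLE-VULN-0002"},
    ]},
    "pkg:pypi/requests@2.25.1": {"vulns": []},
}

def load_cyclonedx(sbom_text):
    """Parse a CycloneDX JSON SBOM and return its component list."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON SBOM")
    return doc.get("components", [])

def osv_query(purl):
    """Request body for OSV's POST /v1/query; OSV accepts a purl that includes the version."""
    return {"package": {"purl": purl}}

def severity_label(vuln):
    """A record with no severity block is reported as UNDEFINED, as described in the text."""
    sev = vuln.get("severity") or []
    return sev[0]["score"] if sev else "UNDEFINED"

def scan(sbom_text, query_provider):
    """Return (findings, skipped): findings are (purl, vuln id, severity) rows obtained via
    query_provider(request_body); skipped lists components that have no purl to look up."""
    findings, skipped = [], []
    for comp in load_cyclonedx(sbom_text):
        purl = comp.get("purl")
        if not purl:
            skipped.append(f"{comp.get('name')}@{comp.get('version')}")
            continue
        for vuln in query_provider(osv_query(purl)).get("vulns", []):
            findings.append((purl, vuln["id"], severity_label(vuln)))
    return findings, skipped
```

To run it against the real service, replace the stub with a function that POSTs the request body to https://api.osv.dev/v1/query and returns the parsed JSON reply.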
Provider documentation for bomber can be found here:
Snyk
OSV
GitHub Advisory Database
OSSINDEX