
False negative scans when using bomber on SBOM with Cyclone CDX SpecVersion 1.6 #242

Closed · clobraico-hf opened this issue Sep 18, 2024 · 3 comments · Fixed by #249

Comments


clobraico-hf commented Sep 18, 2024

Problem

Running bomber on SBOMs with specVersion "1.6" is failing.

  • Scan works on the sbom_specver1.5.json file
    • ■ Scanning 77 packages for vulnerabilities...
  • Scan does not work on sbom_specver1.6.json file
    • ■ No packages were detected. Nothing has been scanned.

(Example SBOMs attached below)

Additional background

Version info:

  • bomber ver 0.5

sbom_specver1.5.json
sbom_specver1.6.json

@djschleen (Member) commented:

Thanks for reporting this @clobraico-hf - I’m not sure the underlying library we use to parse CycloneDX files supports 1.6 yet. I may need to add a version check in the code to warn of this.

I’m actively working on a new release with a new GitHub Advisory Database vulnerability provider so I’ll get this triaged pretty quickly.

@djschleen djschleen self-assigned this Sep 20, 2024
@djschleen djschleen added this to the 0.5.1 milestone Sep 23, 2024
@djschleen djschleen added the dependencies Pull requests that update a dependency file label Sep 23, 2024
@djschleen (Member) commented:

Hey @clobraico-hf, I put some checks in 0.5.1 that will display warnings if the ecosystem isn't supported for the provider used. The SBOMs you attached have packages in the conan ecosystem. This ecosystem isn't supported by OSV, but is supported by OSSINDEX.
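The behaviour described in the comment above, a pre-scan check that warns when an SBOM's packages belong to an ecosystem the chosen provider cannot query instead of silently reporting "No packages were detected", is shown below as an added example. This is illustrative code written for this page, not bomber's own implementation: the `checkSBOM` and `purlType` functions, the `providerEcosystems` support matrix and the `knownSpecVersions` set are all assumptions (the only fact taken from the thread is that conan is supported by OSSINDEX but not by OSV), and the embedded CycloneDX 1.6 document is constructed, not the reporter's attachment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sampleSBOM is a constructed CycloneDX 1.6 document for this example, not the
// reporter's attachment. Two components are conan packages, one is npm.
const sampleSBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {"name": "zlib",    "version": "1.2.13",  "purl": "pkg:conan/zlib@1.2.13"},
    {"name": "openssl", "version": "3.0.8",   "purl": "pkg:conan/openssl@3.0.8"},
    {"name": "lodash",  "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"}
  ]
}`

// sbom is the minimal subset of the CycloneDX JSON schema this check reads.
type sbom struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Components  []component `json:"components"`
}

type component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

// providerEcosystems is an assumed support matrix keyed by purl type. The only
// row taken from the issue thread is that conan is queryable via ossindex, not osv.
var providerEcosystems = map[string]map[string]bool{
	"osv":      {"npm": true, "pypi": true, "golang": true, "maven": true, "cargo": true},
	"ossindex": {"npm": true, "pypi": true, "golang": true, "maven": true, "cargo": true, "conan": true},
}

// knownSpecVersions is assumed: the CycloneDX versions this parser was written against.
var knownSpecVersions = map[string]bool{"1.4": true, "1.5": true, "1.6": true}

// ScanReport is returned before any provider is contacted, so the caller can
// surface warnings rather than scanning an empty package list.
type ScanReport struct {
	SpecVersion string
	Scannable   []string       // purls that will be sent to the provider
	Unsupported map[string]int // purl type -> packages skipped for this provider
	Warnings    []string
}

// purlType extracts the type segment of a package URL: "pkg:conan/zlib@1.2.13" -> "conan".
func purlType(purl string) string {
	if !strings.HasPrefix(purl, "pkg:") {
		return ""
	}
	rest := purl[len("pkg:"):]
	i := strings.IndexByte(rest, '/')
	if i <= 0 {
		return ""
	}
	return strings.ToLower(rest[:i])
}

// checkSBOM parses the document, flags an untested specVersion, and partitions
// components into scannable and unsupported-for-this-provider sets.
func checkSBOM(data []byte, provider string) (ScanReport, error) {
	supported, ok := providerEcosystems[provider]
	if !ok {
		return ScanReport{}, fmt.Errorf("unknown provider %q", provider)
	}
	var doc sbom
	if err := json.Unmarshal(data, &doc); err != nil {
		return ScanReport{}, fmt.Errorf("parsing SBOM: %w", err)
	}
	if doc.BOMFormat != "CycloneDX" {
		return ScanReport{}, fmt.Errorf("unsupported bomFormat %q", doc.BOMFormat)
	}
	r := ScanReport{SpecVersion: doc.SpecVersion, Unsupported: map[string]int{}}
	if !knownSpecVersions[doc.SpecVersion] {
		r.Warnings = append(r.Warnings, fmt.Sprintf("specVersion %q is not one this parser was written for; results may be incomplete", doc.SpecVersion))
	}
	for _, c := range doc.Components {
		switch t := purlType(c.PURL); {
		case t == "":
			r.Warnings = append(r.Warnings, fmt.Sprintf("component %s@%s has no usable purl; skipped", c.Name, c.Version))
		case !supported[t]:
			r.Unsupported[t]++
		default:
			r.Scannable = append(r.Scannable, c.PURL)
		}
	}
	for t, n := range r.Unsupported {
		r.Warnings = append(r.Warnings, fmt.Sprintf("provider %s does not support the %s ecosystem; %d package(s) skipped", provider, t, n))
	}
	if len(r.Scannable) == 0 {
		r.Warnings = append(r.Warnings, "no packages were detected; nothing will be scanned")
	}
	return r, nil
}

func main() {
	for _, p := range []string{"osv", "ossindex"} {
		r, err := checkSBOM([]byte(sampleSBOM), p)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s: specVersion %s, %d package(s) to scan, warnings: %v\n", p, r.SpecVersion, len(r.Scannable), r.Warnings)
	}
}
```

Running it against the constructed SBOM with provider `osv` yields one scannable package and a warning that two conan packages were skipped; with `ossindex` all three are scannable. The point of keying the matrix on the purl type rather than on component names is that a CycloneDX document does not otherwise declare which ecosystem a component comes from, so the purl is the only field that can drive this decision.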

@djschleen (Member) commented:

[Screenshot, 2024-09-23: debug info of the new checks]
