Speed increase for OSV, GitHub provider work, Documentation Update (d…

…evops-kung-fu#249) * feat: Massive speed increase for OSV by using batches * fix: fixes case when there are no aliases * fix: returns the CVE as the vulnerability id in the OSV Provider if it is an alias * chore: Updated documentation * fix: JSON output should only output json, fixed an issue where it would output the file name. Added a better JSON output screenshot to the README.md * refactor: Add SupportedEcosystems method to Provider interface This commit adds the SupportedEcosystems method to the Provider interface in the models package. The method returns a slice of strings representing the supported ecosystems by the provider. This change allows providers to declare the ecosystems they support, which can be used for validation and information display.
mcombuechen · Sep 23, 2024 · 692b3e4 · 692b3e4
1 parent f2d3912
commit 692b3e4
Show file tree

Hide file tree

Showing 32 changed files with 6,827 additions and 463 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -11,7 +11,8 @@
                 "golang.org/x/vuln/cmd/govulncheck@latest",
                 "honnef.co/go/tools/cmd/staticcheck@latest"
             ]
-        }
+        },
+        "ghcr.io/dasiths/devcontainer-features/syft:1": {}
     },
     "customizations": {
         "vscode": {
@@ -73,7 +74,8 @@
                 "Github.copilot",
                 "markis.code-coverage",
                 "Gruntfuggly.todo-tree",
-                "esbenp.prettier-vscode"
+                "esbenp.prettier-vscode",
+                "Tyriar.luna-paint"
             ]
         }
     }

diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -5,16 +5,16 @@
     "version": "0.2.0",
     "configurations": [
         {
-            "name": "Debug File (gad)",
+            "name": "Debug File (github provider)",
             "type": "go",
             "request": "launch",
             "mode": "auto",
             "program": "${workspaceFolder}/main.go",
             "args": [
-                "--provider=gad",
+                "--provider=github",
                 "--debug=true",
                 "scan",
-                "./_TESTDATA_/sbom/small.cyclonedx.json"
+                "./_TESTDATA_/sbom/merged/sbom_specver1.6.json"
             ]
         },
         {
@@ -27,7 +27,20 @@
                 "--provider=ossindex",
                 "--debug=true",
                 "scan",
-                "./_TESTDATA_/sbom/small.cyclonedx.json"
+                "./_TESTDATA_/sbom/jena-kafka-1.4.0-SNAPSHOT-bom.json"
+            ]
+        },
+                {
+            "name": "Debug File (osv)",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/main.go",
+            "args": [
+                "--provider=osv",
+                "--debug=true",
+                "scan",
+                "./_TESTDATA_/sbom/jena-kafka-1.4.0-SNAPSHOT-bom.json"
             ]
         },
         {

diff --git a/README.md b/README.md
@@ -16,6 +16,41 @@ The first thing you're going to want to do is see if any of the components liste
 
 Finding security vulnerabilities and license information for components identified in a SBOM is exactly what `bomber` is meant to do. `bomber` can read any JSON or XML based [CycloneDX](https://cyclonedx.org) format, or a JSON [SPDX](https://spdx.dev) or [Syft](https://github.com/anchore/syft) formatted SBOM, and tell you pretty quickly if there are any vulnerabilities.
 
+## Table of Contents
+
+- [Open vs. Closed Source](#open-vs-closed-source)
+- [Purpose](#purpose)
+- [Supported SBOM formats](#supported-sbom-formats)
+- [Providers](#providers)
+  - [Provider Support](#provider-support)
+  - [Provider Documentation](#provider-documentation)
+- [Installation](#installation)
+  - [Mac](#mac)
+  - [Linux](#linux)
+- [Using bomber](#using-bomber)
+  - [Single SBOM scan](#single-sbom-scan)
+  - [Entire folder scan](#entire-folder-scan)
+- [Output Formats](#output-formats)
+  - [HTML Output](#html-output)
+  - [JSON Output](#json-output)
+  - [Markdown Output](#markdown-output)
+- [Ignoring Vulnerabilities](#ignoring-vulnerabilities)
+- [Filtering Output](#filtering-output)
+- [Data Enrichment](#data-enrichment)
+  - [Exploit Prediction Scoring System (EPSS)](#exploit-prediction-scoring-system-epss)
+- [Advanced stuff](#advanced-stuff)
+  - [Scanning SBOMs from STDIN](#scanning-sboms-from-stdin)
+  - [Environment Variables](#environment-variables)
+- [Experimental Features](#experimental-features)
+  - [Highest Severity Return Codes (Experimental)](#highest-severity-return-codes-experimental)
+  - [OpenAI AI Enriched HTML Report Output](#openai-ai-enriched-html-report-output)
+- [Messing around](#messing-around)
+- [Notes](#notes)
+- [Contributing](#contributing)
+- [Software Bill of Materials](#software-bill-of-materials)
+- [Sponsors](#sponsors)
+- [Credits](#credits)
+
 ### Open vs. Closed Source
 
 Software can either be open or closed source. You can look at third party components you'll find in Github, or any public source repository as open source. Technically, the software you create internally at your own company is open source as well - it's not public, but your internal teams can see it. Closed source software can also be internal, but usually this is software that you purchase from external vendors.
@@ -38,7 +73,7 @@ There are quite a few SBOM formats available today. `bomber` supports the follow
 
 ![](img/providers/banner.png)
 
-`bomber` supports multiple sources for vulnerability information. We call these _providers_. Currently, `bomber` uses [OSV](doc/providers/osv.md) as the _default_ provider, but you can also use the [Sonatype OSS Index](doc/providers/ossindex.md), or [Snyk](doc/providers/snyk.md).
+`bomber` supports multiple sources for vulnerability information. We call these _providers_. Currently, `bomber` uses [OSV](doc/providers/osv.md) as the _default_ provider, but you can also use the [Github Advisory Database](docs/providers/github.md), the [Sonatype OSS Index](doc/providers/ossindex.md), or [Snyk](doc/providers/snyk.md).
 
 At this time, please note that [OSV](doc/providers/osv.md) is free and does not require any credentials to use, [Sonatype OSS Index](doc/providers/ossindex.md) is free but requires you to register and obtain a token, and [Snyk](doc/providers/snyk.md) support requires a Snyk license.
 
@@ -55,6 +90,7 @@ If `bomber` does not find any vulnerabilities, it doesn't mean that there aren't
 Provider documentation for `bomber` can be found:
 
 - [OSV](doc/providers/osv.md)
+- [GitHub Advisory Database](doc/providers/github.md)
 - [OSSINDEX](doc/providers/ossindex.md)
 - [Snyk](doc/providers/snyk.md)
 
@@ -101,9 +137,9 @@ If the provider finds vulnerabilities you'll see an output similar to the follow
 
 ![](img/bomber-example.png)
 
-If the provider doesn't return any vulnerabilities you'll see something like the following:
+If the provider doesn't return any vulnerabilities you'll see a message saying no vulnerabilities were found. 
 
-![](img/bomber-example-novulns.png)
+__NOTE:__ Just because may not have found any vulnerabilities using a specified provider doesn't mean there are no vulnerabilities. Please try the other providers that bomber supports.
 
 ### Entire folder scan
 

diff --git a/_TESTDATA_/sbom/bomber.cyclonedx.1.6.json b/_TESTDATA_/sbom/bomber.cyclonedx.1.6.json