bomber by devops-kung-fu

SBOM scanner for security vulnerabilities

created 3 years ago
574 stars

Project Summary

This tool scans Software Bills of Materials (SBOMs) for security vulnerabilities and license information, primarily targeting security analysts and developers who need to assess risks in third-party software components, especially closed-source products. It provides a quick way to identify potential security exposures within vendor-supplied SBOMs.

How It Works

Bomber processes SBOMs in various formats (CycloneDX, SPDX, Syft) and queries multiple vulnerability data providers (OSV, GitHub Advisory Database, Sonatype OSS Index, Snyk) to identify known vulnerabilities. It can enrich this data with exploit prediction scores (EPSS) and offers flexible output formats for reporting and integration. The approach allows users to scan both individual SBOM files and entire directories, de-duplicating components for comprehensive analysis.

Quick Start & Requirements

  • Installation: Via Homebrew (brew install devops-kung-fu/homebrew-tap/bomber) on macOS, or by downloading and installing a .deb package on Linux.
  • Prerequisites: Some providers (Sonatype OSS Index, Snyk) require credentials or licenses.
  • Usage: bomber scan <sbom_file_or_directory>
  • Docs: Provider documentation

Highlighted Details

  • Supports multiple SBOM formats including CycloneDX, SPDX, and Syft.
  • Integrates with multiple vulnerability providers: OSV (default, no credentials), GitHub Advisory Database, Sonatype OSS Index, and Snyk.
  • Offers output formats: STDOUT (default), HTML, JSON, and Markdown.
  • Includes experimental features like AI-enriched HTML reports (requires OpenAI API key) and exit codes based on vulnerability severity.

Maintenance & Community

  • Actively developed, with contributions from various individuals; the README also mentions support from Snyk and Sonatype.
  • Information on contributing is available in CONTRIBUTING.md.

Licensing & Compatibility

  • The README does not explicitly state the license for the bomber project itself. However, it mentions using tools and providers from Snyk and Sonatype, which have their own licensing terms.

Limitations & Caveats

  • The AI-enriched HTML report feature is in a major alpha state, noted as extremely slow with unoptimized output.
  • OSV provider integration is noted as potentially slow due to API limitations, requiring individual PURL lookups.
  • License information is not always present in SBOMs and may require specific generator flags (e.g., --license for Syft).