This section covers typical use cases for consumers of supply chain security documents. In this context, “consumer” refers to a person or automation that has reading access (limited or unrestricted) to BOMs, vulnerabilities or CSAF documents.
Bills of Materials stand at the forefront of both BOMnipotents functionality and name. A BOM is a list of all components that make up a product. In the context of cybersecurity, the most prominent variant is the Software Bill of Materials (SBOM), but BOMs allow for more general considerations as well.
Running
bomnipotent_client bom listwill list all BOMs accessible to you:
╭─────────────┬─────────┬─────────────────────────┬───────────┬────────────╮
│ Product │ Version │ Timestamp │ TLP │ Components │
├─────────────┼─────────┼─────────────────────────┼───────────┼────────────┤
│ BOMnipotent │ 1.0.0 │ 2025-02-01 03:31:50 UTC │ TLP:WHITE │ 363 │
│ BOMnipotent │ 1.0.1 │ 2025-02-01 03:31:50 UTC │ TLP:WHITE │ 363 │
│ vulny │ 0.1.0 │ 2025-02-02 06:51:40 UTC │ TLP:AMBER │ 63 │
╰─────────────┴─────────┴─────────────────────────┴───────────┴────────────╯BOMs with label TLP:WHITE / TLP:CLEAR are visible to everyone. In this example, your account has access to one BOM with label TLP:AMBER.
To create a local copy of all boms the server exposes to you, run:
bomnipotent_client bom download ./boms[INFO] Storing BOMs under ./bomsThis will store the BOMs in the provided folder ("./boms", in this example). It will create the folder structure if it does not already exist. The BOMs are stored in files following the naming scheme {product name}_{product version}.cdx.json.
To avoid inconsistent behaviour accross operating systems, the name and version of the product are converted into lowercase, and most special characters are replaced by an underscore ‘_’. This means that, in principle, different products could lead to the same filename. In that case, BOMnipotent will display a warning instead of silently overwriting a file.
tree ./boms/./boms/
├── bomnipotent_1.0.0.cdx.json
├── bomnipotent_1.0.1.cdx.json
└── vulny_0.1.0.cdx.json
1 directory, 3 filesBefore requesting files for download, BOMnipotent Client makes an inventory of the BOMs already present in the folder, and downloads only the missing ones.
BOMnipotent does not automatically replace existing files, even if they have changed on the server. It instead prints a warning message:
[WARN] File ./boms/white/2023/wid-sec-w-2023-0001.json already exists.
Use the "--overwrite" flag to replace it.
Skipping download to prevent data loss.You can tell BOMnipotent that you really want this file overwritten by using the “–overwrite” flag:
bomnipotent_client bom download ./boms --overwritebomnipotent_client bom download ./boms -oYou can directly display the contents of a single BOM to the consolte output by calling
bomnipotent_client bom get <NAME> <VERSION>{
"$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": "urn:uuid:60d5a033-6d54-4ac4-a5fa-824d0b04c718",
"version": 1,
"metadata": {
"timestamp": "2025-02-23T07:23:33+01:00",
"tools": {
"components": [
...This is especially useful if you want to use the contents of this BOM in a script. For example, to check for vulnerabilities in the supply chain, you could call:
bomnipotent_client bom get <NAME> <VERSION> | grypeNAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
ring 0.17.10 0.17.12 rust-crate GHSA-4p46-pwfr-66x6 MediumThe purpose of a Bill of Materials is to catalogue components of a product. BOMnipotent Client can be used to list all packages etc. contained in any product that is accessible to your user account. Simply call the client with the arguments “component”, “list”, and then name and version of the product:
bomnipotent_client component list vulny 0.1.0╭──────────────┬─────────┬─────────┬───────────────────────────┬───────────────────────────╮
│ Name │ Version │ Type │ CPE │ PURL │
├──────────────┼─────────┼─────────┼───────────────────────────┼───────────────────────────┤
│ aho-corasick │ 1.1.3 │ library │ cpe:2.3:a:aho-corasick:ah │ pkg:cargo/aho-corasick@1. │
│ │ │ │ o-corasick:1.1.3:*:*:*:*: │ 1.3 │
│ │ │ │ *:*:* │ │
│ aws-lc-rs │ 1.12.2 │ library │ cpe:2.3:a:aws-lc-rs:aws-l │ pkg:cargo/aws-lc-rs@1.12. │
│ │ │ │ c-rs:1.12.2:*:*:*:*:*:*:* │ 2 │
│ aws-lc-sys │ 0.25.0 │ library │ cpe:2.3:a:aws-lc-sys:aws- │ pkg:cargo/aws-lc-sys@0.25 │
│ │ │ │ lc-sys:0.25.0:*:*:*:*:*:* │ .0 │
│ │ │ │ :* │ │
│ bindgen │ 0.69.5 │ library │ cpe:2.3:a:bindgen:bindgen │ pkg:cargo/bindgen@0.69.5 │
│ │ │ │ :0.69.5:*:*:*:*:*:*:* │ │
...This output is primarily meant to be human-readable. Using the --output=raw option makes it machine-readable in principle, but
downloading the complete BOM
is most likely preferable to parsing this table output.
A vendor of a product should periodically scan the BOM of a product for vulnerabilities, for example by using tools like grype . The next section explains how you as the user of a product can access these list.
To dispaly a list of known vulnerabilities affecting a product, call “vulnerability”, “list” and then name and version of the product:
bomnipotent_client vulnerability list vulny 0.1.0╭─────────┬─────────┬─────────────────────┬───────────────────────────┬───────┬──────────┬─────────┬─────────────────╮
│ Product │ Version │ Vulnerability │ Description │ Score │ Severity │ TLP │ CSAF Assessment │
├─────────┼─────────┼─────────────────────┼───────────────────────────┼───────┼──────────┼─────────┼─────────────────┤
│ vulny │ 0.1.0 │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable │ │ medium │ Default │ │
│ │ │ │ panic in `Acceptor::accep │ │ │ │ │
│ │ │ │ t` │ │ │ │ │
╰─────────┴─────────┴─────────────────────┴───────────────────────────┴───────┴──────────┴─────────┴─────────────────╯Product name and version are optional positional arguments. If you do not provide a version, you will get the output for all versions of the product, and if you do not provide either, the output of all products accessible to you.
bomnipotent_client vulnerability list╭─────────────┬─────────┬─────────────────────┬───────────────────────────┬───────┬──────────┬─────────┬─────────────────╮
│ Product │ Version │ Vulnerability │ Description │ Score │ Severity │ TLP │ CSAF Assessment │
├─────────────┼─────────┼─────────────────────┼───────────────────────────┼───────┼──────────┼─────────┼─────────────────┤
│ BOMnipotent │ 1.0.0 │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable │ │ medium │ Default │ │
│ │ │ │ panic in `Acceptor::accep │ │ │ │ │
│ │ │ │ t` │ │ │ │ │
│ vulny │ 0.1.0 │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable │ │ medium │ Default │ │
│ │ │ │ panic in `Acceptor::accep │ │ │ │ │
│ │ │ │ t` │ │ │ │ │
╰─────────────┴─────────┴─────────────────────┴───────────────────────────┴───────┴──────────┴─────────┴─────────────────╯The output contains an ID for the vulnerability, a description, and a CVSS value and/or severity if available. It also contains a TLP Classification derived from that of the affected product, and ideally a CSAF Assessment by the vendor.
The CSAF document is a crucial part, because it tells you, the user of the product, how you should react to this supply chain vulnerability. Read the next section to find out how to access them.
When a vulnerability becomes known in one of the components of a product that you use, one of the most natural questions to ask is “What do I have to do now?”. The Common Security Advisory Format (CSAF) aims to provide an answer to that question in an automated fashion. It is a mainly machine-readable format for exchanging advisories about security vulnerabilities.
One of the main functionalities of BOMnipotent is to make distribution of CSAF documents as easy as possible. Any running instance of BOMnipotent Server acts as a “CSAF Provider” according to the OASIS standard .
Running
./bomnipotent_client csaf listwill give you a list of all CSAF documents accessible to you.
╭───────────────┬───────────────────────────┬──────────────────────┬──────────────────────┬────────┬───────────╮
│ ID │ Title │ Initial Release │ Current Release │ Status │ TLP │
├───────────────┼───────────────────────────┼──────────────────────┼──────────────────────┼────────┼───────────┤
│ BSI-2022-0001 │ CVRF-CSAF-Converter: XML │ 2022-03-17 13:03 UTC │ 2022-07-14 08:20 UTC │ final │ TLP:WHITE │
│ │ External Entities Vulnera │ │ │ │ │
│ │ bility │ │ │ │ │
╰───────────────┴───────────────────────────┴──────────────────────┴──────────────────────┴────────┴───────────╯Accesible CSAF documents are those that are either labeled TLP:WHITE/TLP:CLEAR, or that concern a product that you have been granted access to.
To locally mirror all CSAF documents accessible to you, run
bomnipotent_client csaf download ./csaf[INFO] Storing CSAF documents under ./csafThis will store th CSAF documents in the provided folder ("./csaf", in this example). It will create the folder structure if it does not already exist. The CSAF documents are stored in file paths following the naming scheme {tlp}/{initial_release_year}/{csaf_id}.json.
The filenames of CSAF documents follow a naming scheme defined by the OASIS standard : The ids are converted into lowercase, and most special characters are replaced by an underscore ‘_’. This means that, in principle, different CSAF documents could lead to the same filepath. In that case, BOMnipotent will display an error instead of silently overwriting a file.
tree ./csaf/./csaf/
└── white
└── 2022
└── bsi-2022-0001.jsonBefore requesting files for download, BOMnipotent Client makes an inventory of the CSAF documents already present in the folder, and downloads only the missing ones.
It is possible to only download a single file by providing the path as an additional argument:
bomnipotent_client csaf download ./csaf white/2022/bsi-2022-0001.jsonBOMnipotent does not automatically replace existing files, even if they have changed on the server. It instead prints a warning message:
[WARN] File ./csaf/white/2023/wid-sec-w-2023-0001.json already exists.
Use the "--overwrite" flag to replace it.
Skipping download to prevent data loss.You can tell BOMnipotent that you really want this file overwritten by using the “–overwrite” flag:
bomnipotent_client csaf download ./csaf --overwritebomnipotent_client csaf download ./csaf -oYou can directly display the contents of a single CSAF doc to the consolte output by calling
bomnipotent_client csaf get <ID>{
"document" : {
"aggregate_severity" : {
"text" : "mittel"
},
"category" : "csaf_base",
"csaf_version" : "2.0",
"distribution" : {
"tlp" : {
"label" : "WHITE",
...This is especially useful if you want to use the contents of this CSAF doc in a script.
To see exactly which products are covered by a CSAF advisory, run:
./bomnipotent_client product list╭───────────────────────────┬────────────────┬────────────────┬───────────────┬───────────╮
│ Product │ Vulnerability │ Status │ CSAF ID │ TLP │
├───────────────────────────┼────────────────┼────────────────┼───────────────┼───────────┤
│ CSAF Tools CVRF-CSAF-Conv │ CVE-2022-27193 │ known_affected │ BSI-2022-0001 │ TLP:WHITE │
│ erter 1.0.0-alpha │ │ │ │ │
│ CSAF Tools CVRF-CSAF-Conv │ CVE-2022-27193 │ known_affected │ BSI-2022-0001 │ TLP:WHITE │
│ erter 1.0.0-dev1 │ │ │ │ │
│ CSAF Tools CVRF-CSAF-Conv │ CVE-2022-27193 │ known_affected │ BSI-2022-0001 │ TLP:WHITE │
│ erter 1.0.0-dev2 │ │ │ │ │
│ CSAF Tools CVRF-CSAF-Conv │ CVE-2022-27193 │ known_affected │ BSI-2022-0001 │ TLP:WHITE │
│ erter 1.0.0-dev3 │ │ │ │ │
│ CSAF Tools CVRF-CSAF-Conv │ CVE-2022-27193 │ known_affected │ BSI-2022-0001 │ TLP:WHITE │
│ erter 1.0.0-rc1 │ │ │ │ │
│ CSAF Tools CVRF-CSAF-Conv │ CVE-2022-27193 │ first_fixed │ BSI-2022-0001 │ TLP:WHITE │
│ erter 1.0.0-rc2 │ │ │ │ │
│ CSAF Tools CVRF-CSAF-Conv │ CVE-2022-27193 │ fixed │ BSI-2022-0001 │ TLP:WHITE │
│ erter 1.0.0-rc2 │ │ │ │ │
╰───────────────────────────┴────────────────┴────────────────┴───────────────┴───────────╯