This section covers typical use cases for consumers of supply chain security documents. In this context, “consumer” refers to a person or automation that has reading access (limited or unrestricted) to BOMs, vulnerabilities or CSAF documents.
Bills of Materials stand at the forefront of both BOMnipotents functionality and name. A BOM is a list of all components that make up a product. In the context of cybersecurity, the most prominent variant is the Software Bill of Materials (SBOM), but BOMs allow for more general considerations as well.
Running the following command will list all BOMs accessible to you:
bomnipotent_client bom list[INFO]
╭────────────────────────┬─────────┬─────────────────────────┬───────────┬────────────╮
│ Product │ Version │ Timestamp │ TLP │ Components │
├────────────────────────┼─────────┼─────────────────────────┼───────────┼────────────┤
│ Best Project │ 3.1.4 │ 2025-01-01 10:11:12 UTC │ TLP:GREEN │ 75 │
│ Your Project │ 1.0.0 │ 2025-01-01 10:11:12 UTC │ Default │ 75 │
│ Your Project │ 1.1.0 │ 2025-01-01 10:11:12 UTC │ Default │ 75 │
│ Your Project Container │ 1.2.3 │ 2025-01-01 10:11:12 UTC │ TLP:WHITE │ 939 │
╰────────────────────────┴─────────┴─────────────────────────┴───────────┴────────────╯
BOMs with label TLP:WHITE / TLP:CLEAR are visible to everyone. In this example, your account has access to one BOM with label TLP:AMBER.
The command accepts the optional filters “name” and “version”:
bomnipotent_client bom list --name="Your Project" --version="1.0.0"bomnipotent_client bom list -n "Your Project" -v "1.0.0"[INFO]
╭──────────────┬─────────┬─────────────────────────┬─────────┬────────────╮
│ Product │ Version │ Timestamp │ TLP │ Components │
├──────────────┼─────────┼─────────────────────────┼─────────┼────────────┤
│ Your Project │ 1.0.0 │ 2025-01-01 10:11:12 UTC │ Default │ 75 │
╰──────────────┴─────────┴─────────────────────────┴─────────┴────────────╯
To create a local copy of all boms the server exposes to you, run:
bomnipotent_client bom download /home/boms[INFO] Storing BOMs under /home/boms
This will store the BOMs in the provided folder ("./boms", in this example). It will create the folder structure if it does not already exist. The BOMs are stored in files following the naming scheme {product name}_{product version}.cdx.json.
To avoid inconsistent behaviour accross operating systems, the name and version of the product are converted into lowercase, and most special characters are replaced by an underscore ‘_’. This means that, in principle, different products could lead to the same filename. In that case, BOMnipotent will display a warning instead of silently overwriting a file.
tree /home/boms//home/boms/
|-- best_project_3.1.4.cdx.json
|-- your_project_1.0.0.cdx.json
|-- your_project_1.1.0.cdx.json
`-- your_project_container_1.2.3.cdx.json
1 directory, 4 files
Before requesting files for download, BOMnipotent Client makes an inventory of the BOMs already present in the folder, and downloads only the missing ones.
BOMnipotent does not automatically replace existing files, even if they have changed on the server. It instead prints a warning message:
bomnipotent_client bom download /home/boms[WARN] File ./boms/bomnipotent_1.0.0.cdx.json already exists.
Use the "--overwrite" flag to replace it.
Skipping download to prevent data loss.You can tell BOMnipotent that you really want this file overwritten by using the “–overwrite” flag:
bomnipotent_client bom download /home/boms --overwritebomnipotent_client bom download /home/boms -oAnalogously to the list command, the download command accepts the filters “name” and “version”, to only download a subset of BOMs:
bomnipotent_client bom download /home/boms --name="Your Project" --version="1.0.0"bomnipotent_client bom download /home/boms -n "Your Project" -v "1.0.0"[INFO] Storing BOMs under /home/boms
You can directly display the contents of a single BOM to the console output by calling
bomnipotent_client bom get "Your Project" "1.0.0" | grep -v "serialNumber" | head -n 16{
"$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"version": 1,
"metadata": {
"timestamp": "2025-01-01T10:11:12Z",
"tools": {
"components": [
{
"type": "application",
"author": "anchore",
"name": "syft",
"version": "1.27.1"
}
]
This is especially useful if you want to use the contents of this BOM in a script. For example, to check for vulnerabilities in the supply chain, you could call:
bomnipotent_client bom get "Your Project" "1.0.0" | grypeNAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY EPSS% RISK
rustls 0.23.15 0.23.18 rust-crate GHSA-qg5g-gv98-5ffh Medium N/A N/A
The "exists" subcommand checks whether or not at least one object on the server matches some filters. It is available for all commands that accept the "list" subcommand, and accepts the same filters.
Depending on the output mode, the client prints:
bomnipotent_client bom exists --name="Your Project" --version="1.0.0"bomnipotent_client bom exists -n "Your Project" -v "1.0.0"[INFO] Yes, the server contains 1 BOMs matching the filters.
The purpose of a Bill of Materials is to catalogue components of a product. BOMnipotent Client can be used to list all packages etc. contained in any product that is accessible to your user account. Simply call the client with the arguments “component”, “list”, and then name and version of the product:
bomnipotent_client component list "Your Project" "1.0.0" | awk 'NR <= 16'[INFO]
╭────────────────────────────┬────────────────────────────┬─────────┬────────────────────────────┬────────────────────────────╮
│ Name │ Version │ Type │ CPE │ PURL │
├────────────────────────────┼────────────────────────────┼─────────┼────────────────────────────┼────────────────────────────┤
│ /home/your_project/Cargo.l │ │ file │ │ │
│ ock │ │ │ │ │
│ aho-corasick │ 1.1.3 │ library │ cpe:2.3:a:aho-corasick:aho │ pkg:cargo/aho-corasick@1.1 │
│ │ │ │ -corasick:1.1.3:*:*:*:*:*: │ .3 │
│ │ │ │ *:* │ │
│ aws-lc-rs │ 1.13.1 │ library │ cpe:2.3:a:aws-lc-rs:aws-lc │ pkg:cargo/aws-lc-rs@1.13.1 │
│ │ │ │ -rs:1.13.1:*:*:*:*:*:*:* │ │
│ aws-lc-sys │ 0.29.0 │ library │ cpe:2.3:a:aws-lc-sys:aws-l │ pkg:cargo/aws-lc-sys@0.29. │
│ │ │ │ c-sys:0.29.0:*:*:*:*:*:*:* │ 0 │
│ bindgen │ 0.69.5 │ library │ cpe:2.3:a:bindgen:bindgen: │ pkg:cargo/bindgen@0.69.5 │
│ │ │ │ 0.69.5:*:*:*:*:*:*:* │ │
│ bitflags │ 2.9.1 │ library │ cpe:2.3:a:bitflags:bitflag │ pkg:cargo/bitflags@2.9.1 │
The command accepts the optional filters “name”, “version”, “type”, “cpe” and “purl” (not all used here for the sake of breviy):
bomnipotent_client component list "Your Project" "1.0.0" --name=aho-corasick --version=1.1.3 --type=librarybomnipotent_client component list "Your Project" "1.0.0" -n aho-corasick -v 1.1.3 -t library[INFO]
╭──────────────┬─────────┬─────────┬────────────────────────────┬────────────────────────────╮
│ Name │ Version │ Type │ CPE │ PURL │
├──────────────┼─────────┼─────────┼────────────────────────────┼────────────────────────────┤
│ aho-corasick │ 1.1.3 │ library │ cpe:2.3:a:aho-corasick:aho │ pkg:cargo/aho-corasick@1.1 │
│ │ │ │ -corasick:1.1.3:*:*:*:*:*: │ .3 │
│ │ │ │ *:* │ │
╰──────────────┴─────────┴─────────┴────────────────────────────┴────────────────────────────╯
This output is primarily meant to be human-readable. Using the --output=raw option makes it machine-readable in principle, but
downloading the complete BOM
is most likely preferable to parsing this table output.
A vendor of a product should periodically scan the BOM of a product for vulnerabilities, for example by using tools like grype . The next section explains how you as the user of a product can access these list.
To dispaly a list of known vulnerabilities accessible to you, call:
bomnipotent_client vulnerability list[INFO]
╭──────────────┬─────────┬─────────────────────┬────────────────────────────┬───────┬──────────┬─────────┬─────────────────╮
│ Product │ Version │ Vulnerability │ Description │ Score │ Severity │ TLP │ CSAF Assessment │
├──────────────┼─────────┼─────────────────────┼────────────────────────────┼───────┼──────────┼─────────┼─────────────────┤
│ Your Project │ 1.0.0 │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable p │ │ medium │ Default │ │
│ │ │ │ anic in `Acceptor::accept` │ │ │ │ │
│ Your Project │ 1.1.0 │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable p │ │ medium │ Default │ │
│ │ │ │ anic in `Acceptor::accept` │ │ │ │ │
╰──────────────┴─────────┴─────────────────────┴────────────────────────────┴───────┴──────────┴─────────┴─────────────────╯
The output contains an ID for the vulnerability, a description, and a CVSS value and/or severity if available. It also contains a TLP Classification derived from that of the affected product, and ideally a CSAF Assessment by the vendor.
The list can be filtered by name and/or version of the affected product:
bomnipotent_client vulnerability list --name="Your Project" --version="1.0.0"bomnipotent_client vulnerability list -n "Your Project" -v "1.0.0"[INFO]
╭──────────────┬─────────┬─────────────────────┬────────────────────────────┬───────┬──────────┬─────────┬─────────────────╮
│ Product │ Version │ Vulnerability │ Description │ Score │ Severity │ TLP │ CSAF Assessment │
├──────────────┼─────────┼─────────────────────┼────────────────────────────┼───────┼──────────┼─────────┼─────────────────┤
│ Your Project │ 1.0.0 │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable p │ │ medium │ Default │ │
│ │ │ │ anic in `Acceptor::accept` │ │ │ │ │
╰──────────────┴─────────┴─────────────────────┴────────────────────────────┴───────┴──────────┴─────────┴─────────────────╯
To display only those vulnerabilities that are not yet covered by a CSAF advisory, call:
bomnipotent_client vulnerability list --unassessedbomnipotent_client vulnerability list -u[INFO]
╭──────────────┬─────────┬─────────────────────┬────────────────────────────┬───────┬──────────┬─────────┬─────────────────╮
│ Product │ Version │ Vulnerability │ Description │ Score │ Severity │ TLP │ CSAF Assessment │
├──────────────┼─────────┼─────────────────────┼────────────────────────────┼───────┼──────────┼─────────┼─────────────────┤
│ Your Project │ 1.0.0 │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable p │ │ medium │ Default │ │
│ │ │ │ anic in `Acceptor::accept` │ │ │ │ │
│ Your Project │ 1.1.0 │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable p │ │ medium │ Default │ │
│ │ │ │ anic in `Acceptor::accept` │ │ │ │ │
╰──────────────┴─────────┴─────────────────────┴────────────────────────────┴───────┴──────────┴─────────┴─────────────────╯
[ERROR] Found 2 unassessed vulnerabilities.
The behaviour here is special: If there are any unassessed vulnerabilities, the client will return an error code. This is meant to ease the integration with scripts that regularly check for new vulnerabilities, as is for example described in the section about CI/CD .
Listing only vulnerabilities that have an advisory is also possible, but does not exhibit any special client behaviour:
bomnipotent_client vulnerability list --unassessed=falsebomnipotent_client vulnerability list -u false[INFO]
╭─────────┬─────────┬───────────────┬─────────────┬───────┬──────────┬─────┬─────────────────╮
│ Product │ Version │ Vulnerability │ Description │ Score │ Severity │ TLP │ CSAF Assessment │
├─────────┼─────────┼───────────────┼─────────────┼───────┼──────────┼─────┼─────────────────┤
The CSAF document is a crucial part of vulnerability handling, because it tells you, the user of the product, how you should react to this supply chain vulnerability. Read the next section to find out how to access them.
The "exists" subcommand checks whether or not at least one object on the server matches some filters. It is available for all commands that accept the "list" subcommand, and accepts the same filters.
Depending on the output mode, the client prints:
bomnipotent_client vulnerability exists --name="Your Project" --version="1.0.0"bomnipotent_client vulnerability exists -n "Your Project" -v "1.0.0"[INFO] Yes, the server contains 1 vulnerabilities matching the filters.
When a vulnerability becomes known in one of the components of a product that you use, one of the most natural questions to ask is “What do I have to do now?”. The Common Security Advisory Framework (CSAF) aims to provide an answer to that question in an automated fashion. It is a mainly machine-readable format for exchanging advisories about security vulnerabilities.
One of the main functionalities of BOMnipotent is to make distribution of CSAF documents as easy as possible. Any running instance of BOMnipotent Server acts as a “CSAF Provider” according to the OASIS standard .
Running the following command will give you a list of all CSAF documents accessible to you:
bomnipotent_client csaf list[INFO]
╭────────────────────────────┬────────────────────────────┬─────────────────────────┬─────────────────────────┬────────┬───────────╮
│ ID │ Title │ Initial Release │ Current Release │ Status │ TLP │
├────────────────────────────┼────────────────────────────┼─────────────────────────┼─────────────────────────┼────────┼───────────┤
│ ghsa-qg5g-gv98-5ffh_adviso │ Network-reachable panic in │ 2025-01-01 10:11:12 UTC │ 2025-01-01 10:11:12 UTC │ final │ TLP:AMBER │
│ ry │ Your Product │ │ │ │ │
╰────────────────────────────┴────────────────────────────┴─────────────────────────┴─────────────────────────┴────────┴───────────╯
Accesible CSAF documents are those that are either labeled TLP:WHITE/TLP:CLEAR, or that concern a product that you have been granted access to.
The “csaf list” command allows quite a large number of filters, to display only some of all CSAF documents:
bomnipotent_client csaf list --before=2025-03-01T00:00:00Z --year=2025 --status=final --tlp=amberbomnipotent_client csaf list -b 2025-03-01T00:00:00Z -y 2025 -s final -t amber[INFO]
╭────────────────────────────┬────────────────────────────┬─────────────────────────┬─────────────────────────┬────────┬───────────╮
│ ID │ Title │ Initial Release │ Current Release │ Status │ TLP │
├────────────────────────────┼────────────────────────────┼─────────────────────────┼─────────────────────────┼────────┼───────────┤
│ ghsa-qg5g-gv98-5ffh_adviso │ Network-reachable panic in │ 2025-01-01 10:11:12 UTC │ 2025-01-01 10:11:12 UTC │ final │ TLP:AMBER │
│ ry │ Your Product │ │ │ │ │
╰────────────────────────────┴────────────────────────────┴─────────────────────────┴─────────────────────────┴────────┴───────────╯
To locally mirror all CSAF documents accessible to you, run
bomnipotent_client csaf download /home/csaf[INFO] Storing CSAF documents under /home/csaf
This will store th CSAF documents in the provided folder ("/home/csaf", in this example). It will create the folder structure if it does not already exist. The CSAF documents are stored in file paths following the naming scheme “{tlp}/{initial_release_year}/{csaf_id}.json”.
The filenames of CSAF documents follow a naming scheme defined by the OASIS standard : The ids are converted into lowercase, and most special characters are replaced by an underscore ‘_’. This means that, in principle, different CSAF documents could lead to the same filepath. In that case, BOMnipotent will display an error instead of silently overwriting a file.
tree /home/csaf//home/csaf/
`-- amber
`-- 2025
`-- ghsa-qg5g-gv98-5ffh_advisory.json
3 directories, 1 file
Before requesting files for download, BOMnipotent Client makes an inventory of the CSAF documents already present in the folder, and downloads only the missing ones.
It is possible to only download a single file by providing the path as an additional argument:
bomnipotent_client csaf download /home/csaf amber/2025/ghsa-qg5g-gv98-5ffh_advisory.json[INFO] Storing CSAF document under /home/csaf
BOMnipotent does not automatically replace existing files, even if they have changed on the server. It instead prints a warning message:
bomnipotent_client csaf download /home/csaf[WARN] File /home/csaf/white/2023/wid-sec-w-2023-0001.json already exists.
Use the "--overwrite" flag to replace it.
Skipping download to prevent data loss.You can tell BOMnipotent that you really want this file overwritten by using the “–overwrite” flag:
bomnipotent_client csaf download /home/csaf --overwritebomnipotent_client csaf download /home/csaf -oThe download command accepts exactly the same filters as the list command does, allowing to only download those documents that are relevant to you.
You can directly display the contents of a single CSAF doc to the consolte output by calling
bomnipotent_client csaf get ghsa-qg5g-gv98-5ffh_advisory | tail -n 16 "your_product_1.1.0"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2025-01-01T11:00:00.000Z",
"details": "Update to version 1.1.0.",
"product_ids": [
"your_product_1.0.0"
]
}
]
}
]
}
This is especially useful if you want to use the contents of this CSAF doc in a script.
The "exists" subcommand checks whether or not at least one object on the server matches some filters. It is available for all commands that accept the "list" subcommand, and accepts the same filters.
Depending on the output mode, the client prints:
bomnipotent_client csaf exists --year=2023bomnipotent_client csaf exists -y 2023[INFO] No, the server does not contain any CSAF documents matching the filters.
To see exactly which products are covered by which CSAF advisory, run:
bomnipotent_client product list[INFO]
╭────────────────────────────┬────────────────────────────┬────────────────┬────────────────────────────┬───────────╮
│ Product │ Vulnerability │ Status │ CSAF ID │ TLP │
├────────────────────────────┼────────────────────────────┼────────────────┼────────────────────────────┼───────────┤
│ Best Vendor's Your Product │ Rustls network-reachable p │ known_affected │ ghsa-qg5g-gv98-5ffh_adviso │ TLP:AMBER │
│ v1.0.0 │ anic │ │ ry │ │
│ Best Vendor's Your Product │ Rustls network-reachable p │ fixed │ ghsa-qg5g-gv98-5ffh_adviso │ TLP:AMBER │
│ v1.0.0 │ anic │ │ ry │ │
│ Best Vendor's Your Product │ Rustls network-reachable p │ recommended │ ghsa-qg5g-gv98-5ffh_adviso │ TLP:AMBER │
│ v1.0.0 │ anic │ │ ry │ │
╰────────────────────────────┴────────────────────────────┴────────────────┴────────────────────────────┴───────────╯
The command accepts the optional filters “name”, “vulnerability”, “status” and “csaf”:
bomnipotent_client product list --status=known_affected --csaf="ghsa-qg5g-gv98-5ffh_advisory"bomnipotent_client product list -s known_affected -c "ghsa-qg5g-gv98-5ffh_advisory"[INFO]
╭────────────────────────────┬────────────────────────────┬────────────────┬────────────────────────────┬───────────╮
│ Product │ Vulnerability │ Status │ CSAF ID │ TLP │
├────────────────────────────┼────────────────────────────┼────────────────┼────────────────────────────┼───────────┤
│ Best Vendor's Your Product │ Rustls network-reachable p │ known_affected │ ghsa-qg5g-gv98-5ffh_adviso │ TLP:AMBER │
│ v1.0.0 │ anic │ │ ry │ │
╰────────────────────────────┴────────────────────────────┴────────────────┴────────────────────────────┴───────────╯
The "exists" subcommand checks whether or not at least one object on the server matches some filters. It is available for all commands that accept the "list" subcommand, and accepts the same filters.
Depending on the output mode, the client prints:
bomnipotent_client product exists --status=known_affectedbomnipotent_client product exists -s known_affected[INFO] Yes, the server contains 1 products matching the filters.