Vulnerabilities
List
To display a list of the known vulnerabilities accessible to you, call:
Long form: bomnipotent_client vulnerability list
Short form: bomnipotent_client vuln list
[INFO]
╭──────────────┬─────────┬─────────────────────┬───────────┬────────────────────────────╮
│ Product Name │ Version │ Vulnerability │ TLP │ CSAF Assessments │
├──────────────┼─────────┼─────────────────────┼───────────┼────────────────────────────┤
│ Best Project │ 3.1.4 │ GHSA-qg5g-gv98-5ffh │ TLP:GREEN │ │
│ Your Project │ 1.0.0 │ GHSA-qg5g-gv98-5ffh │ Default │ known_affected, according │
│ │ │ │ │ to ghsa-qg5g-gv98-5ffh_adv │
│ │ │ │ │ isory │
│ Your Project │ 1.1.0 │ GHSA-qg5g-gv98-5ffh │ Default │ fixed, according to ghsa-q │
│ │ │ │ │ g5g-gv98-5ffh_advisory, re │
│ │ │ │ │ commended, according to gh │
│ │ │ │ │ sa-qg5g-gv98-5ffh_advisory │
╰──────────────┴─────────┴─────────────────────┴───────────┴────────────────────────────╯
For more detail, add the "--full" flag (short form "-f"):
Long form: bomnipotent_client vulnerability list --full
Short form: bomnipotent_client vuln list -f
[INFO]
╭──────────────┬─────────┬───────────┬─────────────────────┬────────────────────────────┬───────┬──────────┬───────────┬──────────────────────┬────────────────────────────╮
│ Product Name │ Version │ Component │ Vulnerability │ Description │ Score │ Severity │ TLP │ Source │ CSAF Assessments │
├──────────────┼─────────┼───────────┼─────────────────────┼────────────────────────────┼───────┼──────────┼───────────┼──────────────────────┼────────────────────────────┤
│ Best Project │ 3.1.4 │ │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable p │ 6.9 │ medium │ TLP:GREEN │ github-language-rust │ │
│ │ │ │ │ anic in `Acceptor::accept` │ │ │ │ │ │
│ Your Project │ 1.0.0 │ │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable p │ 6.9 │ medium │ Default │ github-language-rust │ known_affected, according │
│ │ │ │ │ anic in `Acceptor::accept` │ │ │ │ │ to ghsa-qg5g-gv98-5ffh_adv │
│ │ │ │ │ │ │ │ │ │ isory │
│ Your Project │ 1.1.0 │ │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable p │ 6.9 │ medium │ Default │ github-language-rust │ fixed, according to ghsa-q │
│ │ │ │ │ anic in `Acceptor::accept` │ │ │ │ │ g5g-gv98-5ffh_advisory, re │
│ │ │ │ │ │ │ │ │ │ commended, according to gh │
│ │ │ │ │ │ │ │ │ │ sa-qg5g-gv98-5ffh_advisory │
╰──────────────┴─────────┴───────────┴─────────────────────┴────────────────────────────┴───────┴──────────┴───────────┴──────────────────────┴────────────────────────────╯
The default listing shows the vulnerability ID, the TLP classification and any CSAF assessments; the full output additionally contains the affected component, a description, the source of the vulnerability data, and a CVSS score and/or severity where the source provides them. The TLP classification is derived from that of the affected product. Ideally, each entry also carries a CSAF assessment by the vendor.
The list can be filtered by name and/or version of the affected product:
Long form: bomnipotent_client vulnerability list --name="Your Project" --version="1.0.0"
Short form: bomnipotent_client vuln list -n "Your Project" -v "1.0.0"
[INFO]
╭──────────────┬─────────┬─────────────────────┬─────────┬────────────────────────────╮
│ Product Name │ Version │ Vulnerability │ TLP │ CSAF Assessments │
├──────────────┼─────────┼─────────────────────┼─────────┼────────────────────────────┤
│ Your Project │ 1.0.0 │ GHSA-qg5g-gv98-5ffh │ Default │ known_affected, according │
│ │ │ │ │ to ghsa-qg5g-gv98-5ffh_adv │
│ │ │ │ │ isory │
╰──────────────┴─────────┴─────────────────────┴─────────┴────────────────────────────╯
To display only those vulnerabilities that are not yet covered by a CSAF advisory, call:
Long form: bomnipotent_client vulnerability list --unassessed
Short form: bomnipotent_client vuln list -u
[WARN]
╭──────────────┬─────────┬─────────────────────┬───────────┬──────────────────╮
│ Product Name │ Version │ Vulnerability │ TLP │ CSAF Assessments │
├──────────────┼─────────┼─────────────────────┼───────────┼──────────────────┤
│ Best Project │ 3.1.4 │ GHSA-qg5g-gv98-5ffh │ TLP:GREEN │ │
╰──────────────┴─────────┴─────────────────────┴───────────┴──────────────────╯
[ERROR] Found 1 unassessed vulnerabilities.
The behaviour here is special: if any unassessed vulnerabilities are found, the client exits with an error code instead of success. This is meant to ease integration into scripts that regularly check for new vulnerabilities, for example in a CI/CD pipeline as described in the section about CI/CD.
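The following script is an added example of such a pipeline gate; it is not part of the BOMnipotent project or its documentation. It relies only on the documented behaviour that "vulnerability list --unassessed" exits with an error code when unassessed vulnerabilities exist. It assumes the client is on PATH (or named via the hypothetical BOMNIPOTENT_CLIENT variable) and that server URL and credentials are already configured. Telling "unassessed vulnerabilities found" apart from other client failures by matching the "Found N unassessed vulnerabilities" message is a heuristic of this example, not a documented contract.

```shell
# Added example: gate a CI job on "bomnipotent_client vulnerability list --unassessed".
# Assumption (not from the page): the client binary is on PATH or named via
# $BOMNIPOTENT_CLIENT; server URL and credentials are configured elsewhere.
BOMNIPOTENT_CLIENT="${BOMNIPOTENT_CLIENT:-bomnipotent_client}"

# gate_on_unassessed NAME VERSION
# Exit status: 0 = no unassessed vulnerabilities for this product/version,
#              1 = unassessed vulnerabilities found (block the release),
#              2 = the client failed for another reason (unreachable server,
#                  bad credentials, ...), which must never count as "clean".
gate_on_unassessed() {
    name=$1
    version=$2
    out=$("$BOMNIPOTENT_CLIENT" vulnerability list --unassessed \
            --name="$name" --version="$version" 2>&1)
    rc=$?
    if [ "$rc" -eq 0 ]; then
        printf 'OK: no unassessed vulnerabilities for %s %s\n' "$name" "$version"
        return 0
    fi
    # The client exits non-zero both when it finds unassessed vulnerabilities and
    # when something else goes wrong. Distinguishing the two by the message shown
    # in the sample output ("Found N unassessed vulnerabilities") is a heuristic
    # of this example, not a documented client contract.
    case $out in
        *"unassessed vulnerabilities"*)
            printf '%s\n' "$out" >&2
            printf 'BLOCKED: %s %s has unassessed vulnerabilities\n' "$name" "$version" >&2
            return 1 ;;
        *)
            printf 'ERROR: client exited with status %s: %s\n' "$rc" "$out" >&2
            return 2 ;;
    esac
}

# Typical pipeline step; the function's exit status becomes the job's status:
# gate_on_unassessed "Your Project" "1.0.0"
```

Returning a distinct status for client failures matters: a pipeline that treats "could not reach the server" as "no unassessed vulnerabilities" silently disables the gate.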
Listing only vulnerabilities that have an advisory is also possible, but does not exhibit any special client behaviour:
Long form: bomnipotent_client vulnerability list --unassessed=false
Short form: bomnipotent_client vuln list -u false
[INFO]
╭──────────────┬─────────┬─────────────────────┬─────────┬────────────────────────────╮
│ Product Name │ Version │ Vulnerability │ TLP │ CSAF Assessments │
├──────────────┼─────────┼─────────────────────┼─────────┼────────────────────────────┤
│ Your Project │ 1.0.0 │ GHSA-qg5g-gv98-5ffh │ Default │ known_affected, according │
│ │ │ │ │ to ghsa-qg5g-gv98-5ffh_adv │
│ │ │ │ │ isory │
│ Your Project │ 1.1.0 │ GHSA-qg5g-gv98-5ffh │ Default │ fixed, according to ghsa-q │
│ │ │ │ │ g5g-gv98-5ffh_advisory, re │
│ │ │ │ │ commended, according to gh │
│ │ │ │ │ sa-qg5g-gv98-5ffh_advisory │
╰──────────────┴─────────┴─────────────────────┴─────────┴────────────────────────────╯
The CSAF document is a crucial part of vulnerability handling, because it tells you, the user of the product, how you should react to this supply chain vulnerability. Read the next section to find out how to access them.
Existence
The "exist" subcommand reports how many entries on the server match the given filters. It is available for every command that accepts the "list" subcommand, and it accepts the same filters.
Depending on the output mode, the client prints:
- normal mode: a sentence including the number of found objects.
- code: The string "200" if at least one item was found, or "404" if none were found.
- raw: The number of entries that were found.
Long form: bomnipotent_client vulnerability exist --name="Your Project" --version="1.0.0"
Short form: bomnipotent_client vuln exist -n "Your Project" -v "1.0.0"
[INFO] The server contains 1 vulnerabilities matching the filters.
Analyze
Running the command "vulnerability analyze" with one or more file paths to valid CycloneDX BOMs displays the vulnerabilities found for those BOMs (combined into one table if several files are given):
Long form: bomnipotent_client vulnerability analyze /home/your_project/vuln.cdx.json
Short form: bomnipotent_client vuln analyze /home/your_project/vuln.cdx.json
[INFO]
╭──────────────┬────────────┬───────────┬─────────────────────┬────────────────────────────┬───────┬──────────┬─────────┬──────────────────────┬──────────────────╮
│ Product Name │ Version │ Component │ Vulnerability │ Description │ Score │ Severity │ TLP │ Source │ CSAF Assessments │
├──────────────┼────────────┼───────────┼─────────────────────┼────────────────────────────┼───────┼──────────┼─────────┼──────────────────────┼──────────────────┤
│ Your Project │ 2026-03-31 │ │ GHSA-65p9-r9h6-22vj │ AWS-LC has Timing Side-Cha │ 8.2 │ high │ Default │ github-language-rust │ │
│ │ │ │ │ nnel in AES-CCM Tag Verifi │ │ │ │ │ │
│ │ │ │ │ cation │ │ │ │ │ │
│ Your Project │ 2026-03-31 │ │ GHSA-9f94-5g5w-gf6r │ CRL Distribution Point Sco │ 7.4 │ high │ Default │ github-language-rust │ │
│ │ │ │ │ pe Check Logic Error in AW │ │ │ │ │ │
│ │ │ │ │ S-LC │ │ │ │ │ │
│ Your Project │ 2026-03-31 │ │ GHSA-hfpc-8r3f-gw53 │ AWS-LC has PKCS7_verify Si │ 7.5 │ high │ Default │ github-language-rust │ │
│ │ │ │ │ gnature Validation Bypass │ │ │ │ │ │
│ Your Project │ 2026-03-31 │ │ GHSA-pwjx-qhcg-rvj4 │ webpki: CRLs not considere │ 4.4 │ medium │ Default │ github-language-rust │ │
│ │ │ │ │ d authoritative by Distrib │ │ │ │ │ │
│ │ │ │ │ ution Point due to faulty │ │ │ │ │ │
│ │ │ │ │ matching logic │ │ │ │ │ │
│ Your Project │ 2026-03-31 │ │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable p │ 6.9 │ medium │ Default │ github-language-rust │ │
│ │ │ │ │ anic in `Acceptor::accept` │ │ │ │ │ │
│ Your Project │ 2026-03-31 │ │ GHSA-vw5v-4f2q-w9xf │ AWS-LC has PKCS7_verify Ce │ 8.7 │ high │ Default │ github-language-rust │ │
│ │ │ │ │ rtificate Chain Validation │ │ │ │ │ │
│ │ │ │ │ Bypass │ │ │ │ │ │
╰──────────────┴────────────┴───────────┴─────────────────────┴────────────────────────────┴───────┴──────────┴─────────┴──────────────────────┴──────────────────╯