Vulnerabilities
List
To display a list of the known vulnerabilities accessible to you, call:
bomnipotent_client vulnerability list
[INFO]
╭──────────────┬─────────────────┬─────────────────────┬────────────────────────────┬───────┬──────────┬───────────┬────────────────────────────╮
│ Product Name │ Product Version │ Vulnerability │ Description │ Score │ Severity │ TLP │ CSAF Assessments │
├──────────────┼─────────────────┼─────────────────────┼────────────────────────────┼───────┼──────────┼───────────┼────────────────────────────┤
│ Best Project │ 3.1.4 │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable p │ │ medium │ TLP:GREEN │ │
│ │ │ │ anic in `Acceptor::accept` │ │ │ │ │
│ Your Project │ 1.0.0 │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable p │ │ medium │ Default │ known_affected, according │
│ │ │ │ anic in `Acceptor::accept` │ │ │ │ to ghsa-qg5g-gv98-5ffh_adv │
│ │ │ │ │ │ │ │ isory │
│ Your Project │ 1.1.0 │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable p │ │ medium │ Default │ fixed, according to ghsa-q │
│ │ │ │ anic in `Acceptor::accept` │ │ │ │ g5g-gv98-5ffh_advisory, re │
│ │ │ │ │ │ │ │ commended, according to gh │
│ │ │ │ │ │ │ │ sa-qg5g-gv98-5ffh_advisory │
╰──────────────┴─────────────────┴─────────────────────┴────────────────────────────┴───────┴──────────┴───────────┴────────────────────────────╯
The output contains an ID for the vulnerability, a description, and a CVSS score and/or severity if available. It also contains a TLP classification, derived from that of the affected product, and ideally a CSAF assessment by the vendor.
The list can be filtered by name and/or version of the affected product:
bomnipotent_client vulnerability list --name="Your Project" --version="1.0.0"
bomnipotent_client vulnerability list -n "Your Project" -v "1.0.0"
[INFO]
╭──────────────┬─────────────────┬─────────────────────┬────────────────────────────┬───────┬──────────┬─────────┬────────────────────────────╮
│ Product Name │ Product Version │ Vulnerability │ Description │ Score │ Severity │ TLP │ CSAF Assessments │
├──────────────┼─────────────────┼─────────────────────┼────────────────────────────┼───────┼──────────┼─────────┼────────────────────────────┤
│ Your Project │ 1.0.0 │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable p │ │ medium │ Default │ known_affected, according │
│ │ │ │ anic in `Acceptor::accept` │ │ │ │ to ghsa-qg5g-gv98-5ffh_adv │
│ │ │ │ │ │ │ │ isory │
╰──────────────┴─────────────────┴─────────────────────┴────────────────────────────┴───────┴──────────┴─────────┴────────────────────────────╯
To display only those vulnerabilities that are not yet covered by a CSAF advisory, call:
bomnipotent_client vulnerability list --unassessed
bomnipotent_client vulnerability list -u
[INFO]
╭──────────────┬─────────────────┬─────────────────────┬────────────────────────────┬───────┬──────────┬───────────┬──────────────────╮
│ Product Name │ Product Version │ Vulnerability │ Description │ Score │ Severity │ TLP │ CSAF Assessments │
├──────────────┼─────────────────┼─────────────────────┼────────────────────────────┼───────┼──────────┼───────────┼──────────────────┤
│ Best Project │ 3.1.4 │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable p │ │ medium │ TLP:GREEN │ │
│ │ │ │ anic in `Acceptor::accept` │ │ │ │ │
╰──────────────┴─────────────────┴─────────────────────┴────────────────────────────┴───────┴──────────┴───────────┴──────────────────╯
[ERROR] Found 1 unassessed vulnerabilities.
The behaviour here is special: if there are any unassessed vulnerabilities, the client returns an error code. This is meant to ease integration with scripts that regularly check for new vulnerabilities, as described for example in the section about CI/CD.
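One way to build such a script around that error code, as an added example that is not part of the BOMnipotent documentation: it runs the filtered "--unassessed" listing for each product version a pipeline ships, and separates "unassessed vulnerabilities exist" (recognised by the "[ERROR] Found N unassessed vulnerabilities." message) from "the client could not run at all", since the exit code alone does not tell them apart. The names check_assessed, gate_products, BOMNIPOTENT_CLIENT and CI_GATE_RUN are assumptions of this example, and the client is assumed to be on PATH and already configured to reach your server.

```shell
#!/bin/sh
# Added CI gate example, not part of the BOMnipotent documentation.
# Assumes bomnipotent_client is on PATH and already configured to reach your
# server; BOMNIPOTENT_CLIENT can be overridden (e.g. with a stub for testing).
BOMNIPOTENT_CLIENT="${BOMNIPOTENT_CLIENT:-bomnipotent_client}"

# check_assessed NAME VERSION
# Exit 0 when every vulnerability of that product version has a CSAF
# assessment, 1 when the client reported unassessed ones, 2 when the client
# failed for another reason (wrong credentials, server down, ...), so a
# pipeline can tell "you need to act" from "the check did not run".
check_assessed() {
    out=$("$BOMNIPOTENT_CLIENT" vulnerability list -n "$1" -v "$2" --unassessed 2>&1)
    status=$?
    printf '%s\n' "$out"
    [ "$status" -eq 0 ] && return 0
    # Any non-zero exit is ambiguous on its own: only the "[ERROR] Found N
    # unassessed vulnerabilities." message proves it was the intended signal.
    case "$out" in
        *"unassessed vulnerabilit"*) return 1 ;;
        *) echo "check for '$1' $2 could not run (exit $status)" >&2; return 2 ;;
    esac
}

# gate_products reads "name|version" lines from stdin, checks each one, and
# returns the worst result seen (0 clean, 1 action needed, 2 check broken),
# so one unreachable server does not hide an unassessed vulnerability.
gate_products() {
    worst=0
    while IFS='|' read -r name version; do
        [ -n "$name" ] || continue
        rc=0
        check_assessed "$name" "$version" || rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return "$worst"
}

# Run as a script with CI_GATE_RUN=1, e.g.
#   printf 'Your Project|1.0.0\n' | CI_GATE_RUN=1 sh vuln_gate.sh
if [ "${CI_GATE_RUN:-0}" = 1 ]; then
    gate_products
    exit $?
fi
```

Exit status 1 from gate_products is the one to fail a pipeline on; treat 2 as a broken check that needs attention rather than as a clean result.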
Listing only vulnerabilities that have an advisory is also possible, but does not exhibit any special client behaviour:
bomnipotent_client vulnerability list --unassessed=false
bomnipotent_client vulnerability list -u false
[INFO]
╭──────────────┬─────────────────┬─────────────────────┬────────────────────────────┬───────┬──────────┬─────────┬────────────────────────────╮
│ Product Name │ Product Version │ Vulnerability │ Description │ Score │ Severity │ TLP │ CSAF Assessments │
├──────────────┼─────────────────┼─────────────────────┼────────────────────────────┼───────┼──────────┼─────────┼────────────────────────────┤
│ Your Project │ 1.0.0 │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable p │ │ medium │ Default │ known_affected, according │
│ │ │ │ anic in `Acceptor::accept` │ │ │ │ to ghsa-qg5g-gv98-5ffh_adv │
│ │ │ │ │ │ │ │ isory │
│ Your Project │ 1.1.0 │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable p │ │ medium │ Default │ fixed, according to ghsa-q │
│ │ │ │ anic in `Acceptor::accept` │ │ │ │ g5g-gv98-5ffh_advisory, re │
│ │ │ │ │ │ │ │ commended, according to gh │
│ │ │ │ │ │ │ │ sa-qg5g-gv98-5ffh_advisory │
╰──────────────┴─────────────────┴─────────────────────┴────────────────────────────┴───────┴──────────┴─────────┴────────────────────────────╯
The CSAF document is a crucial part of vulnerability handling, because it tells you, the user of the product, how you should react to this supply chain vulnerability. Read the next section to find out how to access these documents.
Existence
The "exist" subcommand checks how many entries on the server match some filters. It is available for all commands that accept the "list" subcommand, and accepts the same filters.
Depending on the output mode, the client prints:
- normal mode: a sentence including the number of objects found.
- code: the string "200" if at least one item was found, or "404" if none were found.
- raw: the number of entries that were found.
bomnipotent_client vulnerability exist --name="Your Project" --version="1.0.0"
bomnipotent_client vulnerability exist -n "Your Project" -v "1.0.0"
[INFO] The server contains 1 vulnerabilities matching the filters.