Vulnerabilities
An activity at the core of supply chain security is to compare the contents of a BOM, meaning all components of a product, to databases of known vulnerabilities.
For vulnerability interactions beyond reading, you need the VULN_MANAGEMENT permission. The section about Access Management describes how it is granted.
Detecting
BOMnipotent does not itself detect new vulnerabilities. One tool that can be used in combination with BOMnipotent is grype, which takes a BOM as input and produces a list of vulnerabilities as output. The grype tutorial contains some additional information on its usage. Other tools can be used as long as they provide output in CycloneDX JSON format.
Using the BOMnipotent Client, you can directly print the contents of a BOM and pipe it to grype.
bomnipotent_client bom get <BOM-NAME> <BOM-VERSION> | grype --output cyclonedx-json=./vuln.cdx.json
bomnipotent_client bom get <BOM-NAME> <BOM-VERSION> | grype -o cyclonedx-json=./vuln.cdx.json
This checks the software components against several vulnerability databases and adds the result to the CycloneDX document. It then stores all of that in a file called “vuln.cdx.json” (or whichever other name you provide).
Grype currently has a small known bug that makes it forget the version of the main component when it adds the vulnerabilities. This is a bit problematic because BOMnipotent needs the version to uniquely identify a product. One possible workaround is to re-add the version to the document, for example via:
jq '.metadata.component.version = "<VERSION>"' "vuln.cdx.json" > "vuln_with_version.cdx.json"
Starting with BOMnipotent v0.3.1 you can instead directly provide the version during the vulnerability upload, as described below.
Updating
The command to update the vulnerabilities associated with a BOM is
bomnipotent_client vulnerability update <VULNERABILITIES>
[INFO] Updated vulnerabilities of BOM vulny_0.1.0
The “<VULNERABILITIES>” argument needs to be a path to a file in CycloneDX JSON format.
Ideally, this file contains the name and version of the associated BOM, in which case they will automatically be read. If one of the values is missing (due to a known bug in grype, for example), you can provide it with an optional argument:
bomnipotent_client vulnerability update <VULNERABILITIES> --name=<NAME> --version=<VERSION>
bomnipotent_client vulnerability update <VULNERABILITIES> -n <NAME> -v <VERSION>
[INFO] Updated vulnerabilities of BOM BOMnipotent_1.0.0
Vulnerabilities are meant to be updated periodically. Doing so completely replaces any previous vulnerabilities associated with the BOM. The uploaded CycloneDX document therefore needs to contain the full list of all currently known vulnerabilities, not just the new ones.
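The detection and upload steps above, as an added example that is not code from the BOMnipotent or grype projects: a small Python script that checks a grype CycloneDX result for the name and version BOMnipotent needs, fills in a missing version the way the jq workaround does (using a fallback value only where the document lacks the field, like the --name/--version flags), and lists the vulnerability ids the document contains. The sample document, the function names and the package URL inside it are constructed for this example.

```python
"""Prepare a grype CycloneDX vulnerability document for upload to BOMnipotent.

Added example, not part of BOMnipotent or grype. It mirrors two things the text
describes: the jq workaround that re-adds metadata.component.version, and the
upload command's fallback to explicitly given name/version values.
"""
import json
import sys

# Constructed sample of a grype "cyclonedx-json" result, trimmed to the parts
# that matter here. The main component has a name but no version, which mirrors
# the grype bug described above.
SAMPLE_VULN_DOC = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "vulny"}},
    "components": [{"type": "library", "name": "rustls", "version": "0.23.4"}],
    "vulnerabilities": [
        {"id": "GHSA-qg5g-gv98-5ffh",
         "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "pkg:cargo/rustls@0.23.4"}]},  # constructed ref
    ],
})


def main_component(doc):
    """Return the metadata.component dict, or an empty dict if it is absent."""
    return (doc.get("metadata") or {}).get("component") or {}


def missing_fields(text, name=None, version=None):
    """List the identifying fields that are neither in the document nor given
    as a fallback. An empty list means the BOM can be identified."""
    comp = main_component(json.loads(text))
    missing = []
    if not (comp.get("name") or name):
        missing.append("name")
    if not (comp.get("version") or version):
        missing.append("version")
    return missing


def prepare_upload(text, name=None, version=None):
    """Parse a CycloneDX JSON document and make sure it identifies its BOM.

    Fallback values are only used for fields the document lacks, so a document
    that already carries name and version is left untouched. Returns the
    resolved name/version, the vulnerability ids found, and the patched JSON
    text, ready to be written to a file and passed to
    `bomnipotent_client vulnerability update`.
    """
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document: bomFormat=%r" % doc.get("bomFormat"))
    missing = missing_fields(text, name, version)
    if missing:
        raise ValueError("cannot identify BOM, missing: " + ", ".join(missing))
    comp = doc.setdefault("metadata", {}).setdefault("component", {})
    comp.setdefault("name", name)        # same effect as the jq assignment,
    comp.setdefault("version", version)  # but only when the field is absent
    vuln_ids = sorted(v.get("id", "<no id>") for v in doc.get("vulnerabilities", []))
    return {
        "name": comp["name"],
        "version": comp["version"],
        "vulnerabilities": vuln_ids,
        "json": json.dumps(doc, indent=2),
    }


if __name__ == "__main__":
    # Usage: prepare_upload.py <vuln.cdx.json> [<VERSION>] > vuln_with_version.cdx.json
    # (hypothetical script name; run with no arguments it uses the sample above)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
        fallback_version = sys.argv[2] if len(sys.argv) > 2 else None
    else:
        source, fallback_version = SAMPLE_VULN_DOC, "0.1.0"
    result = prepare_upload(source, version=fallback_version)
    print("BOM %s_%s with %d vulnerabilities" % (
        result["name"], result["version"], len(result["vulnerabilities"])), file=sys.stderr)
    print(result["json"])
```

Running the script before the upload turns the silent "version missing" failure into an explicit error, and the summary line on stderr lets a CI job log which BOM the full vulnerability list is about to replace.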
You can only update vulnerabilities for a BOM that exists on the server:
[ERROR] Received response:
404 Not Found
BOM Schlagsahne_1.0.1 not found in database
Listing
The section about listing vulnerabilities in the documentation for consumers covers most aspects of listing vulnerabilities.
One aspect not mentioned there is the --unassessed option. With it, BOMnipotent Client lists only those vulnerabilities that have no CSAF document associated with them.
bomnipotent_client vulnerability list --unassessed
bomnipotent_client vulnerability list -u
╭─────────────┬─────────┬─────────────────────┬───────────────────────────┬───────┬──────────┬─────────┬─────────────────╮
│ Product │ Version │ Vulnerability │ Description │ Score │ Severity │ TLP │ CSAF Assessment │
├─────────────┼─────────┼─────────────────────┼───────────────────────────┼───────┼──────────┼─────────┼─────────────────┤
│ BOMnipotent │ 1.0.0 │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable │ │ medium │ Default │ │
│ │ │ │ panic in `Acceptor::accep │ │ │ │ │
│ │ │ │ t` │ │ │ │ │
│ vulny │ 0.1.0 │ GHSA-qg5g-gv98-5ffh │ rustls network-reachable │ │ medium │ Default │ │
│ │ │ │ panic in `Acceptor::accep │ │ │ │ │
│ │ │ │ t` │ │ │ │ │
╰─────────────┴─────────┴─────────────────────┴───────────────────────────┴───────┴──────────┴─────────┴─────────────────╯
[ERROR] Found 2 unassessed vulnerabilities.
In this mode, BOMnipotent Client exits with a code indicating an error if and only if there are unassessed vulnerabilities. This makes it easy to integrate this call into your periodic CI/CD pipeline.
You can freely combine this option with specifying a product name or version:
bomnipotent_client vulnerability list <NAME> <VERSION> --unassessed
bomnipotent_client vulnerability list <NAME> <VERSION> -u
[INFO] No unassessed vulnerabilities found