Open
Labels
bug (Something isn't working)
Description
Using your test data I see the following:
```
$ bomber scan bomber.spdx.json
██▄ ▄▀▄ █▄ ▄█ ██▄ ██▀ █▀▄
█▄█ ▀▄▀ █ ▀ █ █▄█ █▄▄ █▀▄
DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.4.8
CVE-2022-31163
■ Ecosystems detected: golang
■ Scanning 29 packages for vulnerabilities...
■ Vulnerability Provider: OSV Vulnerability Database (https://osv.dev)
■ Files Scanned
bomber.spdx.json (sha256:60c66f7d1fc34c3f907efa9c8125fedbdb3ea3b6b4b53d4aacbdd885a679d435)
╭────────┬──────┬─────────┬─────────────┬────────────────────────────────────┬────────╮
│ TYPE   │ NAME │ VERSION │ SEVERITY    │ VULNERABILITY                      │ EPSS % │
├────────┼──────┼─────────┼─────────────┼────────────────────────────────────┼────────┤
│ golang │ text │ v0.3.7  │ UNSPECIFIED │ CVE-2022-32149,GHSA-69ch-w2m2-3vjp │ N/A    │
│        │      ├─────────┼─────────────┼────────────────────────────────────┼────────┤
│        │      │ v0.3.7  │ HIGH        │ CVE-2022-32149,GO-2022-1059        │ N/A    │
╰────────┴──────┴─────────┴─────────────┴────────────────────────────────────┴────────╯
Total vulnerabilities found: 2
╭─────────────┬───────╮
│ RATING      │ COUNT │
├─────────────┼───────┤
│ HIGH        │ 1     │
├─────────────┼───────┤
│ UNSPECIFIED │ 1     │
├─────────────┼───────┤
│ UNSPECIFIED │ 1     │
╰─────────────┴───────╯
NOTES:
1. The list of vulnerabilities displayed may differ from provider to provider. This list
may not contain all possible vulnerabilities. Please try the other providers that bomber
supports (osv, ossindex, snyk)
2. EPSS Percentage indicates the % chance that the vulnerability will be exploited. This
value will assist in prioritizing remediation. For more information on EPSS, refer to
https://www.first.org/epss/
```
Then if I point to an ignore file (https://github.com/devops-kung-fu/bomber/blob/main/_TESTDATA_/ignore/bomber.ignore) I get this:
```
$ bomber --ignore-file=bomber.ignore scan bomber.spdx.json
██▄ ▄▀▄ █▄ ▄█ ██▄ ██▀ █▀▄
█▄█ ▀▄▀ █ ▀ █ █▄█ █▄▄ █▀▄
DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.4.8
■ Ecosystems detected: golang
■ Scanning 29 packages for vulnerabilities...
■ Vulnerability Provider: OSV Vulnerability Database (https://osv.dev)
| Fetching vulnerability data from osv
```
It seems to scan the database, but then the report is never output and a zero exit code is returned.
It doesn't seem to matter what SBOM or ignore file I use.
This is being run on Amazon Linux 2023.
pviolette3