
Vulnerability Database management #238

@anthonyharrison

Description

Each time bomber is run, the vulnerability database is downloaded. For multiple scans of SBOMs, this is not ideal and it would be good if the database download could be controlled particularly if the data has already been downloaded. Having a continually changing vulnerability baseline isn't ideal either.

Suggested enhancements:

1/ Cache the database download and only download a new copy if the data is older than X (default is 24 hours but could be a command line or configuration parameter)
2/ Add a command line to just use the existing data (regardless of how old it is).
3/ To allow the tool to operate in an offline (or air-gapped) environment, provide options to import and export a vulnerability database.
4/ If the data already exists elsewhere in the system (e.g. because it has been used by another tool), provide a filepath to the data to use.
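One way a scanner could implement the cache policy sketched in 1/, 2/ and 4/ above (fresh-enough cached copy is reused, a stale one is refreshed, an offline flag or an explicit path suppresses the download). This is an added example, not bomber's own code; the option names and the `vulndb.json` file name are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// CacheOptions models the controls proposed in the issue. The field names
// are hypothetical; they are not bomber's actual flags.
type CacheOptions struct {
	CacheDir string        // directory holding the cached download
	MaxAge   time.Duration // re-download when the cached copy is older than this (1/)
	Offline  bool          // use existing data regardless of age, never download (2/)
	DBPath   string        // path to a database already present on the system (4/)
}

// ErrNoDatabase is returned when nothing usable is on disk and downloading is not allowed.
var ErrNoDatabase = errors.New("no usable vulnerability database on disk and download not permitted")

// Resolve returns the database file to use and whether it must be downloaded first.
func Resolve(opts CacheOptions, now time.Time) (path string, download bool, err error) {
	path = opts.DBPath
	explicit := path != ""
	if !explicit {
		path = filepath.Join(opts.CacheDir, "vulndb.json") // assumed cache file name
	}
	info, statErr := os.Stat(path)
	switch {
	case statErr == nil && (opts.Offline || explicit):
		return path, false, nil // caller asked to trust whatever is on disk
	case statErr == nil && now.Sub(info.ModTime()) < opts.MaxAge:
		return path, false, nil // cached copy is fresh enough
	case opts.Offline || explicit:
		return "", false, ErrNoDatabase // nothing usable and fetching is not allowed
	default:
		return path, true, nil // stale or missing: fetch a new copy into the cache
	}
}

func main() {
	opts := CacheOptions{CacheDir: os.TempDir(), MaxAge: 24 * time.Hour}
	path, download, err := Resolve(opts, time.Now())
	fmt.Println(path, download, err)
}
```

Import/export for air-gapped use (3/) is not covered here; with this layout it reduces to copying the resolved file out of, or into, `CacheDir`.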
