
Scanning with Github provider not working #256

@rjuengling-hf

Description

I tried scanning with the new github provider and it does not find any vulnerabilities. My SBOM includes known vulnerabilities that I can find in GitHub's advisory database but bomber always reports

No vulnerabilities found using the github provider

When scanning the same SBOM with the ossindex provider bomber reports the vulnerabilities. I am providing a small example.

$ bomber scan example-sbom.json --provider=ossindex


   __              __
  / /  ___  __ _  / /  ___ ____
 / _ \/ _ \/  ' \/ _ \/ -_) __/
/_.__/\___/_/_/_/_.__/\__/_/   

DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.5.1

■ Scanning Files:
        example-sbom.json
■ Ecosystems detected: pypi
■ Provider supported ecosystems:  maven,npm,golang,pypi,nuget,gem,cargo,pod,composer,conan,conda,cran,rpm,swift
■ Scanning 1 packages for vulnerabilities...
■ Vulnerability Provider: Sonatype OSS Index (https://ossindex.sonatype.org)

■ Files Scanned
        example-sbom.json (sha256:554f8446ef6d2f523fedd062b47b2d475d472ad4333687587e831e08d06b432a)

■ Licenses Found: Apache-2.0

╭──────┬──────┬─────────┬──────────┬────────────────┬────────╮
│ TYPE │ NAME │ VERSION │ SEVERITY │ VULNERABILITY  │ EPSS % │
├──────┼──────┼─────────┼──────────┼────────────────┼────────┤
│ pypi │ rsa  │ 4.9     │ MODERATE │ CVE-2020-25658 │ N/A    │
╰──────┴──────┴─────────┴──────────┴────────────────┴────────╯

Total vulnerabilities found: 1

╭──────────┬───────╮
│ RATING   │ COUNT │
├──────────┼───────┤
│ MODERATE │     1 │
╰──────────┴───────╯


NOTES:

1. The list of vulnerabilities displayed may differ from provider to provider. This list
   may not contain all possible vulnerabilities. Please try the other providers that bomber
   supports (osv, ossindex, snyk)
2. EPSS Percentage indicates the % chance that the vulnerability will be exploited. This
   value will assist in prioritizing remediation. For more information on EPSS, refer to
   https://www.first.org/epss/
3. An EPSS Percentage showing as N/A means that no EPSS data was available for the vulnerability
   or the --enrich=epss flag was not set when running bomber

$ bomber scan example-sbom.json --provider=github


   __              __
  / /  ___  __ _  / /  ___ ____
 / _ \/ _ \/  ' \/ _ \/ -_) __/
/_.__/\___/_/_/_/_.__/\__/_/   

DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.5.1

■ Scanning Files:
        example-sbom.json
■ Ecosystems detected: pypi
■ Provider supported ecosystems:  github-actions,composer,erlang,golang,maven,npm,nuget,pypi,pypi,rubygems,cargo
■ Scanning 1 packages for vulnerabilities...
■ Vulnerability Provider: GitHub Advisory Database (https://github.com/advisories)

■ Files Scanned
        example-sbom.json (sha256:554f8446ef6d2f523fedd062b47b2d475d472ad4333687587e831e08d06b432a)

■ Licenses Found: Apache-2.0

No vulnerabilities found using the github provider

NOTE: Just because bomber didn't find any vulnerabilities using the github provider doesn't
mean there are no vulnerabilities. Please try the other providers that bomber
supports (osv, github, ossindex)

example-sbom.json
GAD entry
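A way to cross-check a component against the GitHub Advisory Database independently of bomber, added here as an example and not part of this issue or of the bomber project: it reads a constructed CycloneDX SBOM standing in for the attached example-sbom.json (one pypi component, rsa 4.9, as the ossindex output shows), maps the purl type to the ecosystem name the GitHub REST advisories endpoint uses (`pip` for PyPI), builds the `GET /advisories?ecosystem=…&affects=name@version` query, and then filters the returned advisories by whether their `vulnerable_version_range` actually covers the component version. The advisory IDs and ranges in the embedded sample response are placeholders, not the real data for rsa, so the offline run only shows the mechanics; setting `GHSA_LIVE=1` performs the real query. The version comparator is a simplified dotted-numeric comparison, not full PEP 440.

```python
"""Cross-check SBOM components against the GitHub Advisory Database (example code)."""
import json
import re
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed CycloneDX SBOM standing in for the attached example-sbom.json
# (assumption: one pypi component, rsa 4.9, as the ossindex output shows).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [{"type": "library", "name": "rsa", "version": "4.9",
                    "purl": "pkg:pypi/rsa@4.9"}],
})

# Constructed advisories response: IDs and ranges are placeholders, not the real
# GitHub data for rsa. One range covers 4.9 and one does not, so both outcomes
# of the matcher are exercised offline.
SAMPLE_RESPONSE = json.dumps([
    {"ghsa_id": "GHSA-aaaa-bbbb-cccc", "cve_id": "CVE-0000-00001", "severity": "moderate",
     "vulnerabilities": [{"package": {"ecosystem": "pip", "name": "rsa"},
                          "vulnerable_version_range": ">= 4.0, < 4.7",
                          "first_patched_version": "4.7"}]},
    {"ghsa_id": "GHSA-dddd-eeee-ffff", "cve_id": "CVE-0000-00002", "severity": "high",
     "vulnerabilities": [{"package": {"ecosystem": "pip", "name": "rsa"},
                          "vulnerable_version_range": "<= 4.9",
                          "first_patched_version": None}]},
])

# purl type -> ecosystem name the GitHub advisories API expects (Python is "pip").
PURL_TO_GITHUB_ECOSYSTEM = {
    "pypi": "pip", "npm": "npm", "maven": "maven", "golang": "go",
    "cargo": "rust", "gem": "rubygems", "nuget": "nuget", "composer": "composer",
}
API = "https://api.github.com/advisories"


def sbom_components(sbom_json):
    """Yield (purl_type, name, version) for each component of a CycloneDX SBOM."""
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl", "")
        purl_type = purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else ""
        yield purl_type, comp["name"], comp["version"]


def advisory_query_url(purl_type, name, version):
    """Build GET /advisories?ecosystem=<eco>&affects=<name>@<version>."""
    eco = PURL_TO_GITHUB_ECOSYSTEM.get(purl_type)
    if eco is None:
        raise ValueError(f"no GitHub ecosystem mapping for purl type {purl_type!r}")
    return f"{API}?{urlencode({'ecosystem': eco, 'affects': f'{name}@{version}'})}"


def _compare(a, b):
    """Dotted numeric comparison (4.9 < 4.10; 4.9 == 4.9.0). Simplification:
    non-numeric segments such as pre-release tags count as 0; not full PEP 440."""
    ka = [int(s) if s.isdigit() else 0 for s in a.split(".")]
    kb = [int(s) if s.isdigit() else 0 for s in b.split(".")]
    n = max(len(ka), len(kb))
    ka, kb = ka + [0] * (n - len(ka)), kb + [0] * (n - len(kb))
    return (ka > kb) - (ka < kb)


_CLAUSE = re.compile(r"^(>=|<=|>|<|=)\s*(\S+)$")
_OPS = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
        "<": lambda c: c < 0, "=": lambda c: c == 0}


def in_range(version, version_range):
    """True if version satisfies every comma-separated clause of a range such as
    '>= 4.0, < 4.7'. An unparseable clause never counts as a match."""
    for clause in version_range.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            return False
        op, bound = m.groups()
        if not _OPS[op](_compare(version, bound)):
            return False
    return True


def matching_advisories(response_json, name, version):
    """CVE id (or GHSA id when no CVE is assigned) of each advisory in the
    response whose vulnerable range covers name@version."""
    hits = []
    for adv in json.loads(response_json):
        for vuln in adv.get("vulnerabilities", []):
            if vuln["package"]["name"] == name and in_range(version, vuln["vulnerable_version_range"]):
                hits.append(adv.get("cve_id") or adv["ghsa_id"])
                break
    return hits


def fetch_advisories(query_url, token=None):
    """Live query; public advisories need no token, but one raises the rate limit."""
    headers = {"Accept": "application/vnd.github+json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    with urlopen(Request(query_url, headers=headers)) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    import os
    for purl_type, name, version in sbom_components(SAMPLE_SBOM):
        url = advisory_query_url(purl_type, name, version)
        print("query:", url)
        live = os.environ.get("GHSA_LIVE")
        body = fetch_advisories(url, os.environ.get("GITHUB_TOKEN")) if live else SAMPLE_RESPONSE
        print(f"{name}@{version}: covered by {matching_advisories(body, name, version)}")
```

Comparing the live result with bomber's verdict separates two cases: an advisory whose range covers the version but which the github provider did not report points at the provider, whereas an advisory whose range excludes the version means the two databases disagree, and an empty result from the github provider is then consistent with its own data source.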

Labels: bug