Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

--ignore-file option not working #204

Open
sssylvester opened this issue Feb 29, 2024 · 3 comments
Open

--ignore-file option not working #204

sssylvester opened this issue Feb 29, 2024 · 3 comments
Assignees
Labels
bug Something isn't working

Comments

@sssylvester
Copy link

Using your test data I see the following:

$ bomber scan bomber.spdx.json

 ██▄ ▄▀▄ █▄ ▄█ ██▄ ██▀ █▀▄
 █▄█ ▀▄▀ █ ▀ █ █▄█ █▄▄ █▀▄

DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.4.8
CVE-2022-31163

■ Ecosystems detected: golang
■ Scanning 29 packages for vulnerabilities...
■ Vulnerability Provider: OSV Vulnerability Database (https://osv.dev)

■ Files Scanned
	bomber.spdx.json (sha256:60c66f7d1fc34c3f907efa9c8125fedbdb3ea3b6b4b53d4aacbdd885a679d435)

╭────────┬──────┬─────────┬─────────────┬────────────────────────────────────┬────────╮
│ TYPE   │ NAME │ VERSION │ SEVERITY    │ VULNERABILITY                      │ EPSS % │
├────────┼──────┼─────────┼─────────────┼────────────────────────────────────┼────────┤
│ golang │ text │ v0.3.7  │ UNSPECIFIED │ CVE-2022-32149,GHSA-69ch-w2m2-3vjp │ N/A    │
│        │      ├─────────┼─────────────┼────────────────────────────────────┼────────┤
│        │      │ v0.3.7  │ HIGH        │ CVE-2022-32149,GO-2022-1059        │ N/A    │
╰────────┴──────┴─────────┴─────────────┴────────────────────────────────────┴────────╯

Total vulnerabilities found: 2

╭─────────────┬───────╮
│ RATING      │ COUNT │
├─────────────┼───────┤
│ HIGH        │     1 │
├─────────────┼───────┤
│ UNSPECIFIED │     1 │
├─────────────┼───────┤
│ UNSPECIFIED │     1 │
╰─────────────┴───────╯


NOTES:

1. The list of vulnerabilities displayed may differ from provider to provider. This list
   may not contain all possible vulnerabilities. Please try the other providers that bomber
   supports (osv, ossindex, snyk)
2. EPSS Percentage indicates the % chance that the vulnerability will be exploited. This
   value will assist in prioritizing remediation. For more information on EPSS, refer to
   https://www.first.org/epss/`

Then if I point to an ignore file (https://github.com/devops-kung-fu/bomber/blob/main/_TESTDATA_/ignore/bomber.ignore) I get this:

$ bomber --ignore-file=bomber.ignore scan bomber.spdx.json

 ██▄ ▄▀▄ █▄ ▄█ ██▄ ██▀ █▀▄
 █▄█ ▀▄▀ █ ▀ █ █▄█ █▄▄ █▀▄

DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.4.8

■ Ecosystems detected: golang
■ Scanning 29 packages for vulnerabilities...
■ Vulnerability Provider: OSV Vulnerability Database (https://osv.dev)

| Fetching vulnerability data from osv

It seems to scan the database, but then report is never output and a zero exit code is returned.
It doesn't seem to matter what sbom or ignore file I use.

This is being run on Amazon Linux 2023

@djschleen djschleen self-assigned this Mar 8, 2024
@djschleen djschleen added the bug Something isn't working label Mar 8, 2024
@djschleen
Copy link
Member

Hey @sssylvester, thanks for reporting this. I'll take a look and see what's going on.

@pbailey-hf
Copy link
Contributor

I traced this issue down on Windows and proposed a fix in #213. I welcome any feedback. I can't explain why the global variable seems to be causing issues.

@pbailey-hf
Copy link
Contributor

OK I dug in a little more and discovered it was due to shadowing loader.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Development

No branches or pull requests

3 participants