I tried scanning with the new `github` provider and it does not find any vulnerabilities. My SBOM includes known vulnerabilities that I can find in GitHub's advisory database, but bomber always reports:

```text
No vulnerabilities found using the github provider
```

When scanning the same SBOM with the `ossindex` provider, bomber reports the vulnerabilities. I am providing a small example.
```console
$ bomber scan example-sbom.json --provider=ossindex
__ __
/ / ___ __ _ / / ___ ____
/ _ \/ _ \/ ' \/ _ \/ -_) __/
/_.__/\___/_/_/_/_.__/\__/_/
DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.5.1
■ Scanning Files:
example-sbom.json
■ Ecosystems detected: pypi
■ Provider supported ecosystems: maven,npm,golang,pypi,nuget,gem,cargo,pod,composer,conan,conda,cran,rpm,swift
■ Scanning 1 packages for vulnerabilities...
■ Vulnerability Provider: Sonatype OSS Index (https://ossindex.sonatype.org)
■ Files Scanned
example-sbom.json (sha256:554f8446ef6d2f523fedd062b47b2d475d472ad4333687587e831e08d06b432a)
■ Licenses Found: Apache-2.0
╭──────┬──────┬─────────┬──────────┬────────────────┬────────╮
│ TYPE │ NAME │ VERSION │ SEVERITY │ VULNERABILITY  │ EPSS % │
├──────┼──────┼─────────┼──────────┼────────────────┼────────┤
│ pypi │ rsa  │ 4.9     │ MODERATE │ CVE-2020-25658 │ N/A    │
╰──────┴──────┴─────────┴──────────┴────────────────┴────────╯
Total vulnerabilities found: 1
╭──────────┬───────╮
│ RATING   │ COUNT │
├──────────┼───────┤
│ MODERATE │ 1     │
╰──────────┴───────╯
NOTES:
1. The list of vulnerabilities displayed may differ from provider to provider. This list
may not contain all possible vulnerabilities. Please try the other providers that bomber
supports (osv, ossindex, snyk)
2. EPSS Percentage indicates the % chance that the vulnerability will be exploited. This
value will assist in prioritizing remediation. For more information on EPSS, refer to
https://www.first.org/epss/
3. An EPSS Percentage showing as N/A means that no EPSS data was available for the vulnerability
or the --enrich=epss flag was not set when running bomber
```
```console
$ bomber scan example-sbom.json --provider=github
__ __
/ / ___ __ _ / / ___ ____
/ _ \/ _ \/ ' \/ _ \/ -_) __/
/_.__/\___/_/_/_/_.__/\__/_/
DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.5.1
■ Scanning Files:
example-sbom.json
■ Ecosystems detected: pypi
■ Provider supported ecosystems: github-actions,composer,erlang,golang,maven,npm,nuget,pypi,pypi,rubygems,cargo
■ Scanning 1 packages for vulnerabilities...
■ Vulnerability Provider: GitHub Advisory Database (https://github.com/advisories)
■ Files Scanned
example-sbom.json (sha256:554f8446ef6d2f523fedd062b47b2d475d472ad4333687587e831e08d06b432a)
■ Licenses Found: Apache-2.0
No vulnerabilities found using the github provider
NOTE: Just because bomber didn't find any vulnerabilities using the github provider doesn't
mean there are no vulnerabilities. Please try the other providers that bomber
supports (osv, github, ossindex)
```